| From: | svoop_6cedifwf9e(at)delirium(dot)ch |
|---|---|
| To: | pgAdmin Support <pgadmin-support(at)postgresql(dot)org> |
| Cc: | Dave Page <dpage(at)pgadmin(dot)org>, pgadmin-hackers <pgadmin-hackers(at)postgresql(dot)org>, Akshay Joshi <akshay(dot)joshi(at)enterprisedb(dot)com> |
| Subject: | Re: [pgadmin-support] SSH tunnel key exchange methods |
| Date: | 2015-12-02 17:16:22 |
| Message-ID: | CD40E294-0DB7-4380-BC6D-E5BCE8598FC8@delirium.ch |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgadmin-hackers pgadmin-support |
> Sven, how you have identified the key exchange algorithm used by libssh2, is there any way to identify using fingerprint or key??
I'm looking at what sshd logs on the server end. Or you start sshd with the "-d" argument which logs to stdout and prevents sshd from being backgrounded.
You could also harden sshd by adding the following to sshd_config (don't forget to restart the deamon afterwards):
KexAlgorithms curve25519-sha256(at)libssh(dot)org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305(at)openssh(dot)com,aes256-gcm(at)openssh(dot)com,aes128-gcm(at)openssh(dot)com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm(at)openssh(dot)com,hmac-sha2-256-etm(at)openssh(dot)com,hmac-ripemd160-etm(at)openssh(dot)com,umac-128-etm(at)openssh(dot)com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128(at)openssh(dot)com
Since SHA1 is not listed as KexAlgorithms, if the connection is still possible, the client must have used SHA256.
Cheers, -sven
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Ashesh Vashi | 2015-12-04 11:49:17 | pgAdmin 4 commit: Do validation before enabling the Save button. |
| Previous Message | Adam Pearson | 2015-12-02 13:58:00 | SSH tunnel key exchange methods |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Dave Page | 2015-12-03 10:14:20 | Re: Greenplum warning message |
| Previous Message | Per Wigren | 2015-12-02 15:08:13 | Re: Greenplum warning message |