Subject: Re: SSH tunnel key exchange methods
From: Dave Page
Date: Mon, 30 Nov 2015 13:08:38 +0000
To: Akshay Joshi
Cc: Sven, pgAdmin Support
Message-Id: <48AA5EAC-64A6-466E-9900-E32EDD4187C0@pgadmin.org>
X-Mailing-List: pgadmin-support

Ok, thanks Akshay.

--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

> On 30 Nov 2015, at 12:57, Akshay Joshi wrote:
>
> Hi Dave
>
>> On Mon, Nov 30, 2015 at 10:41 AM, Akshay Joshi wrote:
>> Hi Dave
>>
>>> On Fri, Nov 27, 2015 at 3:01 PM, Dave Page wrote:
>>> On Fri, Nov 27, 2015 at 9:23 AM, Sven wrote:
>>> >> The key exchange methods offered when opening an SSH tunnel are all
>>> >> SHA1 and therefore too weak:
>>> >>
>>> >> [sshd] fatal: Unable to negotiate with xxx.xxx.xxx.xxx: no matching
>>> >> key exchange method found. Their offer:
>>> >> diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,
>>> >> diffie-hellman-group1-sha1 [preauth]
>>> >
>>> > Any news on this? If there's no easy way to add safer kexes, I suggest
>>> > you disable the SSH feature altogether. SHA1 is dead and IMO nobody
>>> > should trust a connection established with SHA1 kexes in order to talk
>>> > to databases.
>>>
>>> Akshay, you know that code best of all. How do we enable safer kexes?
>>
>> Today I'll look into it on priority and update accordingly.
>
> I have found that "diffie-hellman-group-exchange-sha256" support has been added to the libssh2 code on September 24, it's not released yet. Please check https://github.com/libssh2/libssh2/pull/48 . Today I have tried to update the libssh2, but am facing some compilation issues which need to be fixed. I am working on it and will then check whether we need to change our logic or libssh2 will automatically use "diffie-hellman-group-exchange-sha256".
>
>>> --
>>> Dave Page
>>> Blog: http://pgsnake.blogspot.com
>>> Twitter: @pgsnake
>>>
>>> EnterpriseDB UK: http://www.enterprisedb.com
>>> The Enterprise PostgreSQL Company
>>
>> --
>> Akshay Joshi
>> Principal Software Engineer
>>
>> Phone: +91 20-3058-9517
>> Mobile: +91 976-788-8246
>
> --
> Akshay Joshi
> Principal Software Engineer
>
> Phone: +91 20-3058-9517
> Mobile: +91 976-788-8246
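
An added example, not part of the original thread and not pgAdmin or libssh2 code: a Python check a server operator could run over sshd logs to find clients that, like the one in the quoted log line, offer only SHA-1 key exchange methods. The first sample entry is the log text from the thread; the second entry and all function names are constructed for illustration.

```python
import re

# Matches the sshd failure quoted in the thread, with or without the
# " port N" field that some OpenSSH versions log after the peer address.
OFFER_RE = re.compile(
    r"Unable to negotiate with (?P<peer>\S+?)(?: port \d+)?: "
    r"no matching key exchange method found\. "
    r"Their offer: (?P<offer>[\w@.+, -]+?) \[preauth\]"
)

def audit_offers(log_text):
    """Return one finding per failed negotiation found in log_text."""
    flat = " ".join(log_text.split())  # undo line wrapping inside an entry
    findings = []
    for m in OFFER_RE.finditer(flat):
        offered = [k.strip() for k in m.group("offer").split(",") if k.strip()]
        # Names such as "x-sha1@vendor" carry a suffix; judge the base name.
        sha1 = [k for k in offered if k.split("@")[0].endswith("-sha1")]
        findings.append({
            "peer": m.group("peer"),
            "offered": offered,
            "sha1": sha1,
            "sha1_only": bool(offered) and len(sha1) == len(offered),
            # group1 is the fixed 1024-bit group, weak regardless of the hash
            "small_group": [k for k in offered
                            if k.startswith("diffie-hellman-group1-")],
        })
    return findings

# First entry: log text from the thread, wrapped as posted.
# Second entry: constructed, a client that also offers a SHA-256 kex.
SAMPLE_LOG = """\
[sshd] fatal: Unable to negotiate with xxx.xxx.xxx.xxx: no matching
key exchange method found. Their offer:
diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,
diffie-hellman-group1-sha1 [preauth]
sshd[4242]: Unable to negotiate with 192.0.2.10 port 40022: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1 [preauth]
"""

if __name__ == "__main__":
    for f in audit_offers(SAMPLE_LOG):
        verdict = "SHA-1 only" if f["sha1_only"] else "has non-SHA-1 kex"
        print(f["peer"], verdict, f["offered"])
```
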