Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtp (Exim 4.80) (envelope-from ) id 1a443m-0006is-6a for pgadmin-support@arkaria.postgresql.org; Wed, 02 Dec 2015 09:50:50 +0000 Received: from localhost ([127.0.0.1] helo=postgresql.org) by malur.postgresql.org with smtp (Exim 4.84) (envelope-from ) id 1a443l-0006K3-73 for pgadmin-support@arkaria.postgresql.org; Wed, 02 Dec 2015 09:50:49 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_CBC_SHA384:256) (Exim 4.84) (envelope-from ) id 1a443k-0006Ju-NB for pgadmin-support@postgresql.org; Wed, 02 Dec 2015 09:50:48 +0000 Received: from mail-io0-x236.google.com ([2607:f8b0:4001:c06::236]) by magus.postgresql.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.84) (envelope-from ) id 1a443f-0007AB-HT for pgadmin-support@postgresql.org; Wed, 02 Dec 2015 09:50:47 +0000 Received: by ioc74 with SMTP id 74so39723205ioc.2 for ; Wed, 02 Dec 2015 01:50:41 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pgadmin-org.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=5cB8wPiymf+UEW/kzsB4JK4nC3dggb2NxkDbgIhpzQE=; b=gMVsbBFdPS9ZgbwV9+0tuz+BKFKULlHdVTP29tgcpN+Fk9ZnDDfQWWl+FtvW9doSsq xWAYcM4RbJkN5o2aiLIHt8CiEx3vNpkKzXS3phUd5LVMNW00OKu6xLGSOfewoXhOV+v2 rWzTKcjNwA+ZIjTJ6DB2FRq5day8b2moz660zSwDizaFjJqbz11Xoke3uP1HiENJbDly SX4LjYlw0CxcBx8pmLWN6t8eB0AtgFymw3cxM4iu2cL7MjWxJVcinxJyfRsOTzjI0wwu KAo/Z2o6p3+euQOouhBhFzUdAfSHZxwtTmHUU39wubnI0m/KwRl4vUqKSkhRy7IGECfb NIZw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=5cB8wPiymf+UEW/kzsB4JK4nC3dggb2NxkDbgIhpzQE=; b=KjV3B1v2gfeIw9UI6W6tLPRhkX6yoSFRQGV+2FdVlojB3zRf3dk1YoM02t+/Lrf+ek 5FyiopHoHHiMgKGiqlJbN+fVBAtGTXM1Bweo1HEE2w2dURGit6DoqJ32DIvWpd9zYMXk 9Zhrv4b59sZzzYnRuwzGJJpn2xmD/28GQgJMvPaBaWg1WFB+crq6hxuTlOaLUUGtB5Y1 4bvUXXZfDl0idwd9Z77FuFwt1GGQJqYFPIIZ9H+C88OGCk7SzY3pyFoeEgtFTgfcX/EL 8YZbKP3C8sMk4zBvJyZj7zyWAohcTK5rqrOdJyD58l8W9O34k7PX/2slf3AhCGRJPll5 qvbA== X-Gm-Message-State: ALoCoQkAUOwX21vnDq7plwraFgJ2HsPTzLVsTkk42Y65pOmRV3gduD8A49WnNldHH2lf3C6bBqwF MIME-Version: 1.0 X-Received: by 10.107.158.10 with SMTP id h10mr2778303ioe.63.1449049841480; Wed, 02 Dec 2015 01:50:41 -0800 (PST) Received: by 10.64.5.234 with HTTP; Wed, 2 Dec 2015 01:50:41 -0800 (PST) In-Reply-To: References: <48AA5EAC-64A6-466E-9900-E32EDD4187C0@pgadmin.org> Date: Wed, 2 Dec 2015 09:50:41 +0000 Message-ID: Subject: Re: SSH tunnel key exchange methods From: Dave Page To: Akshay Joshi Cc: Sven , pgAdmin Support , pgadmin-hackers Content-Type: multipart/alternative; boundary=001a11407968104c040525e73514 X-Pg-Spam-Score: -2.6 (--) List-Archive: List-Help: List-ID: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: X-Mailing-List: pgadmin-support Precedence: bulk Sender: pgadmin-support-owner@postgresql.org --001a11407968104c040525e73514 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Hi On Wed, Dec 2, 2015 at 9:19 AM, Akshay Joshi wrote: > Hi Dave > > I have updated the *libssh2* library with the latest available code on > their git repository. The new code used "diffie-hellman-group-exchange-sh= a256" algorithm for > key exchange and they also fixed some memory leak. I have verified it by > putting the breakpoint in the libssh2 code, so when we called " > libssh2_session_init()" it will automatically call "static int diffie_ > hellman_sha256(...)" function, but I don't know exactly how to identify > the key exchange method (sha1 or sha256) used by the latest libssh2 libra= ry. > > I have tested the pgadmin3 after updating the libssh2 library on CentOS > 6.5 (64 bit) and it works fine. I have also modified the code to add > human readable error message returned by the library. Attached is the > patch file. Can you please review it and if it looks good can you please > commit the code. > I'm seeing the following build error on OS X 10.7: depbase=3D`echo libssh2/agent.o | sed 's|[^/]*$|.deps/&|;s|\.o$||'`;\ ccache gcc -Qunused-arguments -DHAVE_CONFIG_H -I. -I.. -I../pgadmin/include/libssh2 -I../pgadmin/include -I../pgadmin/include/libssh2 -I/usr/local/pgsql-9.5/include -I/usr/local/pgsql-9.5/include/server -I/usr/local/pgsql-9.5/include -DPG_SSL -DHAVE_CONNINFO_PARSE -I/usr/local/lib/wx/include/mac-unicode-release-static-2.8 -I/usr/local/include/wx-2.8 -D_FILE_OFFSET_BITS=3D64 -D_LARGE_FILES -D__WXMAC__ -DEMBED_XRC -arch i386 -I/usr/include/libxml2 -I/opt/local/include/libxml2 -DHAVE_OPENSSL_CRYPTO -O2 -MT libssh2/agent.o -MD -MP -MF $depbase.Tpo -c -o libssh2/agent.o libssh2/agent.c &&\ mv -f $depbase.Tpo $depbase.Po In file included from ../pgadmin/include/libssh2/libssh2_priv.h:136, from libssh2/agent.c:41: ../pgadmin/include/libssh2/crypto.h:53: error: expected =E2=80=98)=E2=80=99= before =E2=80=98*=E2=80=99 token ../pgadmin/include/libssh2/crypto.h:69: error: expected =E2=80=98)=E2=80=99= before =E2=80=98*=E2=80=99 token ../pgadmin/include/libssh2/crypto.h:73: error: expected =E2=80=98)=E2=80=99= before =E2=80=98*=E2=80=99 token ../pgadmin/include/libssh2/crypto.h:78: error: expected declaration specifiers or =E2=80=98...=E2=80=99 before =E2=80=98libssh2_rsa_ctx=E2=80= =99 ../pgadmin/include/libssh2/crypto.h:83: error: expected =E2=80=98)=E2=80=99= before =E2=80=98*=E2=80=99 token ../pgadmin/include/libssh2/crypto.h:115: error: expected =E2=80=98)=E2=80= =99 before =E2=80=98*=E2=80=99 token ../pgadmin/include/libssh2/crypto.h:120: error: expected =E2=80=98)=E2=80= =99 before =E2=80=98*=E2=80=99 token In file included from libssh2/agent.c:41: ../pgadmin/include/libssh2/libssh2_priv.h:240: error: =E2=80=98SHA256_DIGEST_LENGTH=E2=80=99 undeclared here (not in a function) ../pgadmin/include/libssh2/libssh2_priv.h:245: error: expected specifier-qualifier-list before =E2=80=98_libssh2_bn_ctx=E2=80=99 ../pgadmin/include/libssh2/libssh2_priv.h:267: error: expected specifier-qualifier-list before =E2=80=98_libssh2_bn=E2=80=99 ../pgadmin/include/libssh2/libssh2_priv.h:604: error: =E2=80=98SHA_DIGEST_L= ENGTH=E2=80=99 undeclared here (not in a function) ../pgadmin/include/libssh2/libssh2_priv.h:899: error: expected specifier-qualifier-list before =E2=80=98_libssh2_cipher_type=E2=80=99 libssh2/agent.c: In function =E2=80=98agent_connect_unix=E2=80=99: libssh2/agent.c:150: warning: assignment makes pointer from integer without a cast make[3]: *** [libssh2/agent.o] Error 1 make[2]: *** [all] Error 2 make[1]: *** [all-recursive] Error 1 make: *** [all] Error 2 > > Sven, how you have identified the key exchange algorithm used by libssh2, > is there any way to identify using fingerprint or key?? > > On Mon, Nov 30, 2015 at 6:38 PM, Dave Page wrote: > >> Ok, thanks Akshay. >> >> -- >> Dave Page >> Blog: http://pgsnake.blogspot.com >> Twitter: @pgsnake >> >> EnterpriseDB UK:http://www.enterprisedb.com >> The Enterprise PostgreSQL Company >> >> On 30 Nov 2015, at 12:57, Akshay Joshi >> wrote: >> >> Hi Dave >> >> On Mon, Nov 30, 2015 at 10:41 AM, Akshay Joshi > .com> wrote: >> >>> Hi Dave >>> >>> On Fri, Nov 27, 2015 at 3:01 PM, Dave Page wrote: >>> >>>> On Fri, Nov 27, 2015 at 9:23 AM, Sven >>>> wrote: >>>> >> The key exchange methods offered when opening an SSH tunnel are all >>>> >> SHA1 and therefore too weak: >>>> >> >>>> >> [sshd] fatal: Unable to negotiate with xxx.xxx.xxx.xxx: no matching >>>> >> key exchange method found. Their offer: >>>> >> diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1, >>>> >> diffie-hellman-group1-sha1 [preauth] >>>> > >>>> > Any news on this? If there's no easy way to add safer kexes, I sugge= st >>>> > you disable the SSH feature altogether. SHA1 is dead and IMO nobody >>>> > should trust a connection established with SHA1 kexes in order to ta= lk >>>> > to databases. >>>> >>>> Akshay, you know that code best of all. How do we enable safer kexes? >>>> >>> >>> Today I'll look into it on priority and update accordingly. >>> >> >> I have found that "diffie-hellman-group-exchange-sha256" support >> has been added to the libssh2 code on September 24, it's not released ye= t. >> Please check https://github.com/libssh2/libssh2/pull/48 . Today I have >> tried to update the libssh2, but facing some compilation issues which ne= eds >> to be fixed. I am working on it and then check do we need to change our >> logic or libssh2 will automatically used "diffie-hellman >> -group-exchange-sha256". >> >> >>> >>>> -- >>>> Dave Page >>>> Blog: http://pgsnake.blogspot.com >>>> Twitter: @pgsnake >>>> >>>> EnterpriseDB UK: http://www.enterprisedb.com >>>> The Enterprise PostgreSQL Company >>>> >>> >>> >>> >>> -- >>> *Akshay Joshi* >>> *Principal Software Engineer * >>> >>> >>> >>> *Phone: +91 20-3058-9517 <%2B91%2020-3058-9517>Mobile: +91 976-788-8246= * >>> >> >> >> >> -- >> *Akshay Joshi* >> *Principal Software Engineer * >> >> >> >> *Phone: +91 20-3058-9517 <%2B91%2020-3058-9517>Mobile: +91 976-788-8246* >> >> > > > -- > *Akshay Joshi* > *Principal Software Engineer * > > > > *Phone: +91 20-3058-9517 <%2B91%2020-3058-9517>Mobile: +91 976-788-8246* > --=20 Dave Page Blog: http://pgsnake.blogspot.com Twitter: @pgsnake EnterpriseDB UK: http://www.enterprisedb.com The Enterprise PostgreSQL Company --001a11407968104c040525e73514 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
Hi

On Wed, Dec 2, 2015 at 9:19 AM, Akshay Joshi <akshay.joshi@e= nterprisedb.com> wrote:
= Hi Dave=C2=A0

I have updated the libssh2 library = with the latest available code on their git repository. The new code used= =C2=A0"diffie-hellman-group-exchan= ge-sha256"=C2=A0algorithm=C2=A0for key=C2=A0exchange and they also fix= ed some memory leak. I have verified it by putting the breakpoint in the libssh2 code, so when we called "libssh2_session_init()" it wil= l automatically call "static int diffie_hellman_sha256(...)" function, but I don't know exactly how to identify the key exchange method (sha1= or sha256) used by the latest libssh2 library.

I have tested the pgadmin3 after updating the libssh2 library on C= entOS 6.5 (64 bit) and it works fine. I have also modified the code = to add human=C2=A0readable error=C2=A0message returned by the library.=C2= =A0Attached is the patch file. Can = you please review it and if it looks good can you please commit the code.

I'm seeing the follow= ing build error on OS X 10.7:

depbase=3D`echo= libssh2/agent.o | sed 's|[^/]*$|.deps/&|;s|\.o$||'`;\
ccache gcc -Qunused-ar= guments -DHAVE_CONFIG_H -I. -I.. -I../pgadmin/include/libssh2 =C2=A0-I../pg= admin/include -I../pgadmin/include/libssh2 =C2=A0 -I/usr/local/pgsql-9.5/in= clude -I/usr/local/pgsql-9.5/include/server -I/usr/local/pgsql-9.5/include = -DPG_SSL -DHAVE_CONNINFO_PARSE -I/usr/local/lib/wx/include/mac-unicode-rele= ase-static-2.8 -I/usr/local/include/wx-2.8 -D_FILE_OFFSET_BITS=3D64 -D_LARG= E_FILES -D__WXMAC__ -DEMBED_XRC -arch i386 -I/usr/include/libxml2 -I/opt/lo= cal/include/libxml2 -DHAVE_OPENSSL_CRYPTO =C2=A0-O2 -MT libssh2/agent.o -MD= -MP -MF $depbase.Tpo -c -o libssh2/agent.o libssh2/agent.c &&\
mv -f $depbase.Tp= o $depbase.Po
In file included from ../pgadmin/include/libssh2/li= bssh2_priv.h:136,
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0from libssh2/agent.c:41:
../pgadmin/include/libs= sh2/crypto.h:53: error: expected =E2=80=98)=E2=80=99 before =E2=80=98*=E2= =80=99 token
../pgadmin/include/libssh2/crypto.h:69: error: expec= ted =E2=80=98)=E2=80=99 before =E2=80=98*=E2=80=99 token
../pgadm= in/include/libssh2/crypto.h:73: error: expected =E2=80=98)=E2=80=99 before = =E2=80=98*=E2=80=99 token
../pgadmin/include/libssh2/crypto.h:78:= error: expected declaration specifiers or =E2=80=98...=E2=80=99 before =E2= =80=98libssh2_rsa_ctx=E2=80=99
../pgadmin/include/libssh2/crypto.= h:83: error: expected =E2=80=98)=E2=80=99 before =E2=80=98*=E2=80=99 token<= /div>
../pgadmin/include/libssh2/crypto.h:115: error: expected =E2=80= =98)=E2=80=99 before =E2=80=98*=E2=80=99 token
../pgadmin/include= /libssh2/crypto.h:120: error: expected =E2=80=98)=E2=80=99 before =E2=80=98= *=E2=80=99 token
In file included from libssh2/agent.c:41:
<= div>../pgadmin/include/libssh2/libssh2_priv.h:240: error: =E2=80=98SHA256_D= IGEST_LENGTH=E2=80=99 undeclared here (not in a function)
../pgad= min/include/libssh2/libssh2_priv.h:245: error: expected specifier-qualifier= -list before =E2=80=98_libssh2_bn_ctx=E2=80=99
../pgadmin/include= /libssh2/libssh2_priv.h:267: error: expected specifier-qualifier-list befor= e =E2=80=98_libssh2_bn=E2=80=99
../pgadmin/include/libssh2/libssh= 2_priv.h:604: error: =E2=80=98SHA_DIGEST_LENGTH=E2=80=99 undeclared here (n= ot in a function)
../pgadmin/include/libssh2/libssh2_priv.h:899: = error: expected specifier-qualifier-list before =E2=80=98_libssh2_cipher_ty= pe=E2=80=99
libssh2/agent.c: In function =E2=80=98agent_connect_u= nix=E2=80=99:
libssh2/agent.c:150: warning: assignment makes poin= ter from integer without a cast
make[3]: *** [libssh2/agent.o] Er= ror 1
make[2]: *** [all] Error 2
make[1]: *** [all-recu= rsive] Error 1
make: *** [all] Error 2

=
=C2=A0

Sven, = how you have identified the key exchange algorithm used by libssh2, is ther= e any way to identify using fingerprint or key??

On Mon, Nov 30, 2015 at 6:38 PM, Dave Page <dpage@p= gadmin.org> wrote:
Ok, thanks Akshay.

--=C2=A0
Dave Page
Blog:=C2=A0http://pgsnake.blogspot.com
Twitter: = @pgsnake

EnterpriseDB UK:http://www.enterprisedb.com
The Enterprise PostgreSQ= L Company

On 30 Nov 2015, at 12:57, A= kshay Joshi <akshay.joshi@enterprisedb.com> wrote:

Hi Dave
On Mon, Nov 30, 2015 at 10:41 AM, Akshay= Joshi <akshay.joshi@enterprisedb.com> wrote:
Hi Dave

On Fri, Nov 27, 2015 at 3:01 PM, Dave Page <dpage@pgadmin.o= rg> wrote:
On Fri, Nov 27, 2015 at = 9:23 AM, Sven <svoop_6cedifwf9e@delirium.ch> wrote:
>> The key exchange methods offered when opening an SSH tunnel are al= l
>> SHA1 and therefore too weak:
>>
>> [sshd] fatal: Unable to negotiate with xxx.xxx.xxx.xxx: no matchin= g
>> key exchange method found. Their offer:
>> diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1, >> diffie-hellman-group1-sha1 [preauth]
>
> Any news on this? If there's no easy way to add safer kexes, I sug= gest
> you disable the SSH feature altogether. SHA1 is dead and IMO nobody > should trust a connection established with SHA1 kexes in order to talk=
> to databases.

Akshay, you know that code best of all. How do we enable safer kexes= ?

=C2=A0 =C2=A0Today I'll lo= ok into it on priority and update accordingly.
=C2=A0
=C2=A0 =C2=A0 =C2=A0 =C2=A0I have found that = "diffie-hellman-group-exchange-sha256" = support has been added to the libssh2 code on September 24, it's not re= leased yet. Please check=C2=A0https://github.com/libssh2/libssh2= /pull/48=C2=A0. Today I have tried to update the libssh2, but facing so= me compilation issues which needs to be fixed. I am working on it and then = check do we need to change our logic or libssh2 will automatically used =C2= =A0"diffie-hellman-group-exchange-sha256&quo= t;.
=C2=A0

--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

<= br clear=3D"all">

--
Akshay Joshi=
Principal = Software Engineer=C2=A0


Phone: +91 20-3058-9517
Mobile: +91 976-788-824= 6



--
= Akshay Joshi
Principal Software Engineer=C2=A0


Phone: <= a href=3D"tel:%2B91%2020-3058-9517" value=3D"+912030589517" target=3D"_blan= k">+91 20-3058-9517
Mobile: +91 976-788-8246
=



--
Akshay Joshi
Principal Software Engin= eer=C2=A0

<= b>

Phone: +91 20-3058-9517
Mobile: +91 976-788-8246



--
=
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter= : @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise Postgre= SQL Company
--001a11407968104c040525e73514--