Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtp (Exim 4.80) (envelope-from ) id 1a3Gkv-0001qZ-Kd for pgadmin-support@arkaria.postgresql.org; Mon, 30 Nov 2015 05:12:05 +0000 Received: from localhost ([127.0.0.1] helo=postgresql.org) by malur.postgresql.org with smtp (Exim 4.84) (envelope-from ) id 1a3Gku-0004d8-FF for pgadmin-support@arkaria.postgresql.org; Mon, 30 Nov 2015 05:12:04 +0000 Received: from makus.postgresql.org ([2001:4800:1501:1::229]) by malur.postgresql.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_CBC_SHA384:256) (Exim 4.84) (envelope-from ) id 1a3GkV-0004Bq-Gk for pgadmin-support@postgresql.org; Mon, 30 Nov 2015 05:11:39 +0000 Received: from mail-ob0-x22c.google.com ([2607:f8b0:4003:c01::22c]) by makus.postgresql.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.84) (envelope-from ) id 1a3GkS-0007M0-DL for pgadmin-support@postgresql.org; Mon, 30 Nov 2015 05:11:38 +0000 Received: by obbww6 with SMTP id ww6so118531904obb.0 for ; Sun, 29 Nov 2015 21:11:35 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=enterprisedb-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=49bb9cx4iD6/ozh/it+HgguzvJlonO9bVVynwPP0zAo=; b=fDdEa38kzUdfA0ImRirADlLszOfFiJ+MgIcZY3UnzdI7yemdwHT6/Qayn25XTNc2Yv t6mSeDLuv0kRzaa8gTstgF+78XrwCluix107oj3S2f7PH47CSXk90MSv6hy0ybVRQwf/ gHLsNYu6sVATkvXYjBA1RxbFlEWFF1EXaBcjc3mEB1gZ1db8xDh9nzT/HwWWUHQU/dn5 M7swScLQW+ykptMKtYm4VNBNQ/hobtpAcTWWyOjOq5L2nkx0nDuE4mSVG3LpADa6qlWG RsiN0Vf/O1+1GyUuH4lM1Fq9lhpPIzhfbNXFhzc9jMkg/4WBIkznCnD1s8spv3Rx5c++ 0+6w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=49bb9cx4iD6/ozh/it+HgguzvJlonO9bVVynwPP0zAo=; b=mVOwZmrUgWIMwarGsLPG/UCNI9ZEalpG3CXF7AOUDl//rQ9sUi8TRsLdGsReCn/mgX I+cEJGT7QrUimRxZbTTZA1vOclTwXCZ0/X0p1pmeCXHHUdCpJ6KOPrDE496fa1Ta5dEN ZRmhmUFME3NpvFMxWOOWKF+keAkNQ8Trj+QjbEsffefHIkrw47QJrdI9zzwVB4YUoUq4 3zrF6YMLQzeZanuXkpgfVSTKlS3bkbTeROCjUCqewdbue93IgoYJWGjVDUIXFyOoITO8 +6DqqQdq1EL90qR7WUKDVVr6YSX8JoZrsMAAGQztgvF5z83d48bAsTwFa2Ups/rLANhX K+eQ== X-Gm-Message-State: ALoCoQkLKXQy3hEvqw0EPH9A7DD4ZayrvNf01f5Zia/pkqFAEiu3YvEqoCJBtNpRd5Xs2SXfM9yF MIME-Version: 1.0 X-Received: by 10.182.200.201 with SMTP id ju9mr5397646obc.30.1448860295093; Sun, 29 Nov 2015 21:11:35 -0800 (PST) Received: by 10.202.80.5 with HTTP; Sun, 29 Nov 2015 21:11:35 -0800 (PST) In-Reply-To: References: Date: Mon, 30 Nov 2015 10:41:35 +0530 Message-ID: Subject: Re: SSH tunnel key exchange methods From: Akshay Joshi To: Dave Page Cc: Sven , pgAdmin Support Content-Type: multipart/alternative; boundary=001a11c2528438003b0525bb1395 X-Pg-Spam-Score: -2.6 (--) List-Archive: List-Help: List-ID: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: X-Mailing-List: pgadmin-support Precedence: bulk Sender: pgadmin-support-owner@postgresql.org --001a11c2528438003b0525bb1395 Content-Type: text/plain; charset=UTF-8 Hi Dave On Fri, Nov 27, 2015 at 3:01 PM, Dave Page wrote: > On Fri, Nov 27, 2015 at 9:23 AM, Sven > wrote: > >> The key exchange methods offered when opening an SSH tunnel are all > >> SHA1 and therefore too weak: > >> > >> [sshd] fatal: Unable to negotiate with xxx.xxx.xxx.xxx: no matching > >> key exchange method found. Their offer: > >> diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1, > >> diffie-hellman-group1-sha1 [preauth] > > > > Any news on this? If there's no easy way to add safer kexes, I suggest > > you disable the SSH feature altogether. SHA1 is dead and IMO nobody > > should trust a connection established with SHA1 kexes in order to talk > > to databases. > > Akshay, you know that code best of all. How do we enable safer kexes? > Today I'll look into it on priority and update accordingly. > > -- > Dave Page > Blog: http://pgsnake.blogspot.com > Twitter: @pgsnake > > EnterpriseDB UK: http://www.enterprisedb.com > The Enterprise PostgreSQL Company > -- *Akshay Joshi* *Principal Software Engineer * *Phone: +91 20-3058-9517Mobile: +91 976-788-8246* --001a11c2528438003b0525bb1395 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
Hi Dave

On Fri, Nov 27, 2015 at 3:01 PM, Dave Page <dpage@pgadmin.org&g= t; wrote:
On Fri,= Nov 27, 2015 at 9:23 AM, Sven <svoop_6cedifwf9e@delirium.ch> wrote:
>> The key exchange methods offered when opening an SSH tunnel are al= l
>> SHA1 and therefore too weak:
>>
>> [sshd] fatal: Unable to negotiate with xxx.xxx.xxx.xxx: no matchin= g
>> key exchange method found. Their offer:
>> diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1, >> diffie-hellman-group1-sha1 [preauth]
>
> Any news on this? If there's no easy way to add safer kexes, I sug= gest
> you disable the SSH feature altogether. SHA1 is dead and IMO nobody > should trust a connection established with SHA1 kexes in order to talk=
> to databases.

Akshay, you know that code best of all. How do we enable safer kexes= ?

=C2=A0 =C2=A0Today I'll look into= it on priority and update accordingly.

--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company



--
Akshay Joshi
= Principal Software En= gineer=C2=A0


Phone: +91 20-3058-9517
Mobile: +91 976-788-8246=
--001a11c2528438003b0525bb1395--