Postgres Pro
Downloads
Home   >   mailing lists

Re: [pgadmin-support] SSH tunnel key exchange methods - Mailing list pgadmin-hackers

From Akshay Joshi
Subject Re: [pgadmin-support] SSH tunnel key exchange methods
Date
Msg-id CANxoLDdJRxU2itw=8GS98k7_+Pd1O6POs4DGauXkxWZC89P9aQ@mail.gmail.com
Whole thread Raw
Responses Re: [pgadmin-support] SSH tunnel key exchange methods  (Dave Page <dpage@pgadmin.org>)
Re: [pgadmin-support] SSH tunnel key exchange methods  (svoop_6cedifwf9e@delirium.ch)
List pgadmin-hackers
Tree view
Hi Dave 

I have updated the libssh2 library with the latest available code on their git repository. The new code used "diffie-hellman-group-exchange-sha256" algorithm for key exchange and they also fixed some memory leak. I have verified it by putting the breakpoint in the libssh2 code, so when we called "libssh2_session_init()" it will automatically call "static int diffie_hellman_sha256(...)" function, but I don't know exactly how to identify the key exchange method (sha1 or sha256) used by the latest libssh2 library.

I have tested the pgadmin3 after updating the libssh2 library on CentOS 6.5 (64 bit) and it works fine. I have also modified the code to add human readable error message returned by the library. Attached is the patch file. Can you please review it and if it looks good can you please commit the code.

Sven, how you have identified the key exchange algorithm used by libssh2, is there any way to identify using fingerprint or key??

On Mon, Nov 30, 2015 at 6:38 PM, Dave Page <dpage@pgadmin.org> wrote:
Ok, thanks Akshay.

-- 
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK:http://www.enterprisedb.com
The Enterprise PostgreSQL Company

On 30 Nov 2015, at 12:57, Akshay Joshi <akshay.joshi@enterprisedb.com> wrote:

Hi Dave

On Mon, Nov 30, 2015 at 10:41 AM, Akshay Joshi <akshay.joshi@enterprisedb.com> wrote:
Hi Dave

On Fri, Nov 27, 2015 at 3:01 PM, Dave Page <dpage@pgadmin.org> wrote:
On Fri, Nov 27, 2015 at 9:23 AM, Sven <svoop_6cedifwf9e@delirium.ch> wrote:
>> The key exchange methods offered when opening an SSH tunnel are all
>> SHA1 and therefore too weak:
>>
>> [sshd] fatal: Unable to negotiate with xxx.xxx.xxx.xxx: no matching
>> key exchange method found. Their offer:
>> diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,
>> diffie-hellman-group1-sha1 [preauth]
>
> Any news on this? If there's no easy way to add safer kexes, I suggest
> you disable the SSH feature altogether. SHA1 is dead and IMO nobody
> should trust a connection established with SHA1 kexes in order to talk
> to databases.

Akshay, you know that code best of all. How do we enable safer kexes?

   Today I'll look into it on priority and update accordingly.
 
       I have found that "diffie-hellman-group-exchange-sha256" support has been added to the libssh2 code on September 24, it's not released yet. Please check https://github.com/libssh2/libssh2/pull/48 . Today I have tried to update the libssh2, but facing some compilation issues which needs to be fixed. I am working on it and then check do we need to change our logic or libssh2 will automatically used  "diffie-hellman-group-exchange-sha256".
 

--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company



--
Akshay Joshi
Principal Software Engineer 


Phone: +91 20-3058-9517
Mobile: +91 976-788-8246



--
Akshay Joshi
Principal Software Engineer 


Phone: +91 20-3058-9517
Mobile: +91 976-788-8246



--
Akshay Joshi
Principal Software Engineer 


Phone: +91 20-3058-9517
Mobile: +91 976-788-8246
Attachment

pgadmin-hackers by date:

Previous
From: Ashesh Vashi
Date:
Subject: Re: pgagent job failing to halt on failed step
Next
From: Dave Page
Date:
Subject: Re: [pgadmin-support] SSH tunnel key exchange methods