Re: [pgadmin-support] SSH tunnel key exchange methods - Mailing list pgadmin-hackers

Hi

On Wed, Dec 2, 2015 at 9:19 AM, Akshay Joshi <akshay.joshi@enterprisedb.com> wrote:

Hi Dave 

I have updated the libssh2 library with the latest available code on their git repository. The new code used "diffie-hellman-group-exchange-sha256" algorithm for key exchange and they also fixed some memory leak. I have verified it by putting the breakpoint in the libssh2 code, so when we called "libssh2_session_init()" it will automatically call "static int diffie_hellman_sha256(...)" function, but I don't know exactly how to identify the key exchange method (sha1 or sha256) used by the latest libssh2 library.

I have tested the pgadmin3 after updating the libssh2 library on CentOS 6.5 (64 bit) and it works fine. I have also modified the code to add human readable error message returned by the library. Attached is the patch file. Can you please review it and if it looks good can you please commit the code.

I'm seeing the following build error on OS X 10.7:

depbase=`echo libssh2/agent.o | sed 's|[^/]*$|.deps/&|;s|\.o$||'`;\

ccache gcc -Qunused-arguments -DHAVE_CONFIG_H -I. -I.. -I../pgadmin/include/libssh2  -I../pgadmin/include -I../pgadmin/include/libssh2   -I/usr/local/pgsql-9.5/include -I/usr/local/pgsql-9.5/include/server -I/usr/local/pgsql-9.5/include -DPG_SSL -DHAVE_CONNINFO_PARSE -I/usr/local/lib/wx/include/mac-unicode-release-static-2.8 -I/usr/local/include/wx-2.8 -D_FILE_OFFSET_BITS=64 -D_LARGE_FILES -D__WXMAC__ -DEMBED_XRC -arch i386 -I/usr/include/libxml2 -I/opt/local/include/libxml2 -DHAVE_OPENSSL_CRYPTO  -O2 -MT libssh2/agent.o -MD -MP -MF $depbase.Tpo -c -o libssh2/agent.o libssh2/agent.c &&\

mv -f $depbase.Tpo $depbase.Po

In file included from ../pgadmin/include/libssh2/libssh2_priv.h:136,

                 from libssh2/agent.c:41:

../pgadmin/include/libssh2/crypto.h:53: error: expected ‘)’ before ‘*’ token

../pgadmin/include/libssh2/crypto.h:69: error: expected ‘)’ before ‘*’ token

../pgadmin/include/libssh2/crypto.h:73: error: expected ‘)’ before ‘*’ token

../pgadmin/include/libssh2/crypto.h:78: error: expected declaration specifiers or ‘...’ before ‘libssh2_rsa_ctx’

../pgadmin/include/libssh2/crypto.h:83: error: expected ‘)’ before ‘*’ token

../pgadmin/include/libssh2/crypto.h:115: error: expected ‘)’ before ‘*’ token

../pgadmin/include/libssh2/crypto.h:120: error: expected ‘)’ before ‘*’ token

In file included from libssh2/agent.c:41:

../pgadmin/include/libssh2/libssh2_priv.h:240: error: ‘SHA256_DIGEST_LENGTH’ undeclared here (not in a function)

../pgadmin/include/libssh2/libssh2_priv.h:245: error: expected specifier-qualifier-list before ‘_libssh2_bn_ctx’

../pgadmin/include/libssh2/libssh2_priv.h:267: error: expected specifier-qualifier-list before ‘_libssh2_bn’

../pgadmin/include/libssh2/libssh2_priv.h:604: error: ‘SHA_DIGEST_LENGTH’ undeclared here (not in a function)

../pgadmin/include/libssh2/libssh2_priv.h:899: error: expected specifier-qualifier-list before ‘_libssh2_cipher_type’

libssh2/agent.c: In function ‘agent_connect_unix’:

libssh2/agent.c:150: warning: assignment makes pointer from integer without a cast

make[3]: *** [libssh2/agent.o] Error 1

make[2]: *** [all] Error 2

make[1]: *** [all-recursive] Error 1

make: *** [all] Error 2

 

Sven, how you have identified the key exchange algorithm used by libssh2, is there any way to identify using fingerprint or key??

On Mon, Nov 30, 2015 at 6:38 PM, Dave Page <dpage@pgadmin.org> wrote:

Ok, thanks Akshay.

-- 
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK:http://www.enterprisedb.com
The Enterprise PostgreSQL Company

On 30 Nov 2015, at 12:57, Akshay Joshi <akshay.joshi@enterprisedb.com> wrote:

Hi Dave

On Mon, Nov 30, 2015 at 10:41 AM, Akshay Joshi <akshay.joshi@enterprisedb.com> wrote:

Hi Dave

On Fri, Nov 27, 2015 at 3:01 PM, Dave Page <dpage@pgadmin.org> wrote:

On Fri, Nov 27, 2015 at 9:23 AM, Sven <svoop_6cedifwf9e@delirium.ch> wrote:
>> The key exchange methods offered when opening an SSH tunnel are all
>> SHA1 and therefore too weak:
>>
>> [sshd] fatal: Unable to negotiate with xxx.xxx.xxx.xxx: no matching
>> key exchange method found. Their offer:
>> diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,
>> diffie-hellman-group1-sha1 [preauth]
>
> Any news on this? If there's no easy way to add safer kexes, I suggest
> you disable the SSH feature altogether. SHA1 is dead and IMO nobody
> should trust a connection established with SHA1 kexes in order to talk
> to databases.

Akshay, you know that code best of all. How do we enable safer kexes?

   Today I'll look into it on priority and update accordingly.

 

       I have found that "diffie-hellman-group-exchange-sha256" support has been added to the libssh2 code on September 24, it's not released yet. Please check https://github.com/libssh2/libssh2/pull/48 . Today I have tried to update the libssh2, but facing some compilation issues which needs to be fixed. I am working on it and then check do we need to change our logic or libssh2 will automatically used  "diffie-hellman-group-exchange-sha256".

 

--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

--

Akshay Joshi

Principal Software Engineer 

Phone: +91 20-3058-9517
Mobile: +91 976-788-8246

--

Akshay Joshi

Principal Software Engineer 

Phone: +91 20-3058-9517
Mobile: +91 976-788-8246

--

Akshay Joshi

Principal Software Engineer 

Phone: +91 20-3058-9517
Mobile: +91 976-788-8246

--

Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company