guacamole-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mike Jumper <mike.jum...@guac-dev.org>
Subject Re: Connection failures
Date Wed, 24 Jan 2018 22:07:55 GMT
On Wed, Jan 24, 2018 at 2:02 PM, Mike Jumper <mike.jumper@guac-dev.org>
wrote:

> On Wed, Jan 24, 2018 at 11:49 AM, <harry.devine@faa.gov> wrote:
>
>> Did some more debugging.  When we try to connect to a server that is FIPS
>> 140-2 compliant, here’s what the algorithms that are expected are:
>>
>>
>>
>> When I try to connect via a Guacamole SSH session, here are the
>> algorithms being sent:
>>
>> debug2: KEX algorithms: ecdh-sha2-nistp256,ecdh-sha2-n
>> istp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha
>> 256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha
>> 512,diffie-hellman-group14-sha256,ext-info-c
>>
>> debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,
>> ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-
>> sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,
>> ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com
>> ,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-
>> sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss
>>
>> debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-c
>> tr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
>>
>> debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-c
>> tr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
>>
>> debug2: MACs ctos: hmac-sha1,hmac-sha2-256,hmac-sha2-512,
>> hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,
>> hmac-sha2-512-etm@openssh.com
>>
>> debug2: MACs stoc: hmac-sha1,hmac-sha2-256,hmac-sha2-512,
>> hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,
>> hmac-sha2-512-etm@openssh.com
>>
>>
>>
>> Jan 24 14:42:38 carts sshd[6890]: FIPS mode initialized
>>
>> Jan 24 14:42:38 carts sshd[6890]: Unable to negotiate with 172.26.170.72
>> port 57948: no matching key exchange method found. Their offer:
>> diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
>> [preauth]
>>
>>
>>
>> Looks like, to me, that Guacamole isn’t sending the proper algorithms or
>> ciphers in its SSH request.  Not sure if the issue is in Guacamole itself
>> or in libssh2, which is 1.4.3 at the moment.
>>
>>
>>
>
> The connection handshake for SSH connections (key exchange, ciphers, etc.)
> is actually dictated internally by libssh2, so that much is out of
> Guacamole's control. Checking the current libssh2 source, the key exchange
> methods reported as rejected above are the only key exchange methods
> supported by libssh2:
>
> https://github.com/libssh2/libssh2/blob/bcd492163b71608f8e46cdc864741d
> 6c566ce9bc/src/kex.c#L1777-L1783
>
>
Correction: the version of libssh2 which you are using, 1.4.3, lacks
support for "diffie-hellman-group-exchange-sha256":

https://github.com/libssh2/libssh2/blob/f1cfa55b6064ba18fc0005713ed790da579361b5/src/kex.c#L939-L944

It was added via:

https://github.com/libssh2/libssh2/commit/fc4a969a0512e226de9b821496d20b9ddf53b741

which is apparently part of their 1.7.0 and 1.8.0 releases. I have not
checked whether those version support the ciphers and MACs that your server
requires, but updating to 1.7.0 or 1.8.0 should get you further in the
process. What you're looking for is impossible to achieve with libssh2
1.4.3.

- Mike

Mime
View raw message