
Diffie-Hellman group exchange KEX is obsolete

Open mmozeiko opened this issue 9 years ago • 17 comments

OpenSSH 6.9 has disabled the obsolete form of the "Diffie-Hellman group exchange" KEX algorithm (source and this). The sshd log shows the message "sshd error Hm, kex protocol error: type 30 seq 1 [preauth]" when NetBox tries to connect to it.

Using NetBox to connect to such a server simply hangs forever. One solution is to move "Diffie-Hellman group exchange" KEX to the last position in the "Algorithm selection policy" setting. Preferably, "ECDH key exchange" should be implemented, like in PuTTY.

mmozeiko avatar Jul 14 '15 03:07 mmozeiko

Please temporarily disable this option. WinSCP is based on old PuTTY code and can't fully support the new OpenSSL 1.0.2d changes. Yesterday I watched, with a delay after the OpenSSL Toolkit release, for the WinSCP version that supports it; I get it in about a week, sometimes longer, and the new OpenSSL v1.0.2d eliminates the risk of the vulnerability CVE-2015-1793 (http://www.openssl.org/news/secadv_20150709.txt), which is not eliminated in PuTTY / WinSCP.

VictorVG avatar Jul 14 '15 11:07 VictorVG

I'm pretty sure this has nothing to do with OpenSSL and CVE-2015-1793. This is an OpenSSH change that happened in version 6.9. Here's the same problem reported on the WinSCP forum: https://winscp.net/forum/viewtopic.php?t=15626

mmozeiko avatar Jul 14 '15 15:07 mmozeiko

Yes, I've seen it; since yesterday a similar question has been asked at http://forum.ru-board.com/topic.cgi?forum=5&topic=31718&start=7040#2 and one of the solutions found was to update Far. In fact, it would be necessary to fix WinSCP and PuTTY; NetBox is working around the mistakes of others, and we cannot guarantee that they will not come up again later.

VictorVG avatar Jul 14 '15 16:07 VictorVG

When I try to update Far to the latest nightly build (4401), it crashes when connecting to an scp/sftp server:

Exception:   Access violation (write to 0x00007FFFA9FA4C48)
Address:     0x00007FFFA9F04393
Function:    ProcessPanelInputW

Not sure if needed, but I tried deleting pluginchache64/32.db; it doesn't help, still a crash. Currently I'm using build 4378, which works fine if I move DH group exchange down in the Algorithm selection policy.

mmozeiko avatar Jul 14 '15 16:07 mmozeiko

This error is known (http://bugs.farmanager.com/view.php?id=3018) and has naturally been corrected.

VictorVG avatar Jul 14 '15 17:07 VictorVG

Please check v2.1.43.392 - links - https://github.com/michaellukashov/Far-NetBox/issues/155#issuecomment-120160217

VictorVG avatar Jul 14 '15 20:07 VictorVG

With that, build 4401 doesn't crash on connect. I still need to disable the DH group exchange KEX. But at the end of authentication it shows the error "Incorrect or damaged C:\Program Files\Far Manager\Plugins\NetBox\NetBoxEng.lng Message 2106 not found" and exits the connection.

mmozeiko avatar Jul 14 '15 21:07 mmozeiko

SHA-256 for NetBoxEng.lng and NetBoxRus.lng is:

a2a958b7d13fe50105aa9ee1faabe7a74e72e7331c2b1bafc6de6771003bfa9c *NetBoxEng.lng
2e21bfc8169d2d0feddee7284e73038c1623f5d251776521c02930523f8a200c *NetBoxRus.lng

The .lng files have not changed since v2.1.43.390. Please check your local copy...

VictorVG avatar Jul 14 '15 22:07 VictorVG

Yes, NetBoxEng.lng has the correct checksum (a2a9...fa9c). Replacing it with NetBoxRus.lng gives me the same error. If it helps, here's the output from the NetBox log if I enable the "Debug 2" level: http://pastebin.com/gjMfRnmh

mmozeiko avatar Jul 14 '15 23:07 mmozeiko

Yes, it seems the language modules really need to be looked at for improvements.

VictorVG avatar Jul 14 '15 23:07 VictorVG

Added some problems at http://forum.farmanager.com/viewtopic.php?p=131198#p131198 ...

VictorVG avatar Jul 15 '15 14:07 VictorVG

For testing:

NetBox 2.1.43.393 15.07.2015

  • Bugfix: Message 2106 not found (http://forum.farmanager.com/viewtopic.php?p=131198#p131198)
  • Bugfix: AV trying to open SCP session (http://forum.farmanager.com/viewtopic.php?p=131130#p131130)
  • Bugfix: SCP, SFTP: verified host key is not stored (http://forum.farmanager.com/viewtopic.php?p=131079#p131079)
  • Bugfix: AV when connecting using tunnel (http://bugs.farmanager.com/view.php?id=3018)
  • Update openssl sources to 1.0.2d

https://yadi.sk/d/JFdKIO3-hmx4o FarNetBox-2.1.43_Far3_x64.7z https://yadi.sk/d/KoBPaavdhmx69 FarNetBox-2.1.43_Far3_x86.7z

Please tell us the result of the check!

VictorVG avatar Jul 15 '15 20:07 VictorVG

Fixed as part of http://bugs.farmanager.com/view.php?id=3018

I think that, following Mantis #3018, #155 can be closed as well.

VictorVG avatar Jul 16 '15 23:07 VictorVG

Yes, now nightly build (4401) works fine with NetBox 2.1.43.393. Of course, only if I disable DH group exchange as before.

mmozeiko avatar Jul 16 '15 23:07 mmozeiko

Well, with DH as the only mistake, it is easier...

VictorVG avatar Jul 17 '15 12:07 VictorVG

Mantis #3018 has been dealt with, but where did http://bugs.farmanager.com/view.php?id=3028 come from?

VictorVG avatar Jul 17 '15 20:07 VictorVG

Apparently, in the current PuTTY (0.65) http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/rfc4419.html and WinSCP (5.7.5 (not released yet)) this has been fixed: http://winscp.net/tracker/show_bug.cgi?id=1345 I would very much like an implementation within NetBox.

vladimirmartsul avatar Jul 21 '15 12:07 vladimirmartsul
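The two things this thread turns on, reduced to runnable form as an added example: the pre-RFC 4419 group-exchange request that sshd rejects with "kex protocol error: type 30" (the opening post) versus the RFC 4419 request that PuTTY 0.65 switched to (the last comment), plus why moving "Diffie-Hellman group exchange" to the end of the client's KEX list works around it. This is not NetBox, PuTTY or OpenSSH code. The message numbers and field layouts are those of RFC 4419 section 5, the selection rule is RFC 4253 section 7.1, and the algorithm lists and group sizes are constructed for illustration, not copied from any real configuration.

```python
import struct

# Message numbers from RFC 4419, section 5.
SSH_MSG_KEX_DH_GEX_REQUEST_OLD = 30   # legacy form: uint32 n
SSH_MSG_KEX_DH_GEX_REQUEST = 34       # RFC 4419 form: uint32 min, uint32 n, uint32 max


class KexProtocolError(Exception):
    """A KEX message the peer does not handle (what the sshd log line reports)."""


def build_gex_request_old(n_bits: int) -> bytes:
    """Legacy request: only the preferred group size, no bounds."""
    return struct.pack(">BI", SSH_MSG_KEX_DH_GEX_REQUEST_OLD, n_bits)


def build_gex_request(min_bits: int, n_bits: int, max_bits: int) -> bytes:
    """RFC 4419 request: minimum, preferred and maximum group size in bits."""
    if not min_bits <= n_bits <= max_bits:
        raise ValueError("need min <= n <= max")
    return struct.pack(">BIII", SSH_MSG_KEX_DH_GEX_REQUEST, min_bits, n_bits, max_bits)


def parse_gex_request(payload: bytes, accept_legacy: bool) -> tuple:
    """Server-side parse of a group-exchange request payload.

    Returns (min, n, max). The legacy form carries no bounds, so min and max
    come back as None. A server that no longer accepts the legacy form fails
    the same way the sshd log in the issue does: an unhandled type 30 message.
    """
    if not payload:
        raise KexProtocolError("empty payload")
    msg_type = payload[0]
    if msg_type == SSH_MSG_KEX_DH_GEX_REQUEST:
        if len(payload) != 13:
            raise KexProtocolError("bad length for type 34")
        min_bits, n_bits, max_bits = struct.unpack(">III", payload[1:])
        if not min_bits <= n_bits <= max_bits:
            raise KexProtocolError("inconsistent group size bounds")
        return (min_bits, n_bits, max_bits)
    if msg_type == SSH_MSG_KEX_DH_GEX_REQUEST_OLD:
        if not accept_legacy:
            raise KexProtocolError(f"kex protocol error: type {msg_type}")
        if len(payload) != 5:
            raise KexProtocolError("bad length for type 30")
        (n_bits,) = struct.unpack(">I", payload[1:])
        return (None, n_bits, None)
    raise KexProtocolError(f"kex protocol error: type {msg_type}")


def negotiate_kex(client_kex: list, server_kex: list) -> str:
    """RFC 4253 7.1: the first name on the client's list that the server also offers."""
    for name in client_kex:
        if name in server_kex:
            return name
    raise KexProtocolError("no matching key exchange method")


def simulate_connect(client_kex, server_kex, client_sends_legacy, server_accepts_legacy):
    """Return the negotiated KEX name, or raise as the server would.

    The legacy request is only ever sent once a group-exchange method has been
    chosen, so a client list that puts group exchange last never trips the error
    as long as some other method is shared with the server.
    """
    chosen = negotiate_kex(client_kex, server_kex)
    if chosen.startswith("diffie-hellman-group-exchange-"):
        if client_sends_legacy:
            payload = build_gex_request_old(2048)           # what old PuTTY code sent
        else:
            payload = build_gex_request(1024, 2048, 8192)   # RFC 4419 form
        parse_gex_request(payload, accept_legacy=server_accepts_legacy)
    return chosen


# Constructed algorithm lists modelled on the thread (assumptions, not real configs).
CLIENT_DEFAULT_KEX = ["diffie-hellman-group-exchange-sha256", "diffie-hellman-group14-sha1"]
CLIENT_REORDERED_KEX = ["diffie-hellman-group14-sha1", "diffie-hellman-group-exchange-sha256"]
SERVER_KEX = ["ecdh-sha2-nistp256", "diffie-hellman-group-exchange-sha256", "diffie-hellman-group14-sha1"]

if __name__ == "__main__":
    for label, client, legacy in [("default list, legacy client", CLIENT_DEFAULT_KEX, True),
                                  ("GEX moved last, legacy client", CLIENT_REORDERED_KEX, True),
                                  ("default list, RFC 4419 client", CLIENT_DEFAULT_KEX, False)]:
        try:
            print(label, "->", simulate_connect(client, SERVER_KEX, legacy, False))
        except KexProtocolError as exc:
            print(label, "->", exc)
```

The three runs in the main block correspond to the three states in the thread: NetBox as shipped hanging against a server that dropped the legacy form, the reordering workaround succeeding over group14, and a client with the PuTTY 0.65 fix negotiating group exchange normally.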