Komodo / KomodoEdit

Komodo Edit is a fast and free multi-language code editor. Written in JS, Python, C++ and based on the Mozilla platform.
http://www.komodoide.com/komodo-edit

Komodo SSH client using weak algos #2097

Closed 01000101 closed 7 years ago

01000101 commented 7 years ago

Short Summary

When using remote servers (SFTP, SCP), the Komodo SSH client only sends weak, outdated HMAC algorithm support to the server. If the SSH server is using modern, secure algorithms and rejects outdated ones, the connection will fail.

Steps to Reproduce

Using Komodo IDE's "server" tab in the preferences, create a connection to an SSH service that does not accept weak HMAC (SHA1, MD5).

Expected results

A good, secure connection

Actual results

No connection

Platform Information

Komodo Edit or IDE? Komodo IDE
Komodo Version? 10.1.1 build 89474
Operating System (and version)? Linux x86_64, Fedora 23

Additional Information

Komodo sends the following HMAC support to the server:

A secure server is not going to accept those and is likely looking for the following:

Actual error message: fatal: no matching mac found: client hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96 server hmac-sha2-512,hmac-sha2-256 [preauth]

For completeness, here are the algorithms supported by my SSH service. I've written many security articles and confirmed with many security professionals that this is a modern, secure, and suggested SSH server configuration, and Komodo should be supporting these algorithms (even if it doesn't remove support for weaker ones).

# Message Authentication Code (Hash, only SHA2-512)
#  SHA-256 included for compat with PuTTY-WinCrypt clients
MACs hmac-sha2-512,hmac-sha2-256
# Ciphers (only secure AES-256)
Ciphers aes256-cbc,aes256-ctr
# Key Exchange algorithms (Elliptic Curve Diffie-Hellman)
#  DH-SHA-256 included for compat with PuTTY-WinCrypt clients
KexAlgorithms ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
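To make the negotiation failure quoted above easier to triage from the server side, here is an added example (not Komodo's or Paramiko's code) that parses the older OpenSSH "no matching mac found: client ... server ..." line, shows what each side offered, and flags the weak MACs the client proposed. The log lines and their syslog prefixes are constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample log: the first line is the failure quoted in the issue
# (with a made-up syslog prefix), the second is unrelated noise the parser
# must ignore.
SAMPLE_LOG = """\
Oct 16 11:49:17 example-host sshd[2869]: fatal: no matching mac found: client hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96 server hmac-sha2-512,hmac-sha2-256 [preauth]
Oct 16 11:54:58 example-host sshd[2883]: Accepted publickey for user from 192.0.2.10 port 38748 ssh2: RSA SHA256:EXAMPLE
"""

# Older OpenSSH wording for MAC, cipher and key-exchange negotiation
# failures; both offered lists are captured verbatim.
MISMATCH_RE = re.compile(
    r"no matching (?P<kind>mac|cipher|key exchange method) found: "
    r"client (?P<client>\S+) server (?P<server>\S+)",
    re.IGNORECASE,
)

# MACs an administrator would want flagged when a client still offers them.
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1", "hmac-sha1-96"}


@dataclass
class Mismatch:
    kind: str
    client: list
    server: list
    weak_client: list = field(default_factory=list)

    @property
    def common(self):
        """Algorithms both sides offered (empty when negotiation failed)."""
        return [a for a in self.client if a in self.server]


def parse_mismatches(log_text):
    """Return one Mismatch per negotiation-failure line in the sshd log."""
    results = []
    for line in log_text.splitlines():
        m = MISMATCH_RE.search(line)
        if not m:
            continue
        kind = m.group("kind").lower()
        client = m.group("client").split(",")
        server = m.group("server").split(",")
        weak = [a for a in client if a in WEAK_MACS] if kind == "mac" else []
        results.append(Mismatch(kind, client, server, weak))
    return results


if __name__ == "__main__":
    for mm in parse_mismatches(SAMPLE_LOG):
        print(mm.kind, "client:", mm.client, "server:", mm.server,
              "common:", mm.common, "weak client MACs:", mm.weak_client)
```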

01000101 commented 7 years ago

It looks like this is fixed in commit https://github.com/Komodo/KomodoEdit/commit/2776d63b100b7215976e958857d1db205fe0fbf6 but not rolled into Komodo IDE yet.

Defman21 commented 7 years ago

It probably doesn't, because of Python 2.7. I could test it if you want; I just need a very secure server (or an account on a very secure server :))

01000101 commented 7 years ago

I'm not sure what Python 2.7 has to do with this. This is a Paramiko configuration issue.

Defman21 commented 7 years ago

Ohh, I thought your issue was related to https://github.com/Komodo/KomodoEdit/issues/520 https://github.com/Komodo/KomodoEdit/issues/520#issuecomment-248384535

Note the commit you linked to has been integrated from the Komodo/KomodoIDE master branch, so it should be there.

01000101 commented 7 years ago

Ah, no, but that also would be nice :) If anyone does want to set up a test SSH service, here's the config I use, which serves as a good starting point. https://joscor.com/blog/hardening-openssh-server-ubuntu-14-04/

Defman21 commented 7 years ago

Or, if the milestone is correct, the change will be in a Komodo 11 build. I'm going to set up a server following the guides in your link and test it with my Komodo IDE release and a Komodo Edit built from master.

Defman21 commented 7 years ago

Komodo IDE gives me:

Oct 16 11:49:17 defman21 sshd[2869]: fatal: ssh_dispatch_run_fatal: Connection to <hidden>: no matching MAC found [preauth]

Gonna try a Komodo Edit build.

Defman21 commented 7 years ago

Custom build: works fine!

Oct 16 11:54:58 defman21 sshd[2883]: Accepted publickey for root from <hidden> port 38748 ssh2: RSA SHA256:<hidden>

(yeah, root 😛 )

The issue will be resolved in Komodo 11.

01000101 commented 7 years ago

Great! Thanks for being so quick about testing.

Naatan commented 7 years ago

Thanks for the follow up @Defman21 :) Closing this in favour of #252.

01000101 commented 7 years ago

OK? I'm not sure why this is closed in favor of a vaguely-related ticket that won't fix this issue.

01000101 commented 7 years ago

@Naatan Why did you reference that ticket as the duplicate? Was it a mistake?

Defman21 commented 7 years ago

Since the ticket Nathan linked to is fixed by upgrading Paramiko, this has been closed in favor of it.

Naatan commented 7 years ago

@01000101 The solution to #252 is the same as to this one, even though the problem is slightly different.