michaellukashov / Far-NetBox

SFTP/SCP/FTP/FTPS/WebDAV/S3 client for Far Manager 3 (http://farmanager.com/)
https://forum.farmanager.com/viewtopic.php?t=6317
GNU General Public License v2.0

Diffie-Hellman group exchange KEX is obsolete #156

Open mmozeiko opened 9 years ago

mmozeiko commented 9 years ago

OpenSSH 6.9 has disabled the obsolete form of the "Diffie-Hellman group exchange" KEX algorithm (source and this). The sshd log shows the message "sshd error Hm, kex protocol error: type 30 seq 1 [preauth]" when NetBox tries to connect to it.

Connecting to such a server with NetBox simply hangs forever. One solution is to move "Diffie-Hellman group exchange" KEX to the last position in the "Algorithm selection policy" setting. Preferably, "ECDH key exchange" should be implemented, like in PuTTY.
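Why reordering the client's list helps, as an added example that is not NetBox or PuTTY code: the SSH_MSG_KEXINIT parser and the RFC 4253 negotiation rule below show that with DH group exchange first in the client's preferences the negotiated KEX is the group-exchange method (after which a PuTTY-derived client sends the pre-RFC 4419 type 30 request that the sshd log above rejects), while moving it last selects a method both sides can complete. The server and client algorithm lists are assumed, not captured from a real session.

```python
"""Parse an SSH_MSG_KEXINIT payload and apply the RFC 4253 KEX negotiation rule."""
import struct

SSH_MSG_KEXINIT = 20
# RFC 4419 message numbers: 30 is the pre-standard DH-GEX request form that the
# "kex protocol error: type 30" log line in this thread refers to, 34 the standard one.
SSH_MSG_KEX_DH_GEX_REQUEST_OLD = 30
SSH_MSG_KEX_DH_GEX_REQUEST = 34


def build_kexinit(kex, hostkey, cookie=b"\x00" * 16):
    """Encode a minimal KEXINIT payload (constructed here, not a captured packet)."""
    def name_list(names):
        data = ",".join(names).encode("ascii")
        return struct.pack(">I", len(data)) + data
    body = bytes([SSH_MSG_KEXINIT]) + cookie
    body += name_list(kex) + name_list(hostkey)
    body += name_list([]) * 8            # enc/mac/comp/lang lists, irrelevant here
    body += b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved
    return body


def parse_kexinit(payload):
    """Return the KEX and host-key name-lists carried by a KEXINIT payload."""
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    pos, lists = 17, []                  # message byte + 16-byte cookie
    for _ in range(10):
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        raw = payload[pos:pos + n].decode("ascii")
        lists.append(raw.split(",") if raw else [])
        pos += n
    return {"kex": lists[0], "hostkey": lists[1]}


def negotiate(client_prefs, server_payload):
    """RFC 4253 section 7.1: the first client algorithm the server also lists wins."""
    server_kex = parse_kexinit(server_payload)["kex"]
    for alg in client_prefs:
        if alg in server_kex:
            return alg
    raise ValueError("no common KEX algorithm")


# Assumed lists: an OpenSSH 6.9-style server and a PuTTY-derived client without ECDH.
SERVER = build_kexinit(["curve25519-sha256@libssh.org", "ecdh-sha2-nistp256",
                        "diffie-hellman-group-exchange-sha256",
                        "diffie-hellman-group14-sha1"], ["ssh-rsa"])
DEFAULT_ORDER = ["diffie-hellman-group-exchange-sha256",
                 "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"]
WORKAROUND_ORDER = DEFAULT_ORDER[1:] + DEFAULT_ORDER[:1]  # group exchange moved last
```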

VictorVG commented 9 years ago

Please temporarily disable this option. WinSCP is based on old PuTTY code and can't fully support the new OpenSSL 1.0.2d changes. Yesterday I noticed that WinSCP support for a new OpenSSL Toolkit release comes with a delay; I get it about a week later, sometimes longer. The new OpenSSL v1.0.2d eliminates the risk of the vulnerability CVE-2015-1793 (http://www.openssl.org/news/secadv_20150709.txt), which is not eliminated in PuTTY / WinSCP.

mmozeiko commented 9 years ago

I'm pretty sure this has nothing to do with OpenSSL and CVE-2015-1793. This is an OpenSSH change that happened in version 6.9. Here's the same problem reported on the WinSCP forum: https://winscp.net/forum/viewtopic.php?t=15626

VictorVG commented 9 years ago

Yes, I've seen it; since yesterday a similar question has been asked in http://forum.ru-board.com/topic.cgi?forum=5&topic=31718&start=7040#2, and one of the solutions found is to update Far. In fact, it would be necessary to fix WinSCP and PuTTY; NetBox is working around the mistakes of others, and we cannot guarantee that they will not surface again later.

mmozeiko commented 9 years ago

When I try to update Far to the latest nightly build (4401), it crashes when connecting to an scp/sftp server:

Exception:   Access violation (write to 0x00007FFFA9FA4C48)
Address:     0x00007FFFA9F04393
Function:    ProcessPanelInputW

Not sure if needed, but I tried deleting pluginchache64/32.db - it doesn't help. Still a crash. Currently I'm using build 4378, which works fine if I move DH group exchange down in the Algorithm selection policy.

VictorVG commented 9 years ago

This error is known - http://bugs.farmanager.com/view.php?id=3018 - and has naturally been corrected.

VictorVG commented 9 years ago

Please check v2.1.43.392 - links: https://github.com/michaellukashov/Far-NetBox/issues/155#issuecomment-120160217

mmozeiko commented 9 years ago

With that, the 4401 build doesn't crash on connect. I still need to disable DH group exchange KEX. But at the end of authentication it shows the error "Incorrect or damaged C:\Program Files\Far Manager\Plugins\NetBox\NetBoxEng.lng Message 2106 not found" and exits the connection.

VictorVG commented 9 years ago

SHA-256 for NetBoxEng.lng and NetBoxRus.lng is:

a2a958b7d13fe50105aa9ee1faabe7a74e72e7331c2b1bafc6de6771003bfa9c NetBoxEng.lng
2e21bfc8169d2d0feddee7284e73038c1623f5d251776521c02930523f8a200c NetBoxRus.lng

The .lng files have not changed since v2.1.43.390. Please check your local copy...

mmozeiko commented 9 years ago

Yes, NetBoxEng.lng has the correct checksum (a2a9...fa9c). Replacing it with NetBoxRus.lng gives me the same error. If it helps, here's the output from the NetBox log with the "Debug 2" level enabled: http://pastebin.com/gjMfRnmh

VictorVG commented 9 years ago

Yes, it seems the language modules really need to be looked at for improvements.

VictorVG commented 9 years ago

Added some problems at http://forum.farmanager.com/viewtopic.php?p=131198#p131198 ...

VictorVG commented 9 years ago

For testing:

NetBox 2.1.43.393 15.07.2015

https://yadi.sk/d/JFdKIO3-hmx4o FarNetBox-2.1.43_Far3_x64.7z
https://yadi.sk/d/KoBPaavdhmx69 FarNetBox-2.1.43_Far3_x86.7z

Please, tell us about the result of the checking!

VictorVG commented 9 years ago

Fixed as part of http://bugs.farmanager.com/view.php?id=3018

I think that, following Mantis #3018, #155 can be closed too.

mmozeiko commented 9 years ago

Yes, now the nightly build (4401) works fine with NetBox 2.1.43.393. Of course, only if I disable DH group exchange as before.

VictorVG commented 9 years ago

Well, with DH as the only remaining mistake, it is easier ...

VictorVG commented 9 years ago

Mantis #3018 is done, but where did http://bugs.farmanager.com/view.php?id=3028 come from?

vladimirmartsul commented 9 years ago

Apparently, the current PuTTY (0.65) http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/rfc4419.html and WinSCP (5.7.5, not released yet) have fixed http://winscp.net/tracker/show_bug.cgi?id=1345. I would very much like to see this implemented in NetBox.