Re: [X2Go-User] kex error

2016-01-30 Thread Klaus Fuerstberger
Mihai Moldovan wrote on 29.01.2016 at 18:38:
> Note that libssh versions from 0.5.3 onwards also support the group14-sha1 key
> exchange algorithm. Debian Wheezy is shipping 0.5.4, so that would be covered.
> Unless you need even older clients to connect to the server (for instance Ubuntu
> Precise), I suggest removing "diffie-hellman-group1-sha1" from the KexAlgorithms
> key again, because "diffie-hellman-group14-sha1" - which is also in the list -
> should be enough to let X2Go Client (via libssh) connect to the server.

I can confirm that "diffie-hellman-group1-sha1" is not necessary with
older x2go clients and "diffie-hellman-group14-sha1" is enough. Thanks
for the hint!

Regards
Klaus
___
x2go-user mailing list
x2go-user@lists.x2go.org
http://lists.x2go.org/listinfo/x2go-user


Re: [X2Go-User] kex error

2016-01-30 Thread Klaus Fuerstberger
Stefan Baur wrote on 29.01.2016 at 18:16:
> which ends up in two lines in e-mail, due to the enforced line
> break at the blank. ;-)

Haha, sure Stefan :-)


Re: [X2Go-User] kex error

2016-01-29 Thread Mihai Moldovan
On 29.01.2016 05:37 PM, KARL A. WOELFER wrote:
> Thank you Klaus - I added the workaround, on the Debian 8 x2go server
> workstation, but now all ssh connections are refused.
> 
> x2go client says "Connection refused".
> 
> Is there something more to do?

"Connection refused" means that the SSH server is not running.

Please make sure it is started.

Maybe it was unable to parse the modified configuration file and failed to start
as a consequence.



Mihai






Re: [X2Go-User] kex error

2016-01-29 Thread KARL A. WOELFER
Thank you for the quick response Stefan. 
I did pursue Option #2, but only adding a KexAlgorithms section to 
/etc/ssh/sshd_config on the server.

Here is my sshd_config (with KexAlgorithms commented out, to re-enable regular 
ssh connections)

# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin without-password
StrictModes yes

#  KexAlgorithms 
#  
curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes


Thank you again for your time and expertise.
- Karl

From: x2go-user-boun...@lists.x2go.org <x2go-user-boun...@lists.x2go.org> on
behalf of Stefan Baur <x2go-m...@baur-itcs.de>
Sent: Friday, 29 January 2016 08:50
To: x2go-user@lists.x2go.org
Subject: Re: [X2Go-User] kex error


On 29.01.2016 at 17:37, KARL A. WOELFER wrote:
> Thank you Klaus - I added the workaround, on the Debian 8 x2go
> server workstation, but now all ssh connections are refused.
>
> x2go client says "Connection refused".
>
> Is there something more to do?

I see two options/workarounds listed at
http://permalink.gmane.org/gmane.linux.terminal-server.x2go.user/2368
 - I'm assuming you went for the second option, is that correct?

If so, a copy of your /etc/ssh/sshd_config would greatly aid in
helping you resolve this.

-Stefan


--
BAUR-ITCS UG (haftungsbeschränkt)
Managing Director: Stefan Baur
Eichenäckerweg 10, 89081 Ulm | Register court Ulm, HRB 724364
Phone/Fax 0731 40 34 66-36/-35 | VAT ID: DE268653243


Re: [X2Go-User] kex error

2016-01-29 Thread Mihai Moldovan
On 29.01.2016 06:07 PM, KARL A. WOELFER wrote:
> Thanks Mihai - 
> 
> Great point - I will check the ssh server. 
> Here is the sshd_config on the server (I commented out the KexAlgorithms
> section, to re-enable normal ssh):
> [...]
> #  KexAlgorithms 
> #  
> curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1

You must NOT write this on two lines. This MUST be on one line.

This is the reason sshd did not start.



Mihai




Re: [X2Go-User] kex error

2016-01-29 Thread Klaus Fuerstberger
KARL A. WOELFER wrote on 29.01.2016 at 18:03:
> #  KexAlgorithms 
> #  
> curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1

Option and value should be on one line.

Here is my working entry:

KexAlgorithms
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1

Regards
Klaus


Re: [X2Go-User] kex error

2016-01-29 Thread Stefan Baur

On 29.01.2016 at 18:14, Klaus Fuerstberger wrote:
> Option and value should be on one line.
> 
> Here is my working entry:
> 
> KexAlgorithms 
> ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1

...
> 
which ends up in two lines in e-mail, due to the enforced line
break at the blank. ;-)

-Stefan



Re: [X2Go-User] kex error

2016-01-29 Thread Mihai Moldovan
On 29.01.2016 06:13 PM, KARL A. WOELFER wrote:
> Mihai - 
> 
> Your tip was spot-on. Everything looks to be working now, thank you so much
> for the troubleshooting.
> Thanks to everyone for their support.

As a general piece of advice: all lines in sshd_config (and ssh_config) are
key-value pairs. If you don't specify a value for a key, sshd will either error
out while parsing its config file during startup or assume an empty value for
the key. Then, it will definitely error out while parsing the next line because
it found an unknown key.


Note that libssh versions from 0.5.3 onwards also support the group14-sha1 key
exchange algorithm. Debian Wheezy is shipping 0.5.4, so that would be covered.
Unless you need even older clients to connect to the server (for instance Ubuntu
Precise), I suggest removing "diffie-hellman-group1-sha1" from the KexAlgorithms
key again, because "diffie-hellman-group14-sha1" - which is also in the list -
should be enough to let X2Go Client (via libssh) connect to the server.

Try setting KexAlgorithms to (I'll only post the value here, hope you can deduce
the full line in sshd_config from my previous explanation -- and make sure that
it's one line only, i.e., just copy-pasting from my mail may split it onto
several lines):

curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1

Restart sshd and see if X2Go Client can connect.

If it does not, try this:

curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1

Restart sshd, X2Go Client connect.

If it still does not, you'll need to use the original value, i.e.:

curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1



Mihai
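
The key-value rule and the group1-sha1 advice from the mail above, as an added
example that is not part of the original post or of OpenSSH/X2Go: a small
shell/awk lint that flags a KexAlgorithms keyword left without a value, an
algorithm list orphaned on its own line, and a list that still enables
diffie-hellman-group1-sha1. The function name check_kex and the sample files
are constructed for illustration.

```shell
#!/bin/sh
# check_kex FILE: print one finding per line; print nothing for a clean file.
check_kex() {
    awk '
    # Skip comments and blank lines, as sshd does.
    /^[ \t]*(#|$)/ { next }
    {
        # A lone comma-separated algorithm list where a keyword should be:
        # the value was wrapped onto its own line (e.g. by a mail client).
        if (NF == 1 && $1 ~ /,/ && $1 ~ /-sha/) {
            printf "line %d: orphaned algorithm list (value split from its keyword)\n", NR
            next
        }
        # sshd_config keywords are case-insensitive.
        if (tolower($1) == "kexalgorithms") {
            if (NF < 2) {
                printf "line %d: KexAlgorithms has no value on the same line\n", NR
                next
            }
            n = split($2, algo, ",")
            for (i = 1; i <= n; i++)
                if (algo[i] == "diffie-hellman-group1-sha1")
                    printf "line %d: diffie-hellman-group1-sha1 enabled (group14-sha1 suffices for libssh >= 0.5.3)\n", NR
        }
    }' "$1"
}

# Constructed sample inputs (not taken from a real server).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Keyword and value split across two lines, as in the broken config.
printf '%s\n' 'Port 22' 'KexAlgorithms' \
    'ecdh-sha2-nistp256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1' \
    > "$tmp/wrapped"

# Keyword and value on one line, without group1-sha1.
printf '%s\n' 'Port 22' \
    'KexAlgorithms ecdh-sha2-nistp256,diffie-hellman-group14-sha1' \
    > "$tmp/good"

echo "wrapped:"; check_kex "$tmp/wrapped"
echo "good:";    check_kex "$tmp/good"
```

On a real server, running sshd -t (test mode) before the restart is the
authoritative check; this lint only catches the wrapped-line case early.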






[X2Go-User] kex error RE: Debian 8.3 - packages cannot be installed

2016-01-28 Thread KARL A. WOELFER
> maybe you enabled security.debian.org, but not ftp.debian.org? 
that was indeed what prevented installation, thank you !

Now, is there some new configuration with keys?

My previous X2go clients (V4.0.3.0, running on Debian 7) cannot connect to this 
new server, giving the following.

kex error : did not find one of algos diffie-hellman-group1-sha1 in list 
curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
 for kex algos

Thank you again for your time and expertise.
- Karl

From: x2go-user-boun...@lists.x2go.org on behalf of Stefan Baur
Sent: Thursday, 28 January 2016 12:27
To: x2go-user@lists.x2go.org
Subject: Re: [X2Go-User] Debian 8.3 - packages cannot be installed


On 28.01.2016 at 20:51, KARL A. WOELFER wrote:

> I am not able to install x2go on the latest Debian 8.3 (amd64). Is
> this a known problem?

Unable to reproduce. Works just fine here.

You did run apt-get update before running apt-get install x2goserver,
right?

If not, please do so, and try again.

If you did, or if the problem persists, please post the content of
your sources.list.

Your error messages might hint at missing Debian repositories (maybe
you enabled security.debian.org, but not ftp.debian.org? - your
sources.list will tell us more).

Kind Regards,
Stefan Baur
