The hardening is one of the security profiles that comes with RHEL7.7.  Either 
the USG or the NIST 800-171 profiles.  We use those as a starting point for our 
configuration.  On the specific RHEL7 VMs I am running, I was able to fix the 
problem by doing two things (and both needed to be done).  1. Disable fips by 
removing fips=1 from grub.  2. Remove "Ciphers 
aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc" 
from sshd_config.  The RHEL6 machine has neither of those implemented, but it 
is a production machine and I can't play around too much with it.  Going back 
to the RHEL7 machines, it is possible that the updated sshlib lacks some of the 
needed encryption libraries in 4.1.2.2, which 4.1.2.0 has?  Also, if that 
is the case, it seems like it isn't properly handling that condition.
Thanks,
Josh

On Thursday, March 26, 2020, 12:25:04 PM EDT, Ulrich Sibiller <ul...@gmx.de> 
wrote: 

Ok, what hardening measures have you taken?

Uli

On Thu, Mar 26, 2020 at 5:17 PM Josh G <gabmaster...@yahoo.com> wrote:
>
> I am using the gui to configure and I have unchecked "Enable sound support" 
> and "Client side printing support."  There are no shared folders configured, 
> but I didn't see a way to explicitly disable that.  Generally, I have toggled 
> just about any option to see if I can get it to work.  I have tried different 
> authentication methods (password and key).  I have tried MATE, XFCE, and 
> Internet browser.  All work on 4.1.2.0, but not on 4.1.2.2.  I did stand up 
> another VM that is RHEL7 minimal install with just the hardening.  It fails 
> as well, so it clearly has to be something about the hardening.
> Any other ideas of what else I should look at?
> Thanks,
> Josh
>
> On Thursday, March 26, 2020, 7:13:28 AM EDT, Ulrich Sibiller <ul...@gmx.de> 
> wrote:
>
> Does the situation improve if you disable audio, printer and file support?
>
> Uli
>
> On Thu, Mar 26, 2020 at 1:39 AM Josh G <gabmaster...@yahoo.com> wrote:
> >
> > I stood up some test machines to figure out the issue.  I have the issue on 
> > a clean RHEL7 machine with lots of packages and some security hardening 
> > done on it.  It does not happen on an Ubuntu MATE install or on a RHEL7 
> > minimal install without hardening.  I need to track down the issue to see 
> > if it is something that might be able to be fixed.  I tried simple things 
> > like reverting the sshd_config and setting selinux to permissive.  While 
> > running with --debug and --libssh-debug, there is nothing obvious.  With 
> > --debug, the last statement is a mention that the ssh port is 22 (right 
> > before it calls ssh_connect, I think).  With --debug and --libssh-debug, 
> > the last statement seems like what I would consider benign ssh message 
> > passing.  There is really not much of interest.  The only warning that I 
> > see at all is that /etc/ssh/ssh_known_hosts doesn't exist.
> >
> > Does anyone have any ideas of what I should look at?  It has to be 
> > something that changed in 4.1.2.2 over 4.1.2.0, since the latter still 
> > functions OK.
> >
> > Thanks,
> > Josh
> >
> >
> > On Monday, March 2, 2020, 4:31:46 PM EST, Josh G <gabmaster...@yahoo.com> 
> > wrote:
> >
> > I just installed the Windows client version 4.1.2.2.  It crashes as soon as 
> > it tries to make the SSH connection.  I tried debug and the debug window 
> > closes immediately as well.  Is there a log somewhere?  It was tried on two 
> > different machines that have different OSs and virus protection.  4.1.2.0 
> > works fine.  It doesn't crash when attempting to connect to a computer that 
> > isn't running SSH (just times out).  It does crash when trying to connect 
> > to that same computer by tunneling through another machine that is running 
> > SSH.  If I try to connect to a new machine, it crashes as soon as I accept 
> > the host key.  If you put in a wrong password, it still crashes.  Thus, 
> > there is never a completed SSH connection.  Is there anything I can look at 
> > or do?  I was hoping that 4.1.2.2 would fix some of the annoyances that 
> > prevent me from deploying X2Go to other users.
> > Thanks,
> > Josh
>
> > _______________________________________________
> > x2go-user mailing list
> > x2go-user@lists.x2go.org
> > https://lists.x2go.org/listinfo/x2go-user