On Wed, Dec 2, 2015 at 3:27 PM, Akshay Joshi <akshay.jo...@enterprisedb.com> wrote:
> On Wed, Dec 2, 2015 at 3:20 PM, Dave Page <dp...@pgadmin.org> wrote:
>
>> Hi
>>
>> On Wed, Dec 2, 2015 at 9:19 AM, Akshay Joshi <akshay.jo...@enterprisedb.com> wrote:
>>
>>> Hi Dave
>>>
>>> I have updated the *libssh2* library with the latest available code on
>>> their git repository. The new code used
>>> "diffie-hellman-group-exchange-sha256" algorithm for
>>> key exchange and they also fixed some memory leak. I have verified it by
>>> putting the breakpoint in the libssh2 code, so when we called
>>> "libssh2_session_init()" it will automatically call
>>> "static int diffie_hellman_sha256(...)" function, but I don't know exactly how to identify
>>> the key exchange method (sha1 or sha256) used by the latest libssh2 library.
>>>
>>> I have tested the pgadmin3 after updating the libssh2 library on CentOS
>>> 6.5 (64 bit) and it works fine. I have also modified the code to add
>>> human readable error message returned by the library. Attached is the
>>> patch file. Can you please review it and if it looks good can you please
>>> commit the code.
>>
>> I'm seeing the following build error on OS X 10.7:
>>
>> depbase=`echo libssh2/agent.o | sed 's|[^/]*$|.deps/&|;s|\.o$||'`;\
>> ccache gcc -Qunused-arguments -DHAVE_CONFIG_H -I. -I..
>> -I../pgadmin/include/libssh2 -I../pgadmin/include
>> -I../pgadmin/include/libssh2 -I/usr/local/pgsql-9.5/include
>> -I/usr/local/pgsql-9.5/include/server -I/usr/local/pgsql-9.5/include
>> -DPG_SSL -DHAVE_CONNINFO_PARSE
>> -I/usr/local/lib/wx/include/mac-unicode-release-static-2.8
>> -I/usr/local/include/wx-2.8 -D_FILE_OFFSET_BITS=64 -D_LARGE_FILES
>> -D__WXMAC__ -DEMBED_XRC -arch i386 -I/usr/include/libxml2
>> -I/opt/local/include/libxml2 -DHAVE_OPENSSL_CRYPTO -O2 -MT libssh2/agent.o
>> -MD -MP -MF $depbase.Tpo -c -o libssh2/agent.o libssh2/agent.c &&\
>> mv -f $depbase.Tpo $depbase.Po
>> In file included from ../pgadmin/include/libssh2/libssh2_priv.h:136,
>> from libssh2/agent.c:41:
>> ../pgadmin/include/libssh2/crypto.h:53: error: expected ‘)’ before ‘*’ token
>> ../pgadmin/include/libssh2/crypto.h:69: error: expected ‘)’ before ‘*’ token
>> ../pgadmin/include/libssh2/crypto.h:73: error: expected ‘)’ before ‘*’ token
>> ../pgadmin/include/libssh2/crypto.h:78: error: expected declaration specifiers or ‘...’ before ‘libssh2_rsa_ctx’
>> ../pgadmin/include/libssh2/crypto.h:83: error: expected ‘)’ before ‘*’ token
>> ../pgadmin/include/libssh2/crypto.h:115: error: expected ‘)’ before ‘*’ token
>> ../pgadmin/include/libssh2/crypto.h:120: error: expected ‘)’ before ‘*’ token
>> In file included from libssh2/agent.c:41:
>> ../pgadmin/include/libssh2/libssh2_priv.h:240: error: ‘SHA256_DIGEST_LENGTH’ undeclared here (not in a function)
>> ../pgadmin/include/libssh2/libssh2_priv.h:245: error: expected specifier-qualifier-list before ‘_libssh2_bn_ctx’
>> ../pgadmin/include/libssh2/libssh2_priv.h:267: error: expected specifier-qualifier-list before ‘_libssh2_bn’
>> ../pgadmin/include/libssh2/libssh2_priv.h:604: error: ‘SHA_DIGEST_LENGTH’ undeclared here (not in a function)
>> ../pgadmin/include/libssh2/libssh2_priv.h:899: error: expected specifier-qualifier-list before ‘_libssh2_cipher_type’
>> libssh2/agent.c: In function ‘agent_connect_unix’:
>> libssh2/agent.c:150: warning: assignment makes pointer from integer without a cast
>> make[3]: *** [libssh2/agent.o] Error 1
>> make[2]: *** [all] Error 2
>> make[1]: *** [all-recursive] Error 1
>> make: *** [all] Error 2
>
> I have modified the configure.ac.in and added "-DLIBSSH2_OPENSSL" to
> solve the above. You need to run the configure command again.

You also need to rerun the bootstrap script.

--
Thanks & Regards,
Ashesh Vashi
EnterpriseDB INDIA: Enterprise PostgreSQL Company <http://www.enterprisedb.com>
http://www.linkedin.com/in/asheshvashi

>>> Sven, how you have identified the key exchange algorithm used by
>>> libssh2, is there any way to identify using fingerprint or key??
>>>
>>> On Mon, Nov 30, 2015 at 6:38 PM, Dave Page <dp...@pgadmin.org> wrote:
>>>
>>>> Ok, thanks Akshay.
>>>>
>>>> --
>>>> Dave Page
>>>> Blog: http://pgsnake.blogspot.com
>>>> Twitter: @pgsnake
>>>>
>>>> EnterpriseDB UK: http://www.enterprisedb.com
>>>> The Enterprise PostgreSQL Company
>>>>
>>>> On 30 Nov 2015, at 12:57, Akshay Joshi <akshay.jo...@enterprisedb.com> wrote:
>>>>
>>>> Hi Dave
>>>>
>>>> On Mon, Nov 30, 2015 at 10:41 AM, Akshay Joshi <akshay.joshi@enterprisedb.com> wrote:
>>>>
>>>>> Hi Dave
>>>>>
>>>>> On Fri, Nov 27, 2015 at 3:01 PM, Dave Page <dp...@pgadmin.org> wrote:
>>>>>
>>>>>> On Fri, Nov 27, 2015 at 9:23 AM, Sven <svoop_6cedifw...@delirium.ch> wrote:
>>>>>> >> The key exchange methods offered when opening an SSH tunnel are all
>>>>>> >> SHA1 and therefore too weak:
>>>>>> >>
>>>>>> >> [sshd] fatal: Unable to negotiate with xxx.xxx.xxx.xxx: no matching
>>>>>> >> key exchange method found. Their offer:
>>>>>> >> diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,
>>>>>> >> diffie-hellman-group1-sha1 [preauth]
>>>>>> >
>>>>>> > Any news on this? If there's no easy way to add safer kexes, I suggest
>>>>>> > you disable the SSH feature altogether. SHA1 is dead and IMO nobody
>>>>>> > should trust a connection established with SHA1 kexes in order to talk
>>>>>> > to databases.
>>>>>>
>>>>>> Akshay, you know that code best of all. How do we enable safer kexes?
>>>>>
>>>>> Today I'll look into it on priority and update accordingly.
>>>>
>>>> I have found that "diffie-hellman-group-exchange-sha256"
>>>> support has been added to the libssh2 code on September 24, it's not
>>>> released yet. Please check https://github.com/libssh2/libssh2/pull/48 .
>>>> Today I have tried to update the libssh2, but facing some compilation
>>>> issues which need to be fixed. I am working on it and then check do we
>>>> need to change our logic or libssh2 will automatically use
>>>> "diffie-hellman-group-exchange-sha256".
>>>>
>>>>> --
>>>>> *Akshay Joshi*
>>>>> *Principal Software Engineer*
>>>>>
>>>>> *Phone: +91 20-3058-9517 Mobile: +91 976-788-8246*
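
The negotiation behind the sshd error quoted in this thread, as an added example (not code from the thread, pgAdmin or libssh2): it applies a simplified form of the RFC 4253 kex selection rule to the client offer from the log and to an updated offer. The server list, the updated client list and all function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* OLD_OFFER is from the sshd log in the thread; the others are constructed. */
static const char OLD_OFFER[] = "diffie-hellman-group14-sha1,"
    "diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1";
static const char SERVER[] = "diffie-hellman-group-exchange-sha256";
static const char NEW_OFFER[] =
    "diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1";

/* Return 1 if the n-byte name is an element of the comma-separated list. */
static int in_list(const char *list, const char *name, size_t n) {
    for (;; list += strcspn(list, ",") + 1) {
        size_t len = strcspn(list, ",");
        if (len == n && memcmp(list, name, n) == 0)
            return 1;
        if (list[len] == '\0')
            return 0;
    }
}

/* Simplified RFC 4253 section 7.1 rule: the first name in the client's list
 * that the server also lists is chosen. Returns 0 and fills out, or -1 when
 * the lists share no method (sshd's "no matching key exchange method"). */
int negotiate_kex(const char *client, const char *server, char *out, size_t cap) {
    for (;; client += strcspn(client, ",") + 1) {
        size_t len = strcspn(client, ",");
        if (len > 0 && len < cap && in_list(server, client, len)) {
            memcpy(out, client, len);
            out[len] = '\0';
            return 0;
        }
        if (client[len] == '\0')
            return -1;
    }
}

/* Return 1 if the method name ends in "-sha1". */
int kex_uses_sha1(const char *kex) {
    size_t n = strlen(kex);
    return n >= 5 && strcmp(kex + n - 5, "-sha1") == 0;
}

int main(void) {
    char kex[64] = "none";
    printf("old client: rc=%d\n", negotiate_kex(OLD_OFFER, SERVER, kex, sizeof kex));
    if (negotiate_kex(NEW_OFFER, SERVER, kex, sizeof kex) == 0)
        printf("new client: %s sha1=%d\n", kex, kex_uses_sha1(kex));
    return 0;
}
```

Against a live session, libssh2's `libssh2_session_methods(session, LIBSSH2_METHOD_KEX)` returns the name of the key exchange method that was actually negotiated.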