I believe you should be able to just update the library and have things work, without recompiling Guacamole. The libssh2 project is pretty good about not breaking the API or ABI. Just make sure that the older version is fully uninstalled, and once the new version is installed maybe double-check using ldd that libguac-client-ssh.so still links against libssh2.
- Mike On Feb 6, 2018 10:19, <harry.dev...@faa.gov> wrote: > I checked with Red Hat, and their latest released version is 1.4.3. They > made it seem like they are not currently going to release anything newer, > but I’m trying to get them to give me a time frame. We can’t SSH to FIPS > 140-2 compliant machines via guacamole without it. When I get > libssh2-devel resolved/updated, would I have to recompile guacamole? > > > > Thanks, > > Harry > > > > *From:* Mike Jumper [mailto:mike.jum...@guac-dev.org] > *Sent:* Wednesday, January 24, 2018 5:08 PM > *To:* user@guacamole.apache.org > *Subject:* Re: Connection failures > > > > On Wed, Jan 24, 2018 at 2:02 PM, Mike Jumper <mike.jum...@guac-dev.org> > wrote: > > On Wed, Jan 24, 2018 at 11:49 AM, <harry.dev...@faa.gov> wrote: > > Did some more debugging. When we try to connect to a server that is FIPS > 140-2 compliant, here’s what the algorithms that are expected are: > > > > When I try to connect via a Guacamole SSH session, here are the algorithms > being sent: > > debug2: KEX algorithms: ecdh-sha2-nistp256,ecdh-sha2-n > istp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha > 256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha > 512,diffie-hellman-group14-sha256,ext-info-c > > debug2: host key algorithms: ecdsa-sha2-nistp256-cert-...@openssh.com, > ecdsa-sha2-nistp384-cert-...@openssh.com,ecdsa- > sha2-nistp521-cert-...@openssh.com,ssh-ed25519-cert-...@openssh.com, > ssh-rsa-cert-...@openssh.com,ssh-dss-cert-...@openssh.com > ,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa- > sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss > > debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-c > tr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-...@lysator.liu.se > > debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-c > tr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-...@lysator.liu.se > > debug2: MACs ctos: hmac-sha1,hmac-sha2-256,hmac-sha2-512, > hmac-sha1-...@openssh.com,hmac-sha2-256-...@openssh.com, > hmac-sha2-512-...@openssh.com > > debug2: MACs stoc: hmac-sha1,hmac-sha2-256,hmac-sha2-512, > hmac-sha1-...@openssh.com,hmac-sha2-256-...@openssh.com, > hmac-sha2-512-...@openssh.com > > > > Jan 24 14:42:38 carts sshd[6890]: FIPS mode initialized > > Jan 24 14:42:38 carts sshd[6890]: Unable to negotiate with 172.26.170.72 > port 57948: no matching key exchange method found. Their offer: > diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 > [preauth] > > > > Looks like, to me, that Guacamole isn’t sending the proper algorithms or > ciphers in its SSH request. Not sure if the issue is in Guacamole itself > or in libssh2, which is 1.4.3 at the moment. > > > > > > The connection handshake for SSH connections (key exchange, ciphers, etc.) > is actually dictated internally by libssh2, so that much is out of > Guacamole's control. Checking the current libssh2 source, the key exchange > methods reported as rejected above are the only key exchange methods > supported by libssh2: > > > > https://github.com/libssh2/libssh2/blob/bcd492163b71608f8e46 > cdc864741d6c566ce9bc/src/kex.c#L1777-L1783 > > > > > > Correction: the version of libssh2 which you are using, 1.4.3, lacks > support for "diffie-hellman-group-exchange-sha256": > > > > https://github.com/libssh2/libssh2/blob/f1cfa55b6064ba18fc00 > 05713ed790da579361b5/src/kex.c#L939-L944 > > > > It was added via: > > > > https://github.com/libssh2/libssh2/commit/fc4a969a0512e226de > 9b821496d20b9ddf53b741 > > > > which is apparently part of their 1.7.0 and 1.8.0 releases. I have not > checked whether those version support the ciphers and MACs that your server > requires, but updating to 1.7.0 or 1.8.0 should get you further in the > process. What you're looking for is impossible to achieve with libssh2 > 1.4.3. > > > > - Mike > > >
