Thread: SSH tunnel key exchange methods

SSH tunnel key exchange methods

From

Sven

Date:

10 November 2015, 09:10:23

Hi

The key exchange methods offered when opening an SSH tunnel are all 
SHA1 and therefore too weak:

[sshd] fatal: Unable to negotiate with xxx.xxx.xxx.xxx: no matching 
key exchange method found. Their offer:
diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,
diffie-hellman-group1-sha1 [preauth]

Is it possible to update pgadmin for safer kexes? IMHO, at least
diffie-hellman-group-exchange-sha256 would be nice, better even
curve25519-sha256@libssh.org as well.

Thanks for considering this!

Re: SSH tunnel key exchange methods

From

Dave Page

Date:

10 November 2015, 10:11:11

Akshay;

Is this something that's fixable in our code, or do we need to update
libssh2, or...?

On Tue, Nov 10, 2015 at 8:39 AM, Sven <svoop_6cedifwf9e@delirium.ch> wrote:
> Hi
>
> The key exchange methods offered when opening an SSH tunnel are all
> SHA1 and therefore too weak:
>
> [sshd] fatal: Unable to negotiate with xxx.xxx.xxx.xxx: no matching
> key exchange method found. Their offer:
> diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,
> diffie-hellman-group1-sha1 [preauth]
>
> Is it possible to update pgadmin for safer kexes? IMHO, at least
> diffie-hellman-group-exchange-sha256 would be nice, better even
> curve25519-sha256@libssh.org as well.
>
> Thanks for considering this!
>
>
>
> --
> Sent via pgadmin-support mailing list (pgadmin-support@postgresql.org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgadmin-support



-- 
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

Re: SSH tunnel key exchange methods

From

Sven

Date:

27 November 2015, 09:24:16

> The key exchange methods offered when opening an SSH tunnel are all 
> SHA1 and therefore too weak:
>
> [sshd] fatal: Unable to negotiate with xxx.xxx.xxx.xxx: no matching 
> key exchange method found. Their offer:
> diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,
> diffie-hellman-group1-sha1 [preauth]

Any news on this? If there's no easy way to add safer kexes, I suggest 
you disable the SSH feature altogether. SHA1 is dead and IMO nobody 
should trust a connection established with SHA1 kexes in order to talk 
to databases.

Re: SSH tunnel key exchange methods

From

Dave Page

Date:

27 November 2015, 09:31:53

On Fri, Nov 27, 2015 at 9:23 AM, Sven <svoop_6cedifwf9e@delirium.ch> wrote:
>> The key exchange methods offered when opening an SSH tunnel are all
>> SHA1 and therefore too weak:
>>
>> [sshd] fatal: Unable to negotiate with xxx.xxx.xxx.xxx: no matching
>> key exchange method found. Their offer:
>> diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,
>> diffie-hellman-group1-sha1 [preauth]
>
> Any news on this? If there's no easy way to add safer kexes, I suggest
> you disable the SSH feature altogether. SHA1 is dead and IMO nobody
> should trust a connection established with SHA1 kexes in order to talk
> to databases.

Akshay, you know that code best of all. How do we enable safer kexes?

-- 
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

Re: SSH tunnel key exchange methods

From

Akshay Joshi

Date:

30 November 2015, 05:11:39

Hi Dave

On Fri, Nov 27, 2015 at 3:01 PM, Dave Page <dpage@pgadmin.org> wrote:

On Fri, Nov 27, 2015 at 9:23 AM, Sven <svoop_6cedifwf9e@delirium.ch> wrote:
>> The key exchange methods offered when opening an SSH tunnel are all
>> SHA1 and therefore too weak:
>>
>> [sshd] fatal: Unable to negotiate with xxx.xxx.xxx.xxx: no matching
>> key exchange method found. Their offer:
>> diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,
>> diffie-hellman-group1-sha1 [preauth]
>
> Any news on this? If there's no easy way to add safer kexes, I suggest
> you disable the SSH feature altogether. SHA1 is dead and IMO nobody
> should trust a connection established with SHA1 kexes in order to talk
> to databases.

Akshay, you know that code best of all. How do we enable safer kexes?

Today I'll look into it on priority and update accordingly.

--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

Akshay Joshi

Principal Software Engineer

Phone: +91 20-3058-9517
Mobile: +91 976-788-8246

Re: SSH tunnel key exchange methods

From

Akshay Joshi

Date:

30 November 2015, 12:57:54

Hi Dave

On Mon, Nov 30, 2015 at 10:41 AM, Akshay Joshi <akshay.joshi@enterprisedb.com> wrote:

Hi Dave

On Fri, Nov 27, 2015 at 3:01 PM, Dave Page <dpage@pgadmin.org> wrote:
On Fri, Nov 27, 2015 at 9:23 AM, Sven <svoop_6cedifwf9e@delirium.ch> wrote:
>> The key exchange methods offered when opening an SSH tunnel are all
>> SHA1 and therefore too weak:
>>
>> [sshd] fatal: Unable to negotiate with xxx.xxx.xxx.xxx: no matching
>> key exchange method found. Their offer:
>> diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,
>> diffie-hellman-group1-sha1 [preauth]
>
> Any news on this? If there's no easy way to add safer kexes, I suggest
> you disable the SSH feature altogether. SHA1 is dead and IMO nobody
> should trust a connection established with SHA1 kexes in order to talk
> to databases.

Akshay, you know that code best of all. How do we enable safer kexes?

Today I'll look into it on priority and update accordingly.

I have found that "diffie-hellman-group-exchange-sha256" support has been added to the libssh2 code on September 24, it's not released yet. Please check https://github.com/libssh2/libssh2/pull/48 . Today I have tried to update the libssh2, but facing some compilation issues which needs to be fixed. I am working on it and then check do we need to change our logic or libssh2 will automatically used "diffie-hellman-group-exchange-sha256".

--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

--
Akshay Joshi
Principal Software Engineer

Phone: +91 20-3058-9517
Mobile: +91 976-788-8246

Akshay Joshi

Principal Software Engineer

Phone: +91 20-3058-9517
Mobile: +91 976-788-8246

Re: SSH tunnel key exchange methods

From

Dave Page

Date:

30 November 2015, 13:08:47

Ok, thanks Akshay.

--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK:http://www.enterprisedb.com
The Enterprise PostgreSQL Company

On 30 Nov 2015, at 12:57, Akshay Joshi <akshay.joshi@enterprisedb.com> wrote:

Hi Dave

On Mon, Nov 30, 2015 at 10:41 AM, Akshay Joshi <akshay.joshi@enterprisedb.com> wrote:
Hi Dave

On Fri, Nov 27, 2015 at 3:01 PM, Dave Page <dpage@pgadmin.org> wrote:
On Fri, Nov 27, 2015 at 9:23 AM, Sven <svoop_6cedifwf9e@delirium.ch> wrote:
>> The key exchange methods offered when opening an SSH tunnel are all
>> SHA1 and therefore too weak:
>>
>> [sshd] fatal: Unable to negotiate with xxx.xxx.xxx.xxx: no matching
>> key exchange method found. Their offer:
>> diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,
>> diffie-hellman-group1-sha1 [preauth]
>
> Any news on this? If there's no easy way to add safer kexes, I suggest
> you disable the SSH feature altogether. SHA1 is dead and IMO nobody
> should trust a connection established with SHA1 kexes in order to talk
> to databases.

Akshay, you know that code best of all. How do we enable safer kexes?

Today I'll look into it on priority and update accordingly.

I have found that "diffie-hellman-group-exchange-sha256" support has been added to the libssh2 code on September 24, it's not released yet. Please check https://github.com/libssh2/libssh2/pull/48 . Today I have tried to update the libssh2, but facing some compilation issues which needs to be fixed. I am working on it and then check do we need to change our logic or libssh2 will automatically used "diffie-hellman-group-exchange-sha256".

--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

--
Akshay Joshi
Principal Software Engineer

Phone: +91 20-3058-9517
Mobile: +91 976-788-8246

--
Akshay Joshi
Principal Software Engineer

Phone: +91 20-3058-9517
Mobile: +91 976-788-8246

Re: SSH tunnel key exchange methods

From

Dave Page

Date:

02 December 2015, 09:50:49

On Wed, Dec 2, 2015 at 9:19 AM, Akshay Joshi <akshay.joshi@enterprisedb.com> wrote:

Hi Dave

I have updated the libssh2 library with the latest available code on their git repository. The new code used "diffie-hellman-group-exchange-sha256" algorithm for key exchange and they also fixed some memory leak. I have verified it by putting the breakpoint in the libssh2 code, so when we called "libssh2_session_init()" it will automatically call "static int diffie_hellman_sha256(...)" function, but I don't know exactly how to identify the key exchange method (sha1 or sha256) used by the latest libssh2 library.

I have tested the pgadmin3 after updating the libssh2 library on CentOS 6.5 (64 bit) and it works fine. I have also modified the code to add human readable error message returned by the library. Attached is the patch file. Can you please review it and if it looks good can you please commit the code.

I'm seeing the following build error on OS X 10.7:

depbase=`echo libssh2/agent.o | sed 's|[^/]*$|.deps/&|;s|\.o$||'`;\

ccache gcc -Qunused-arguments -DHAVE_CONFIG_H -I. -I.. -I../pgadmin/include/libssh2 -I../pgadmin/include -I../pgadmin/include/libssh2 -I/usr/local/pgsql-9.5/include -I/usr/local/pgsql-9.5/include/server -I/usr/local/pgsql-9.5/include -DPG_SSL -DHAVE_CONNINFO_PARSE -I/usr/local/lib/wx/include/mac-unicode-release-static-2.8 -I/usr/local/include/wx-2.8 -D_FILE_OFFSET_BITS=64 -D_LARGE_FILES -D__WXMAC__ -DEMBED_XRC -arch i386 -I/usr/include/libxml2 -I/opt/local/include/libxml2 -DHAVE_OPENSSL_CRYPTO -O2 -MT libssh2/agent.o -MD -MP -MF $depbase.Tpo -c -o libssh2/agent.o libssh2/agent.c &&\

mv -f $depbase.Tpo $depbase.Po

In file included from ../pgadmin/include/libssh2/libssh2_priv.h:136,

from libssh2/agent.c:41:

../pgadmin/include/libssh2/crypto.h:53: error: expected ‘)’ before ‘*’ token

../pgadmin/include/libssh2/crypto.h:69: error: expected ‘)’ before ‘*’ token

../pgadmin/include/libssh2/crypto.h:73: error: expected ‘)’ before ‘*’ token

../pgadmin/include/libssh2/crypto.h:78: error: expected declaration specifiers or ‘...’ before ‘libssh2_rsa_ctx’

../pgadmin/include/libssh2/crypto.h:83: error: expected ‘)’ before ‘*’ token

../pgadmin/include/libssh2/crypto.h:115: error: expected ‘)’ before ‘*’ token

../pgadmin/include/libssh2/crypto.h:120: error: expected ‘)’ before ‘*’ token

In file included from libssh2/agent.c:41:

../pgadmin/include/libssh2/libssh2_priv.h:240: error: ‘SHA256_DIGEST_LENGTH’ undeclared here (not in a function)

../pgadmin/include/libssh2/libssh2_priv.h:245: error: expected specifier-qualifier-list before ‘_libssh2_bn_ctx’

../pgadmin/include/libssh2/libssh2_priv.h:267: error: expected specifier-qualifier-list before ‘_libssh2_bn’

../pgadmin/include/libssh2/libssh2_priv.h:604: error: ‘SHA_DIGEST_LENGTH’ undeclared here (not in a function)

../pgadmin/include/libssh2/libssh2_priv.h:899: error: expected specifier-qualifier-list before ‘_libssh2_cipher_type’

libssh2/agent.c: In function ‘agent_connect_unix’:

libssh2/agent.c:150: warning: assignment makes pointer from integer without a cast

make[3]: *** [libssh2/agent.o] Error 1

make[2]: *** [all] Error 2

make[1]: *** [all-recursive] Error 1

make: *** [all] Error 2

Sven, how you have identified the key exchange algorithm used by libssh2, is there any way to identify using fingerprint or key??

On Mon, Nov 30, 2015 at 6:38 PM, Dave Page <dpage@pgadmin.org> wrote:
Ok, thanks Akshay.

--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK:http://www.enterprisedb.com
The Enterprise PostgreSQL Company

On 30 Nov 2015, at 12:57, Akshay Joshi <akshay.joshi@enterprisedb.com> wrote:

Hi Dave

On Mon, Nov 30, 2015 at 10:41 AM, Akshay Joshi <akshay.joshi@enterprisedb.com> wrote:
Hi Dave

On Fri, Nov 27, 2015 at 3:01 PM, Dave Page <dpage@pgadmin.org> wrote:
On Fri, Nov 27, 2015 at 9:23 AM, Sven <svoop_6cedifwf9e@delirium.ch> wrote:
>> The key exchange methods offered when opening an SSH tunnel are all
>> SHA1 and therefore too weak:
>>
>> [sshd] fatal: Unable to negotiate with xxx.xxx.xxx.xxx: no matching
>> key exchange method found. Their offer:
>> diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,
>> diffie-hellman-group1-sha1 [preauth]
>
> Any news on this? If there's no easy way to add safer kexes, I suggest
> you disable the SSH feature altogether. SHA1 is dead and IMO nobody
> should trust a connection established with SHA1 kexes in order to talk
> to databases.

Akshay, you know that code best of all. How do we enable safer kexes?

Today I'll look into it on priority and update accordingly.

I have found that "diffie-hellman-group-exchange-sha256" support has been added to the libssh2 code on September 24, it's not released yet. Please check https://github.com/libssh2/libssh2/pull/48 . Today I have tried to update the libssh2, but facing some compilation issues which needs to be fixed. I am working on it and then check do we need to change our logic or libssh2 will automatically used "diffie-hellman-group-exchange-sha256".

--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

--
Akshay Joshi
Principal Software Engineer

Phone: +91 20-3058-9517
Mobile: +91 976-788-8246

--
Akshay Joshi
Principal Software Engineer

Phone: +91 20-3058-9517
Mobile: +91 976-788-8246

--
Akshay Joshi
Principal Software Engineer

Phone: +91 20-3058-9517
Mobile: +91 976-788-8246

Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

Re: SSH tunnel key exchange methods

From

Akshay Joshi

Date:

02 December 2015, 09:58:00

On Wed, Dec 2, 2015 at 3:20 PM, Dave Page <dpage@pgadmin.org> wrote:

Hi

On Wed, Dec 2, 2015 at 9:19 AM, Akshay Joshi <akshay.joshi@enterprisedb.com> wrote:
Hi Dave

I have updated the libssh2 library with the latest available code on their git repository. The new code used "diffie-hellman-group-exchange-sha256" algorithm for key exchange and they also fixed some memory leak. I have verified it by putting the breakpoint in the libssh2 code, so when we called "libssh2_session_init()" it will automatically call "static int diffie_hellman_sha256(...)" function, but I don't know exactly how to identify the key exchange method (sha1 or sha256) used by the latest libssh2 library.

I have tested the pgadmin3 after updating the libssh2 library on CentOS 6.5 (64 bit) and it works fine. I have also modified the code to add human readable error message returned by the library. Attached is the patch file. Can you please review it and if it looks good can you please commit the code.

I'm seeing the following build error on OS X 10.7:

depbase=`echo libssh2/agent.o | sed 's|[^/]*$|.deps/&|;s|\.o$||'`;\
ccache gcc -Qunused-arguments -DHAVE_CONFIG_H -I. -I.. -I../pgadmin/include/libssh2 -I../pgadmin/include -I../pgadmin/include/libssh2 -I/usr/local/pgsql-9.5/include -I/usr/local/pgsql-9.5/include/server -I/usr/local/pgsql-9.5/include -DPG_SSL -DHAVE_CONNINFO_PARSE -I/usr/local/lib/wx/include/mac-unicode-release-static-2.8 -I/usr/local/include/wx-2.8 -D_FILE_OFFSET_BITS=64 -D_LARGE_FILES -D__WXMAC__ -DEMBED_XRC -arch i386 -I/usr/include/libxml2 -I/opt/local/include/libxml2 -DHAVE_OPENSSL_CRYPTO -O2 -MT libssh2/agent.o -MD -MP -MF $depbase.Tpo -c -o libssh2/agent.o libssh2/agent.c &&\
mv -f $depbase.Tpo $depbase.Po
In file included from ../pgadmin/include/libssh2/libssh2_priv.h:136,
from libssh2/agent.c:41:
../pgadmin/include/libssh2/crypto.h:53: error: expected ‘)’ before ‘*’ token
../pgadmin/include/libssh2/crypto.h:69: error: expected ‘)’ before ‘*’ token
../pgadmin/include/libssh2/crypto.h:73: error: expected ‘)’ before ‘*’ token
../pgadmin/include/libssh2/crypto.h:78: error: expected declaration specifiers or ‘...’ before ‘libssh2_rsa_ctx’
../pgadmin/include/libssh2/crypto.h:83: error: expected ‘)’ before ‘*’ token
../pgadmin/include/libssh2/crypto.h:115: error: expected ‘)’ before ‘*’ token
../pgadmin/include/libssh2/crypto.h:120: error: expected ‘)’ before ‘*’ token
In file included from libssh2/agent.c:41:
../pgadmin/include/libssh2/libssh2_priv.h:240: error: ‘SHA256_DIGEST_LENGTH’ undeclared here (not in a function)
../pgadmin/include/libssh2/libssh2_priv.h:245: error: expected specifier-qualifier-list before ‘_libssh2_bn_ctx’
../pgadmin/include/libssh2/libssh2_priv.h:267: error: expected specifier-qualifier-list before ‘_libssh2_bn’
../pgadmin/include/libssh2/libssh2_priv.h:604: error: ‘SHA_DIGEST_LENGTH’ undeclared here (not in a function)
../pgadmin/include/libssh2/libssh2_priv.h:899: error: expected specifier-qualifier-list before ‘_libssh2_cipher_type’
libssh2/agent.c: In function ‘agent_connect_unix’:
libssh2/agent.c:150: warning: assignment makes pointer from integer without a cast
make[3]: *** [libssh2/agent.o] Error 1
make[2]: *** [all] Error 2
make[1]: *** [all-recursive] Error 1
make: *** [all] Error 2

I have modified the configure.ac.in and added "-DLIBSSH2_OPENSSL" to solve the above. You need to run the configure command again.

Sven, how you have identified the key exchange algorithm used by libssh2, is there any way to identify using fingerprint or key??

On Mon, Nov 30, 2015 at 6:38 PM, Dave Page <dpage@pgadmin.org> wrote:
Ok, thanks Akshay.

--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK:http://www.enterprisedb.com
The Enterprise PostgreSQL Company

On 30 Nov 2015, at 12:57, Akshay Joshi <akshay.joshi@enterprisedb.com> wrote:

Hi Dave

On Mon, Nov 30, 2015 at 10:41 AM, Akshay Joshi <akshay.joshi@enterprisedb.com> wrote:
Hi Dave

On Fri, Nov 27, 2015 at 3:01 PM, Dave Page <dpage@pgadmin.org> wrote:
On Fri, Nov 27, 2015 at 9:23 AM, Sven <svoop_6cedifwf9e@delirium.ch> wrote:
>> The key exchange methods offered when opening an SSH tunnel are all
>> SHA1 and therefore too weak:
>>
>> [sshd] fatal: Unable to negotiate with xxx.xxx.xxx.xxx: no matching
>> key exchange method found. Their offer:
>> diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,
>> diffie-hellman-group1-sha1 [preauth]
>
> Any news on this? If there's no easy way to add safer kexes, I suggest
> you disable the SSH feature altogether. SHA1 is dead and IMO nobody
> should trust a connection established with SHA1 kexes in order to talk
> to databases.

Akshay, you know that code best of all. How do we enable safer kexes?

Today I'll look into it on priority and update accordingly.

I have found that "diffie-hellman-group-exchange-sha256" support has been added to the libssh2 code on September 24, it's not released yet. Please check https://github.com/libssh2/libssh2/pull/48 . Today I have tried to update the libssh2, but facing some compilation issues which needs to be fixed. I am working on it and then check do we need to change our logic or libssh2 will automatically used "diffie-hellman-group-exchange-sha256".

--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

--
Akshay Joshi
Principal Software Engineer

Phone: +91 20-3058-9517
Mobile: +91 976-788-8246

--
Akshay Joshi
Principal Software Engineer

Phone: +91 20-3058-9517
Mobile: +91 976-788-8246

--
Akshay Joshi
Principal Software Engineer

Phone: +91 20-3058-9517
Mobile: +91 976-788-8246

--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

Akshay Joshi

Principal Software Engineer

Phone: +91 20-3058-9517
Mobile: +91 976-788-8246

Re: SSH tunnel key exchange methods

From

Ashesh Vashi

Date:

02 December 2015, 09:59:49

On Wed, Dec 2, 2015 at 3:27 PM, Akshay Joshi <akshay.joshi@enterprisedb.com> wrote:

On Wed, Dec 2, 2015 at 3:20 PM, Dave Page <dpage@pgadmin.org> wrote:
Hi

On Wed, Dec 2, 2015 at 9:19 AM, Akshay Joshi <akshay.joshi@enterprisedb.com> wrote:
Hi Dave

I have updated the libssh2 library with the latest available code on their git repository. The new code used "diffie-hellman-group-exchange-sha256" algorithm for key exchange and they also fixed some memory leak. I have verified it by putting the breakpoint in the libssh2 code, so when we called "libssh2_session_init()" it will automatically call "static int diffie_hellman_sha256(...)" function, but I don't know exactly how to identify the key exchange method (sha1 or sha256) used by the latest libssh2 library.

I have tested the pgadmin3 after updating the libssh2 library on CentOS 6.5 (64 bit) and it works fine. I have also modified the code to add human readable error message returned by the library. Attached is the patch file. Can you please review it and if it looks good can you please commit the code.

I'm seeing the following build error on OS X 10.7:

depbase=`echo libssh2/agent.o | sed 's|[^/]*$|.deps/&|;s|\.o$||'`;\
ccache gcc -Qunused-arguments -DHAVE_CONFIG_H -I. -I.. -I../pgadmin/include/libssh2 -I../pgadmin/include -I../pgadmin/include/libssh2 -I/usr/local/pgsql-9.5/include -I/usr/local/pgsql-9.5/include/server -I/usr/local/pgsql-9.5/include -DPG_SSL -DHAVE_CONNINFO_PARSE -I/usr/local/lib/wx/include/mac-unicode-release-static-2.8 -I/usr/local/include/wx-2.8 -D_FILE_OFFSET_BITS=64 -D_LARGE_FILES -D__WXMAC__ -DEMBED_XRC -arch i386 -I/usr/include/libxml2 -I/opt/local/include/libxml2 -DHAVE_OPENSSL_CRYPTO -O2 -MT libssh2/agent.o -MD -MP -MF $depbase.Tpo -c -o libssh2/agent.o libssh2/agent.c &&\
mv -f $depbase.Tpo $depbase.Po
In file included from ../pgadmin/include/libssh2/libssh2_priv.h:136,
from libssh2/agent.c:41:
../pgadmin/include/libssh2/crypto.h:53: error: expected ‘)’ before ‘*’ token
../pgadmin/include/libssh2/crypto.h:69: error: expected ‘)’ before ‘*’ token
../pgadmin/include/libssh2/crypto.h:73: error: expected ‘)’ before ‘*’ token
../pgadmin/include/libssh2/crypto.h:78: error: expected declaration specifiers or ‘...’ before ‘libssh2_rsa_ctx’
../pgadmin/include/libssh2/crypto.h:83: error: expected ‘)’ before ‘*’ token
../pgadmin/include/libssh2/crypto.h:115: error: expected ‘)’ before ‘*’ token
../pgadmin/include/libssh2/crypto.h:120: error: expected ‘)’ before ‘*’ token
In file included from libssh2/agent.c:41:
../pgadmin/include/libssh2/libssh2_priv.h:240: error: ‘SHA256_DIGEST_LENGTH’ undeclared here (not in a function)
../pgadmin/include/libssh2/libssh2_priv.h:245: error: expected specifier-qualifier-list before ‘_libssh2_bn_ctx’
../pgadmin/include/libssh2/libssh2_priv.h:267: error: expected specifier-qualifier-list before ‘_libssh2_bn’
../pgadmin/include/libssh2/libssh2_priv.h:604: error: ‘SHA_DIGEST_LENGTH’ undeclared here (not in a function)
../pgadmin/include/libssh2/libssh2_priv.h:899: error: expected specifier-qualifier-list before ‘_libssh2_cipher_type’
libssh2/agent.c: In function ‘agent_connect_unix’:
libssh2/agent.c:150: warning: assignment makes pointer from integer without a cast
make[3]: *** [libssh2/agent.o] Error 1
make[2]: *** [all] Error 2
make[1]: *** [all-recursive] Error 1
make: *** [all] Error 2

I have modified the configure.ac.in and added "-DLIBSSH2_OPENSSL" to solve the above. You need to run the configure command again.

You also needs to rerun the bootstrap script.

Thanks & Regards,

Ashesh Vashi
EnterpriseDB INDIA: Enterprise PostgreSQL Company

http://www.linkedin.com/in/asheshvashi

Sven, how you have identified the key exchange algorithm used by libssh2, is there any way to identify using fingerprint or key??

On Mon, Nov 30, 2015 at 6:38 PM, Dave Page <dpage@pgadmin.org> wrote:
Ok, thanks Akshay.

--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK:http://www.enterprisedb.com
The Enterprise PostgreSQL Company

On 30 Nov 2015, at 12:57, Akshay Joshi <akshay.joshi@enterprisedb.com> wrote:

Hi Dave

On Mon, Nov 30, 2015 at 10:41 AM, Akshay Joshi <akshay.joshi@enterprisedb.com> wrote:
Hi Dave

On Fri, Nov 27, 2015 at 3:01 PM, Dave Page <dpage@pgadmin.org> wrote:
On Fri, Nov 27, 2015 at 9:23 AM, Sven <svoop_6cedifwf9e@delirium.ch> wrote:
>> The key exchange methods offered when opening an SSH tunnel are all
>> SHA1 and therefore too weak:
>>
>> [sshd] fatal: Unable to negotiate with xxx.xxx.xxx.xxx: no matching
>> key exchange method found. Their offer:
>> diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,
>> diffie-hellman-group1-sha1 [preauth]
>
> Any news on this? If there's no easy way to add safer kexes, I suggest
> you disable the SSH feature altogether. SHA1 is dead and IMO nobody
> should trust a connection established with SHA1 kexes in order to talk
> to databases.

Akshay, you know that code best of all. How do we enable safer kexes?

Today I'll look into it on priority and update accordingly.

I have found that "diffie-hellman-group-exchange-sha256" support has been added to the libssh2 code on September 24, it's not released yet. Please check https://github.com/libssh2/libssh2/pull/48 . Today I have tried to update the libssh2, but facing some compilation issues which needs to be fixed. I am working on it and then check do we need to change our logic or libssh2 will automatically used "diffie-hellman-group-exchange-sha256".

--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

--
Akshay Joshi
Principal Software Engineer

Phone: +91 20-3058-9517
Mobile: +91 976-788-8246

--
Akshay Joshi
Principal Software Engineer

Phone: +91 20-3058-9517
Mobile: +91 976-788-8246

--
Akshay Joshi
Principal Software Engineer

Phone: +91 20-3058-9517
Mobile: +91 976-788-8246

--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

--
Akshay Joshi
Principal Software Engineer

Phone: +91 20-3058-9517
Mobile: +91 976-788-8246

Re: SSH tunnel key exchange methods

From

Dave Page

Date:

02 December 2015, 13:04:22

On Wed, Dec 2, 2015 at 9:59 AM, Ashesh Vashi <ashesh.vashi@enterprisedb.com> wrote:

On Wed, Dec 2, 2015 at 3:27 PM, Akshay Joshi <akshay.joshi@enterprisedb.com> wrote:

On Wed, Dec 2, 2015 at 3:20 PM, Dave Page <dpage@pgadmin.org> wrote:
Hi

On Wed, Dec 2, 2015 at 9:19 AM, Akshay Joshi <akshay.joshi@enterprisedb.com> wrote:
Hi Dave

I have updated the libssh2 library with the latest available code on their git repository. The new code used "diffie-hellman-group-exchange-sha256" algorithm for key exchange and they also fixed some memory leak. I have verified it by putting the breakpoint in the libssh2 code, so when we called "libssh2_session_init()" it will automatically call "static int diffie_hellman_sha256(...)" function, but I don't know exactly how to identify the key exchange method (sha1 or sha256) used by the latest libssh2 library.

I have tested the pgadmin3 after updating the libssh2 library on CentOS 6.5 (64 bit) and it works fine. I have also modified the code to add human readable error message returned by the library. Attached is the patch file. Can you please review it and if it looks good can you please commit the code.

I'm seeing the following build error on OS X 10.7:

depbase=`echo libssh2/agent.o | sed 's|[^/]*$|.deps/&|;s|\.o$||'`;\
ccache gcc -Qunused-arguments -DHAVE_CONFIG_H -I. -I.. -I../pgadmin/include/libssh2 -I../pgadmin/include -I../pgadmin/include/libssh2 -I/usr/local/pgsql-9.5/include -I/usr/local/pgsql-9.5/include/server -I/usr/local/pgsql-9.5/include -DPG_SSL -DHAVE_CONNINFO_PARSE -I/usr/local/lib/wx/include/mac-unicode-release-static-2.8 -I/usr/local/include/wx-2.8 -D_FILE_OFFSET_BITS=64 -D_LARGE_FILES -D__WXMAC__ -DEMBED_XRC -arch i386 -I/usr/include/libxml2 -I/opt/local/include/libxml2 -DHAVE_OPENSSL_CRYPTO -O2 -MT libssh2/agent.o -MD -MP -MF $depbase.Tpo -c -o libssh2/agent.o libssh2/agent.c &&\
mv -f $depbase.Tpo $depbase.Po
In file included from ../pgadmin/include/libssh2/libssh2_priv.h:136,
from libssh2/agent.c:41:
../pgadmin/include/libssh2/crypto.h:53: error: expected ‘)’ before ‘*’ token
../pgadmin/include/libssh2/crypto.h:69: error: expected ‘)’ before ‘*’ token
../pgadmin/include/libssh2/crypto.h:73: error: expected ‘)’ before ‘*’ token
../pgadmin/include/libssh2/crypto.h:78: error: expected declaration specifiers or ‘...’ before ‘libssh2_rsa_ctx’
../pgadmin/include/libssh2/crypto.h:83: error: expected ‘)’ before ‘*’ token
../pgadmin/include/libssh2/crypto.h:115: error: expected ‘)’ before ‘*’ token
../pgadmin/include/libssh2/crypto.h:120: error: expected ‘)’ before ‘*’ token
In file included from libssh2/agent.c:41:
../pgadmin/include/libssh2/libssh2_priv.h:240: error: ‘SHA256_DIGEST_LENGTH’ undeclared here (not in a function)
../pgadmin/include/libssh2/libssh2_priv.h:245: error: expected specifier-qualifier-list before ‘_libssh2_bn_ctx’
../pgadmin/include/libssh2/libssh2_priv.h:267: error: expected specifier-qualifier-list before ‘_libssh2_bn’
../pgadmin/include/libssh2/libssh2_priv.h:604: error: ‘SHA_DIGEST_LENGTH’ undeclared here (not in a function)
../pgadmin/include/libssh2/libssh2_priv.h:899: error: expected specifier-qualifier-list before ‘_libssh2_cipher_type’
libssh2/agent.c: In function ‘agent_connect_unix’:
libssh2/agent.c:150: warning: assignment makes pointer from integer without a cast
make[3]: *** [libssh2/agent.o] Error 1
make[2]: *** [all] Error 2
make[1]: *** [all-recursive] Error 1
make: *** [all] Error 2

I have modified the configure.ac.in and added "-DLIBSSH2_OPENSSL" to solve the above. You need to run the configure command again.
You also needs to rerun the bootstrap script.

OK, it works for me on Windows and OSX. Ashesh, can you give it a review/commit please?

Thanks.

Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

Re: SSH tunnel key exchange methods

From

Ashesh Vashi

Date:

02 December 2015, 13:06:26

On Wed, Dec 2, 2015 at 6:34 PM, Dave Page <dpage@pgadmin.org> wrote:

On Wed, Dec 2, 2015 at 9:59 AM, Ashesh Vashi <ashesh.vashi@enterprisedb.com> wrote:

On Wed, Dec 2, 2015 at 3:27 PM, Akshay Joshi <akshay.joshi@enterprisedb.com> wrote:

On Wed, Dec 2, 2015 at 3:20 PM, Dave Page <dpage@pgadmin.org> wrote:
Hi

On Wed, Dec 2, 2015 at 9:19 AM, Akshay Joshi <akshay.joshi@enterprisedb.com> wrote:
Hi Dave

I have updated the libssh2 library with the latest available code on their git repository. The new code used "diffie-hellman-group-exchange-sha256" algorithm for key exchange and they also fixed some memory leak. I have verified it by putting the breakpoint in the libssh2 code, so when we called "libssh2_session_init()" it will automatically call "static int diffie_hellman_sha256(...)" function, but I don't know exactly how to identify the key exchange method (sha1 or sha256) used by the latest libssh2 library.

I have tested the pgadmin3 after updating the libssh2 library on CentOS 6.5 (64 bit) and it works fine. I have also modified the code to add human readable error message returned by the library. Attached is the patch file. Can you please review it and if it looks good can you please commit the code.

I'm seeing the following build error on OS X 10.7:

depbase=`echo libssh2/agent.o | sed 's|[^/]*$|.deps/&|;s|\.o$||'`;\
ccache gcc -Qunused-arguments -DHAVE_CONFIG_H -I. -I.. -I../pgadmin/include/libssh2 -I../pgadmin/include -I../pgadmin/include/libssh2 -I/usr/local/pgsql-9.5/include -I/usr/local/pgsql-9.5/include/server -I/usr/local/pgsql-9.5/include -DPG_SSL -DHAVE_CONNINFO_PARSE -I/usr/local/lib/wx/include/mac-unicode-release-static-2.8 -I/usr/local/include/wx-2.8 -D_FILE_OFFSET_BITS=64 -D_LARGE_FILES -D__WXMAC__ -DEMBED_XRC -arch i386 -I/usr/include/libxml2 -I/opt/local/include/libxml2 -DHAVE_OPENSSL_CRYPTO -O2 -MT libssh2/agent.o -MD -MP -MF $depbase.Tpo -c -o libssh2/agent.o libssh2/agent.c &&\
mv -f $depbase.Tpo $depbase.Po
In file included from ../pgadmin/include/libssh2/libssh2_priv.h:136,
from libssh2/agent.c:41:
../pgadmin/include/libssh2/crypto.h:53: error: expected ‘)’ before ‘*’ token
../pgadmin/include/libssh2/crypto.h:69: error: expected ‘)’ before ‘*’ token
../pgadmin/include/libssh2/crypto.h:73: error: expected ‘)’ before ‘*’ token
../pgadmin/include/libssh2/crypto.h:78: error: expected declaration specifiers or ‘...’ before ‘libssh2_rsa_ctx’
../pgadmin/include/libssh2/crypto.h:83: error: expected ‘)’ before ‘*’ token
../pgadmin/include/libssh2/crypto.h:115: error: expected ‘)’ before ‘*’ token
../pgadmin/include/libssh2/crypto.h:120: error: expected ‘)’ before ‘*’ token
In file included from libssh2/agent.c:41:
../pgadmin/include/libssh2/libssh2_priv.h:240: error: ‘SHA256_DIGEST_LENGTH’ undeclared here (not in a function)
../pgadmin/include/libssh2/libssh2_priv.h:245: error: expected specifier-qualifier-list before ‘_libssh2_bn_ctx’
../pgadmin/include/libssh2/libssh2_priv.h:267: error: expected specifier-qualifier-list before ‘_libssh2_bn’
../pgadmin/include/libssh2/libssh2_priv.h:604: error: ‘SHA_DIGEST_LENGTH’ undeclared here (not in a function)
../pgadmin/include/libssh2/libssh2_priv.h:899: error: expected specifier-qualifier-list before ‘_libssh2_cipher_type’
libssh2/agent.c: In function ‘agent_connect_unix’:
libssh2/agent.c:150: warning: assignment makes pointer from integer without a cast
make[3]: *** [libssh2/agent.o] Error 1
make[2]: *** [all] Error 2
make[1]: *** [all-recursive] Error 1
make: *** [all] Error 2

I have modified the configure.ac.in and added "-DLIBSSH2_OPENSSL" to solve the above. You need to run the configure command again.
You also needs to rerun the bootstrap script.

OK, it works for me on Windows and OSX. Ashesh, can you give it a review/commit please?

I think - it has been merged with the development version of libssh2.

Akshay - can you please mention the commit-id and repository url from which it has been merged with.

Thanks & Regards,

Ashesh Vashi
EnterpriseDB INDIA: Enterprise PostgreSQL Company

http://www.linkedin.com/in/asheshvashi

Thanks.

--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

Re: SSH tunnel key exchange methods

From

Akshay Joshi

Date:

02 December 2015, 13:22:17

On Wed, Dec 2, 2015 at 6:35 PM, Ashesh Vashi <ashesh.vashi@enterprisedb.com> wrote:

On Wed, Dec 2, 2015 at 6:34 PM, Dave Page <dpage@pgadmin.org> wrote:

On Wed, Dec 2, 2015 at 9:59 AM, Ashesh Vashi <ashesh.vashi@enterprisedb.com> wrote:

On Wed, Dec 2, 2015 at 3:27 PM, Akshay Joshi <akshay.joshi@enterprisedb.com> wrote:

On Wed, Dec 2, 2015 at 3:20 PM, Dave Page <dpage@pgadmin.org> wrote:
Hi

On Wed, Dec 2, 2015 at 9:19 AM, Akshay Joshi <akshay.joshi@enterprisedb.com> wrote:
Hi Dave

I have updated the libssh2 library with the latest available code on their git repository. The new code used "diffie-hellman-group-exchange-sha256" algorithm for key exchange and they also fixed some memory leak. I have verified it by putting the breakpoint in the libssh2 code, so when we called "libssh2_session_init()" it will automatically call "static int diffie_hellman_sha256(...)" function, but I don't know exactly how to identify the key exchange method (sha1 or sha256) used by the latest libssh2 library.

I have tested the pgadmin3 after updating the libssh2 library on CentOS 6.5 (64 bit) and it works fine. I have also modified the code to add human readable error message returned by the library. Attached is the patch file. Can you please review it and if it looks good can you please commit the code.

I'm seeing the following build error on OS X 10.7:

depbase=`echo libssh2/agent.o | sed 's|[^/]*$|.deps/&|;s|\.o$||'`;\
ccache gcc -Qunused-arguments -DHAVE_CONFIG_H -I. -I.. -I../pgadmin/include/libssh2 -I../pgadmin/include -I../pgadmin/include/libssh2 -I/usr/local/pgsql-9.5/include -I/usr/local/pgsql-9.5/include/server -I/usr/local/pgsql-9.5/include -DPG_SSL -DHAVE_CONNINFO_PARSE -I/usr/local/lib/wx/include/mac-unicode-release-static-2.8 -I/usr/local/include/wx-2.8 -D_FILE_OFFSET_BITS=64 -D_LARGE_FILES -D__WXMAC__ -DEMBED_XRC -arch i386 -I/usr/include/libxml2 -I/opt/local/include/libxml2 -DHAVE_OPENSSL_CRYPTO -O2 -MT libssh2/agent.o -MD -MP -MF $depbase.Tpo -c -o libssh2/agent.o libssh2/agent.c &&\
mv -f $depbase.Tpo $depbase.Po
In file included from ../pgadmin/include/libssh2/libssh2_priv.h:136,
from libssh2/agent.c:41:
../pgadmin/include/libssh2/crypto.h:53: error: expected ‘)’ before ‘*’ token
../pgadmin/include/libssh2/crypto.h:69: error: expected ‘)’ before ‘*’ token
../pgadmin/include/libssh2/crypto.h:73: error: expected ‘)’ before ‘*’ token
../pgadmin/include/libssh2/crypto.h:78: error: expected declaration specifiers or ‘...’ before ‘libssh2_rsa_ctx’
../pgadmin/include/libssh2/crypto.h:83: error: expected ‘)’ before ‘*’ token
../pgadmin/include/libssh2/crypto.h:115: error: expected ‘)’ before ‘*’ token
../pgadmin/include/libssh2/crypto.h:120: error: expected ‘)’ before ‘*’ token
In file included from libssh2/agent.c:41:
../pgadmin/include/libssh2/libssh2_priv.h:240: error: ‘SHA256_DIGEST_LENGTH’ undeclared here (not in a function)
../pgadmin/include/libssh2/libssh2_priv.h:245: error: expected specifier-qualifier-list before ‘_libssh2_bn_ctx’
../pgadmin/include/libssh2/libssh2_priv.h:267: error: expected specifier-qualifier-list before ‘_libssh2_bn’
../pgadmin/include/libssh2/libssh2_priv.h:604: error: ‘SHA_DIGEST_LENGTH’ undeclared here (not in a function)
../pgadmin/include/libssh2/libssh2_priv.h:899: error: expected specifier-qualifier-list before ‘_libssh2_cipher_type’
libssh2/agent.c: In function ‘agent_connect_unix’:
libssh2/agent.c:150: warning: assignment makes pointer from integer without a cast
make[3]: *** [libssh2/agent.o] Error 1
make[2]: *** [all] Error 2
make[1]: *** [all-recursive] Error 1
make: *** [all] Error 2

I have modified the configure.ac.in and added "-DLIBSSH2_OPENSSL" to solve the above. You need to run the configure command again.
You also needs to rerun the bootstrap script.

OK, it works for me on Windows and OSX. Ashesh, can you give it a review/commit please?
I think - it has been merged with the development version of libssh2.
Akshay - can you please mention the commit-id and repository url from which it has been merged with.

git@github.com:libssh2/libssh2.git

commit 51dcded3ebd6bde7d6fd847ed6461da4a4522506

--
Thanks & Regards,

Ashesh Vashi
EnterpriseDB INDIA: Enterprise PostgreSQL Company

http://www.linkedin.com/in/asheshvashi

Thanks.

--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

Akshay Joshi

Principal Software Engineer

Phone: +91 20-3058-9517
Mobile: +91 976-788-8246

SSH tunnel key exchange methods

From

Adam Pearson

Date:

02 December 2015, 13:58:08

<div class="WordSection1"><p class="MsoNormal"><span lang="EN-US"
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Helloall,</span><p class="MsoNormal"><span lang="EN-US"
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">               I’ve encountered an interesting issue with
PGAdminIII and usage of the dblink_connect_u function.</span><p class="MsoNormal"><span lang="EN-US"
style="font-size:11.0pt;font-family:"Calibri","sans-serif""> </span><pclass="MsoNormal"><span lang="EN-US"
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">WhenI run the SQL first time around it works, query returns
resultsfine, second time around it fails with the below error message.</span><p class="MsoNormal"><span lang="EN-US"
style="font-size:11.0pt;font-family:"Calibri","sans-serif""> </span><pclass="MsoNormal"><span lang="EN-US"
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Theconnection to the database looks like this, with a
normalselect into a temp table.</span><p class="MsoNormal"><span lang="EN-US"
style="font-size:11.0pt;font-family:"Calibri","sans-serif""> </span><pclass="MsoNormal"><span lang="EN-US"
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">SELECTdblink_connect_u('user_database',
'dbname=user_database_goes_here');</span><pclass="MsoNormal"><span lang="EN-US"
style="font-size:11.0pt;font-family:"Calibri","sans-serif""> </span><pclass="MsoNormal"><span lang="EN-US"
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">--normalselect statement here into temp table</span><p
class="MsoNormal"><spanlang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif""> </span><p
class="MsoNormal"><spanlang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif"">SELECT
dblink_disconnect('user_database');</span><pclass="MsoNormal"><span lang="EN-US"
style="font-size:11.0pt;font-family:"Calibri","sans-serif""> </span><pclass="MsoNormal"><span lang="EN-US"
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">IfI close down this SQL window, and open up another one on
thesame database the entire query works fine first time around, then fails on the second time.  I still have connection
tothe database since can query the other tables in the actual DB I’m connected to.</span><p class="MsoNormal"><span
lang="EN-US"style="font-size:11.0pt;font-family:"Calibri","sans-serif""> </span><p class="MsoNormal"><span lang="EN-US"
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Anyideas?</span><p class="MsoNormal"><span lang="EN-US"
style="font-size:11.0pt;font-family:"Calibri","sans-serif""> </span><pclass="MsoNormal"><span lang="EN-US"
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Thanks,</span><pclass="MsoNormal"><span lang="EN-US"
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">AdamPearson</span><p class="MsoNormal"><span lang="EN-US"
style="font-size:11.0pt;font-family:"Calibri","sans-serif""> </span><pclass="MsoNormal"><span lang="EN-US"
style="font-size:11.0pt;font-family:"Calibri","sans-serif""> </span><pclass="MsoNormal"><span lang="EN-US"
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">ERROR: function dblink_disconnect(unknown) does not
exist</span><pclass="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif"">LINE 1:
SELECTdblink_disconnect('vivus_es');</span><p class="MsoNormal"><span lang="EN-US"
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">              ^</span><p class="MsoNormal"><span
lang="EN-US"style="font-size:11.0pt;font-family:"Calibri","sans-serif"">HINT:  No function matches the given name and
argumenttypes. You might need to add explicit type casts.</span><p class="MsoNormal"><span lang="EN-US"
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">**********Error **********</span><p class="MsoNormal"><span
lang="EN-US"style="font-size:11.0pt;font-family:"Calibri","sans-serif""> </span><p class="MsoNormal"><span lang="EN-US"
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">ERROR:function dblink_disconnect(unknown) does not
exist</span><pclass="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif"">SQL
state:42883</span><p class="MsoNormal"><span lang="EN-US"
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Hint:No function matches the given name and argument types.
Youmight need to add explicit type casts.</span><p class="MsoNormal"><span lang="EN-US"
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Character:8</span></div>

Re: SSH tunnel key exchange methods

From

svoop_6cedifwf9e@delirium.ch

Date:

02 December 2015, 17:16:32

> Sven, how you have identified the key exchange algorithm used by libssh2, is there any way to identify using
fingerprintor key?? 

I'm looking at what sshd logs on the server end. Or you start sshd with the "-d" argument which logs to stdout and
preventssshd from being backgrounded. 

You could also harden sshd by adding the following to sshd_config (don't forget to restart the deamon afterwards):

KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs
hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com

Since SHA1 is not listed as KexAlgorithms, if the connection is still possible, the client must have used SHA256.

Cheers, -sven

Re: SSH tunnel key exchange methods

From

Ashesh Vashi

Date:

08 December 2015, 13:05:52

Dave,

Patch looks good to me.

But - Should we consider this as a bug fix, and commit it for 1.22.0 release?

Thanks & Regards,

Ashesh Vashi
EnterpriseDB INDIA: Enterprise PostgreSQL Company

http://www.linkedin.com/in/asheshvashi

On Wed, Dec 2, 2015 at 6:34 PM, Dave Page <dpage@pgadmin.org> wrote:

On Wed, Dec 2, 2015 at 9:59 AM, Ashesh Vashi <ashesh.vashi@enterprisedb.com> wrote:

On Wed, Dec 2, 2015 at 3:27 PM, Akshay Joshi <akshay.joshi@enterprisedb.com> wrote:

On Wed, Dec 2, 2015 at 3:20 PM, Dave Page <dpage@pgadmin.org> wrote:
Hi

On Wed, Dec 2, 2015 at 9:19 AM, Akshay Joshi <akshay.joshi@enterprisedb.com> wrote:
Hi Dave

I have updated the libssh2 library with the latest available code on their git repository. The new code used "diffie-hellman-group-exchange-sha256" algorithm for key exchange and they also fixed some memory leak. I have verified it by putting the breakpoint in the libssh2 code, so when we called "libssh2_session_init()" it will automatically call "static int diffie_hellman_sha256(...)" function, but I don't know exactly how to identify the key exchange method (sha1 or sha256) used by the latest libssh2 library.

I have tested the pgadmin3 after updating the libssh2 library on CentOS 6.5 (64 bit) and it works fine. I have also modified the code to add human readable error message returned by the library. Attached is the patch file. Can you please review it and if it looks good can you please commit the code.

I'm seeing the following build error on OS X 10.7:

depbase=`echo libssh2/agent.o | sed 's|[^/]*$|.deps/&|;s|\.o$||'`;\
ccache gcc -Qunused-arguments -DHAVE_CONFIG_H -I. -I.. -I../pgadmin/include/libssh2 -I../pgadmin/include -I../pgadmin/include/libssh2 -I/usr/local/pgsql-9.5/include -I/usr/local/pgsql-9.5/include/server -I/usr/local/pgsql-9.5/include -DPG_SSL -DHAVE_CONNINFO_PARSE -I/usr/local/lib/wx/include/mac-unicode-release-static-2.8 -I/usr/local/include/wx-2.8 -D_FILE_OFFSET_BITS=64 -D_LARGE_FILES -D__WXMAC__ -DEMBED_XRC -arch i386 -I/usr/include/libxml2 -I/opt/local/include/libxml2 -DHAVE_OPENSSL_CRYPTO -O2 -MT libssh2/agent.o -MD -MP -MF $depbase.Tpo -c -o libssh2/agent.o libssh2/agent.c &&\
mv -f $depbase.Tpo $depbase.Po
In file included from ../pgadmin/include/libssh2/libssh2_priv.h:136,
from libssh2/agent.c:41:
../pgadmin/include/libssh2/crypto.h:53: error: expected ‘)’ before ‘*’ token
../pgadmin/include/libssh2/crypto.h:69: error: expected ‘)’ before ‘*’ token
../pgadmin/include/libssh2/crypto.h:73: error: expected ‘)’ before ‘*’ token
../pgadmin/include/libssh2/crypto.h:78: error: expected declaration specifiers or ‘...’ before ‘libssh2_rsa_ctx’
../pgadmin/include/libssh2/crypto.h:83: error: expected ‘)’ before ‘*’ token
../pgadmin/include/libssh2/crypto.h:115: error: expected ‘)’ before ‘*’ token
../pgadmin/include/libssh2/crypto.h:120: error: expected ‘)’ before ‘*’ token
In file included from libssh2/agent.c:41:
../pgadmin/include/libssh2/libssh2_priv.h:240: error: ‘SHA256_DIGEST_LENGTH’ undeclared here (not in a function)
../pgadmin/include/libssh2/libssh2_priv.h:245: error: expected specifier-qualifier-list before ‘_libssh2_bn_ctx’
../pgadmin/include/libssh2/libssh2_priv.h:267: error: expected specifier-qualifier-list before ‘_libssh2_bn’
../pgadmin/include/libssh2/libssh2_priv.h:604: error: ‘SHA_DIGEST_LENGTH’ undeclared here (not in a function)
../pgadmin/include/libssh2/libssh2_priv.h:899: error: expected specifier-qualifier-list before ‘_libssh2_cipher_type’
libssh2/agent.c: In function ‘agent_connect_unix’:
libssh2/agent.c:150: warning: assignment makes pointer from integer without a cast
make[3]: *** [libssh2/agent.o] Error 1
make[2]: *** [all] Error 2
make[1]: *** [all-recursive] Error 1
make: *** [all] Error 2

I have modified the configure.ac.in and added "-DLIBSSH2_OPENSSL" to solve the above. You need to run the configure command again.
You also needs to rerun the bootstrap script.

OK, it works for me on Windows and OSX. Ashesh, can you give it a review/commit please?

Thanks.

--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

Re: SSH tunnel key exchange methods

From

Dave Page

Date:

08 December 2015, 13:06:57

Yes, I think so.

On Tue, Dec 8, 2015 at 1:05 PM, Ashesh Vashi <ashesh.vashi@enterprisedb.com> wrote:

Dave,

Patch looks good to me.
But - Should we consider this as a bug fix, and commit it for 1.22.0 release?

--
Thanks & Regards,

Ashesh Vashi
EnterpriseDB INDIA: Enterprise PostgreSQL Company

http://www.linkedin.com/in/asheshvashi

On Wed, Dec 2, 2015 at 6:34 PM, Dave Page <dpage@pgadmin.org> wrote:

On Wed, Dec 2, 2015 at 9:59 AM, Ashesh Vashi <ashesh.vashi@enterprisedb.com> wrote:

On Wed, Dec 2, 2015 at 3:27 PM, Akshay Joshi <akshay.joshi@enterprisedb.com> wrote:

On Wed, Dec 2, 2015 at 3:20 PM, Dave Page <dpage@pgadmin.org> wrote:
Hi

On Wed, Dec 2, 2015 at 9:19 AM, Akshay Joshi <akshay.joshi@enterprisedb.com> wrote:
Hi Dave

I have updated the libssh2 library with the latest available code on their git repository. The new code used "diffie-hellman-group-exchange-sha256" algorithm for key exchange and they also fixed some memory leak. I have verified it by putting the breakpoint in the libssh2 code, so when we called "libssh2_session_init()" it will automatically call "static int diffie_hellman_sha256(...)" function, but I don't know exactly how to identify the key exchange method (sha1 or sha256) used by the latest libssh2 library.

I have tested the pgadmin3 after updating the libssh2 library on CentOS 6.5 (64 bit) and it works fine. I have also modified the code to add human readable error message returned by the library. Attached is the patch file. Can you please review it and if it looks good can you please commit the code.

I'm seeing the following build error on OS X 10.7:

depbase=`echo libssh2/agent.o | sed 's|[^/]*$|.deps/&|;s|\.o$||'`;\
ccache gcc -Qunused-arguments -DHAVE_CONFIG_H -I. -I.. -I../pgadmin/include/libssh2 -I../pgadmin/include -I../pgadmin/include/libssh2 -I/usr/local/pgsql-9.5/include -I/usr/local/pgsql-9.5/include/server -I/usr/local/pgsql-9.5/include -DPG_SSL -DHAVE_CONNINFO_PARSE -I/usr/local/lib/wx/include/mac-unicode-release-static-2.8 -I/usr/local/include/wx-2.8 -D_FILE_OFFSET_BITS=64 -D_LARGE_FILES -D__WXMAC__ -DEMBED_XRC -arch i386 -I/usr/include/libxml2 -I/opt/local/include/libxml2 -DHAVE_OPENSSL_CRYPTO -O2 -MT libssh2/agent.o -MD -MP -MF $depbase.Tpo -c -o libssh2/agent.o libssh2/agent.c &&\
mv -f $depbase.Tpo $depbase.Po
In file included from ../pgadmin/include/libssh2/libssh2_priv.h:136,
from libssh2/agent.c:41:
../pgadmin/include/libssh2/crypto.h:53: error: expected ‘)’ before ‘*’ token
../pgadmin/include/libssh2/crypto.h:69: error: expected ‘)’ before ‘*’ token
../pgadmin/include/libssh2/crypto.h:73: error: expected ‘)’ before ‘*’ token
../pgadmin/include/libssh2/crypto.h:78: error: expected declaration specifiers or ‘...’ before ‘libssh2_rsa_ctx’
../pgadmin/include/libssh2/crypto.h:83: error: expected ‘)’ before ‘*’ token
../pgadmin/include/libssh2/crypto.h:115: error: expected ‘)’ before ‘*’ token
../pgadmin/include/libssh2/crypto.h:120: error: expected ‘)’ before ‘*’ token
In file included from libssh2/agent.c:41:
../pgadmin/include/libssh2/libssh2_priv.h:240: error: ‘SHA256_DIGEST_LENGTH’ undeclared here (not in a function)
../pgadmin/include/libssh2/libssh2_priv.h:245: error: expected specifier-qualifier-list before ‘_libssh2_bn_ctx’
../pgadmin/include/libssh2/libssh2_priv.h:267: error: expected specifier-qualifier-list before ‘_libssh2_bn’
../pgadmin/include/libssh2/libssh2_priv.h:604: error: ‘SHA_DIGEST_LENGTH’ undeclared here (not in a function)
../pgadmin/include/libssh2/libssh2_priv.h:899: error: expected specifier-qualifier-list before ‘_libssh2_cipher_type’
libssh2/agent.c: In function ‘agent_connect_unix’:
libssh2/agent.c:150: warning: assignment makes pointer from integer without a cast
make[3]: *** [libssh2/agent.o] Error 1
make[2]: *** [all] Error 2
make[1]: *** [all-recursive] Error 1
make: *** [all] Error 2

I have modified the configure.ac.in and added "-DLIBSSH2_OPENSSL" to solve the above. You need to run the configure command again.
You also needs to rerun the bootstrap script.

OK, it works for me on Windows and OSX. Ashesh, can you give it a review/commit please?

Thanks.

--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

Re: SSH tunnel key exchange methods

From

Ashesh Vashi

Date:

08 December 2015, 13:16:12

On Tue, Dec 8, 2015 at 6:36 PM, Dave Page <dpage@pgadmin.org> wrote:

Yes, I think so.

Thanks.

I have committed the code in the master branch, from which we will create a new branch 'REL-1_22_0_PATCHES' for 1.22.x releases.

--

Thanks & Regards,

Ashesh Vashi

On Tue, Dec 8, 2015 at 1:05 PM, Ashesh Vashi <ashesh.vashi@enterprisedb.com> wrote:
Dave,

Patch looks good to me.
But - Should we consider this as a bug fix, and commit it for 1.22.0 release?

--
Thanks & Regards,

Ashesh Vashi
EnterpriseDB INDIA: Enterprise PostgreSQL Company

http://www.linkedin.com/in/asheshvashi

On Wed, Dec 2, 2015 at 6:34 PM, Dave Page <dpage@pgadmin.org> wrote:

On Wed, Dec 2, 2015 at 9:59 AM, Ashesh Vashi <ashesh.vashi@enterprisedb.com> wrote:

On Wed, Dec 2, 2015 at 3:27 PM, Akshay Joshi <akshay.joshi@enterprisedb.com> wrote:

On Wed, Dec 2, 2015 at 3:20 PM, Dave Page <dpage@pgadmin.org> wrote:
Hi

On Wed, Dec 2, 2015 at 9:19 AM, Akshay Joshi <akshay.joshi@enterprisedb.com> wrote:
Hi Dave

I have updated the libssh2 library with the latest available code on their git repository. The new code used "diffie-hellman-group-exchange-sha256" algorithm for key exchange and they also fixed some memory leak. I have verified it by putting the breakpoint in the libssh2 code, so when we called "libssh2_session_init()" it will automatically call "static int diffie_hellman_sha256(...)" function, but I don't know exactly how to identify the key exchange method (sha1 or sha256) used by the latest libssh2 library.

I have tested the pgadmin3 after updating the libssh2 library on CentOS 6.5 (64 bit) and it works fine. I have also modified the code to add human readable error message returned by the library. Attached is the patch file. Can you please review it and if it looks good can you please commit the code.

I'm seeing the following build error on OS X 10.7:

depbase=`echo libssh2/agent.o | sed 's|[^/]*$|.deps/&|;s|\.o$||'`;\
ccache gcc -Qunused-arguments -DHAVE_CONFIG_H -I. -I.. -I../pgadmin/include/libssh2 -I../pgadmin/include -I../pgadmin/include/libssh2 -I/usr/local/pgsql-9.5/include -I/usr/local/pgsql-9.5/include/server -I/usr/local/pgsql-9.5/include -DPG_SSL -DHAVE_CONNINFO_PARSE -I/usr/local/lib/wx/include/mac-unicode-release-static-2.8 -I/usr/local/include/wx-2.8 -D_FILE_OFFSET_BITS=64 -D_LARGE_FILES -D__WXMAC__ -DEMBED_XRC -arch i386 -I/usr/include/libxml2 -I/opt/local/include/libxml2 -DHAVE_OPENSSL_CRYPTO -O2 -MT libssh2/agent.o -MD -MP -MF $depbase.Tpo -c -o libssh2/agent.o libssh2/agent.c &&\
mv -f $depbase.Tpo $depbase.Po
In file included from ../pgadmin/include/libssh2/libssh2_priv.h:136,
from libssh2/agent.c:41:
../pgadmin/include/libssh2/crypto.h:53: error: expected ‘)’ before ‘*’ token
../pgadmin/include/libssh2/crypto.h:69: error: expected ‘)’ before ‘*’ token
../pgadmin/include/libssh2/crypto.h:73: error: expected ‘)’ before ‘*’ token
../pgadmin/include/libssh2/crypto.h:78: error: expected declaration specifiers or ‘...’ before ‘libssh2_rsa_ctx’
../pgadmin/include/libssh2/crypto.h:83: error: expected ‘)’ before ‘*’ token
../pgadmin/include/libssh2/crypto.h:115: error: expected ‘)’ before ‘*’ token
../pgadmin/include/libssh2/crypto.h:120: error: expected ‘)’ before ‘*’ token
In file included from libssh2/agent.c:41:
../pgadmin/include/libssh2/libssh2_priv.h:240: error: ‘SHA256_DIGEST_LENGTH’ undeclared here (not in a function)
../pgadmin/include/libssh2/libssh2_priv.h:245: error: expected specifier-qualifier-list before ‘_libssh2_bn_ctx’
../pgadmin/include/libssh2/libssh2_priv.h:267: error: expected specifier-qualifier-list before ‘_libssh2_bn’
../pgadmin/include/libssh2/libssh2_priv.h:604: error: ‘SHA_DIGEST_LENGTH’ undeclared here (not in a function)
../pgadmin/include/libssh2/libssh2_priv.h:899: error: expected specifier-qualifier-list before ‘_libssh2_cipher_type’
libssh2/agent.c: In function ‘agent_connect_unix’:
libssh2/agent.c:150: warning: assignment makes pointer from integer without a cast
make[3]: *** [libssh2/agent.o] Error 1
make[2]: *** [all] Error 2
make[1]: *** [all-recursive] Error 1
make: *** [all] Error 2

I have modified the configure.ac.in and added "-DLIBSSH2_OPENSSL" to solve the above. You need to run the configure command again.
You also needs to rerun the bootstrap script.

OK, it works for me on Windows and OSX. Ashesh, can you give it a review/commit please?

Thanks.

--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company