[
https://issues.apache.org/jira/browse/GUACAMOLE-1461?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17445692#comment-17445692
]
Mike Jumper commented on GUACAMOLE-1461:
----------------------------------------
[~kmahyyg], support for elliptic curve KEX algorithms has actually been in
libssh2 since their 1.9.0 release, apparently added via
https://github.com/libssh2/libssh2/commit/aba34f5f56890563e6f0147ad8bc0e36aa966f49.
As you note, Guacamole inherits its KEX support from libssh2, so there isn't
anything to be done here to gain that support except to use a newer libssh2 if
you need the newer support.
As far as the guacd Docker image is concerned, similar to GUACAMOLE-407, this
would mean using a different base image. I'll update this issue to note that,
as updating the base image is a reasonable and valid request.
Outside of the Docker image, there is nothing to be done for this - the support
is already available and will already work. If you don't want to build from
source, you can rebuild the image against a newer base. For example (from
within the top directory of the guacamole-server source):
{code:none}
sudo docker build --build-arg DEBIAN_BASE_IMAGE=bullseye --build-arg DEBIAN_RELEASE=bullseye-backports .
{code}
> KEX failed when using SSH with relatively new SSH Server
> --------------------------------------------------------
>
> Key: GUACAMOLE-1461
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-1461
> Project: Guacamole
> Issue Type: Bug
> Components: guacd, guacd-docker, SSH
> Affects Versions: 1.3.0
> Reporter: Patrick Young
> Priority: Major
> Attachments: image-2021-11-18-14-26-03-940.png,
> image-2021-11-18-14-27-02-502.png, ssh-debug.pcap
>
>
> All previous versions are affected. I use the latest docker official image on
> both guacamole and guacd.
> Before I create this issue, I just searched the whole Jira here. Just found
> some related issues like GUACAMOLE-703, GUACAMOLE-435, GUACAMOLE-1315,
> GUACAMOLE-1052.
> Security should be considered as a lifeline of such a widely-used remote
> connection software. Every user will finally follow the libssh upgrade since
> the distributions on their Linux machine did so.
> The problem is that the `libssh2` library you've previously used only has 2
> legacy and deprecated SSH host key algorithm support. However, since it's
> 2021 now, OpenSSH 8.8 on my Arch Linux, just dropped support of those
> algorithms which already should be considered as unsafe.
> It's so obvious that:
> guacd supports:
> !image-2021-11-18-14-26-03-940.png|width=100%!
> What OpenSSH server offers:
> !image-2021-11-18-14-27-02-502.png|width=100%!
> The captured packet is attached, check it please. (In this capture, SSH
> server port is 22201)
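To see which negotiation step has no overlap in a case like the one discussed above, the following added example (not part of the Jira thread, and not Guacamole or libssh2 code) parses the first two name-lists of two SSH_MSG_KEXINIT payloads and applies a simplified version of the RFC 4253 rule: the first client-preferred name that the server also lists. The algorithm lists are constructed assumptions, not values read from the attached capture or screenshots.

```python
import struct

def name_list(names):
    """Encode an RFC 4251 name-list: uint32 length, then comma-separated names."""
    body = ",".join(names).encode("ascii")
    return struct.pack(">I", len(body)) + body

def build_kexinit(kex, host_key):
    """Build a constructed SSH_MSG_KEXINIT payload (RFC 4253, section 7.1)."""
    rest = [["aes128-ctr"]] * 2 + [["hmac-sha2-256"]] * 2 + [["none"]] * 2 + [[]] * 2
    lists = b"".join(name_list(n) for n in [kex, host_key] + rest)
    # type 20, 16-byte cookie, 10 name-lists, first_kex_packet_follows, reserved
    return b"\x14" + bytes(16) + lists + b"\x00" + bytes(4)

def parse_kexinit(payload):
    """Return (kex_algorithms, server_host_key_algorithms) from a KEXINIT payload."""
    if len(payload) < 17 or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    offset, lists = 17, []  # skip message type (1 byte) and cookie (16 bytes)
    for _ in range(2):
        if offset + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (size,) = struct.unpack_from(">I", payload, offset)
        offset += 4
        if offset + size > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[offset:offset + size].decode("ascii")
        lists.append(raw.split(",") if raw else [])
        offset += size
    return lists[0], lists[1]

def diagnose(client_payload, server_payload):
    """Pick the first client-preferred name the server also lists; None means no overlap."""
    client, server = parse_kexinit(client_payload), parse_kexinit(server_payload)
    pick = lambda c, s: next((a for a in c if a in s), None)
    return {"kex": pick(client[0], server[0]), "host_key": pick(client[1], server[1])}

# Constructed sample lists (assumptions, not read from the attached capture).
OLD_CLIENT = build_kexinit(["diffie-hellman-group-exchange-sha256", "diffie-hellman-group14-sha1"],
                           ["ssh-rsa", "ssh-dss"])
NEW_CLIENT = build_kexinit(["curve25519-sha256", "ecdh-sha2-nistp256"],
                           ["ssh-ed25519", "ecdsa-sha2-nistp256", "ssh-rsa"])
SERVER = build_kexinit(["curve25519-sha256", "ecdh-sha2-nistp256", "diffie-hellman-group-exchange-sha256"],
                       ["ssh-ed25519", "rsa-sha2-512", "rsa-sha2-256"])

if __name__ == "__main__":
    print("old client:", diagnose(OLD_CLIENT, SERVER))
    print("new client:", diagnose(NEW_CLIENT, SERVER))
```

A `None` in either field means the handshake cannot complete, even when the other list still has a common entry.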