[ https://issues.apache.org/jira/browse/GUACAMOLE-1461?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mike Jumper updated GUACAMOLE-1461:
-----------------------------------
    Description: 
libssh2 has recently grown support for elliptic curve cryptography, including 
support for elliptic curve KEX algorithms. The current guacd Docker image 
doesn't inherit this support, however, because it uses Debian Buster as its 
base image. To have access to a newer libssh2, the guacd image will need to use 
at least Debian Bullseye.

It may be worth updating the image to simply point at Debian stable, assuming 
there is no longer any issue with the FreeRDP version included by that version 
of Debian. Meanwhile, the Jenkins build that performs nightly rebuilds of the 
established Docker images for the previous release can simply be updated to 
point to Debian Bullseye with its build args and thus magically become 
up-to-date.

  was:
All previous versions are affected. I use the latest docker official image on 
both guacamole and guacd.

Before I create this issue, I just searched the whole Jira here. Just found 
some related issues like GUACAMOLE-703, GUACAMOLE-435, GUACAMOLE-1315, 
GUACAMOLE-1052.

Security should be considered as a lifeline of such a widely-used remote 
connection software. Every user will finally follow the libssh upgrade since 
the distributions on their Linux machine did so.

The problem is that the `libssh2` library you've previously used only has 2 
legacy and deprecated SSH host key algorithm support. However, since it's 2021 
now, OpenSSH 8.8 on my Arch Linux, just dropped support of those algorithms 
which already should be considered as unsafe.

It's so obvious that:

guacd supports:

!image-2021-11-18-14-26-03-940.png|width=100%!

What OpenSSH server offers:

!image-2021-11-18-14-27-02-502.png|width=100%!

The captured packet is attached, check it please. (In this capture, SSH server 
port is 22201)


> Include libssh2 1.9.0 or later in guacd Docker image
> ----------------------------------------------------
>
>                 Key: GUACAMOLE-1461
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1461
>             Project: Guacamole
>          Issue Type: Improvement
>          Components: guacd-docker
>            Reporter: Patrick Young
>            Priority: Major
>         Attachments: image-2021-11-18-14-26-03-940.png, 
> image-2021-11-18-14-27-02-502.png, ssh-debug.pcap
>
>
> libssh2 has recently grown support for elliptic curve cryptography, including 
> support for elliptic curve KEX algorithms. The current guacd Docker image 
> doesn't inherit this support, however, because it uses Debian Buster as its 
> base image. To have access to a newer libssh2, the guacd image will need to 
> use at least Debian Bullseye.
> It may be worth updating the image to simply point at Debian stable, assuming 
> there is no longer any issue with the FreeRDP version included by that 
> version of Debian. Meanwhile, the Jenkins build that performs nightly 
> rebuilds of the established Docker images for the previous release can simply 
> be updated to point to Debian Bullseye with its build args and thus magically 
> become up-to-date.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
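
The mismatch described in the original report can be reproduced offline by parsing the host key name-lists out of the two SSH_MSG_KEXINIT payloads (RFC 4253, section 7.1) and looking for a common entry. This is an added example, not code from the issue, Guacamole or libssh2; the function names are hypothetical and the algorithm lists are constructed samples, not values read from ssh-debug.pcap.

```python
import struct

SSH_MSG_KEXINIT = 20
# Order of the ten name-lists in a KEXINIT payload (RFC 4253, section 7.1).
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def build_kexinit(**lists):
    """Build a KEXINIT payload for sample input (all-zero cookie)."""
    out = bytes([SSH_MSG_KEXINIT]) + bytes(16)
    for name in FIELDS:
        data = ",".join(lists.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(data)) + data
    # first_kex_packet_follows = false, reserved uint32 = 0
    return out + b"\x00" + struct.pack(">I", 0)

def parse_kexinit(payload):
    """Return the ten name-lists of a KEXINIT payload as a dict of lists."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    pos, result = 17, {}  # skip message type byte and 16-byte cookie
    for name in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (length,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + length > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[pos:pos + length].decode("ascii")
        result[name] = raw.split(",") if raw else []
        pos += length
    return result

def negotiate_host_key(client_payload, server_payload):
    """First client-preferred host key algorithm the server also lists, else None.
    Simplified: ignores the extra requirements a KEX method may impose."""
    client = parse_kexinit(client_payload)["host_key"]
    server = set(parse_kexinit(server_payload)["host_key"])
    return next((alg for alg in client if alg in server), None)

# Constructed sample lists (assumptions for illustration only).
LEGACY_CLIENT = build_kexinit(host_key=["ssh-rsa", "ssh-dss"])
EC_CLIENT = build_kexinit(host_key=["ecdsa-sha2-nistp256", "ssh-ed25519", "ssh-rsa"])
SERVER = build_kexinit(host_key=["rsa-sha2-512", "rsa-sha2-256",
                                 "ecdsa-sha2-nistp256", "ssh-ed25519"])

if __name__ == "__main__":
    print("legacy client:", negotiate_host_key(LEGACY_CLIENT, SERVER))
    print("EC-capable client:", negotiate_host_key(EC_CLIENT, SERVER))
```

A result of None corresponds to the connection failing during key exchange because the two sides share no host key algorithm.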
