Re: [cdt-dev] SSH2 security configuration for terminal and remote system

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [cdt-dev] SSH2 security configuration for terminal and remote system

From: Alessandro Fardin <alef75@xxxxxxxxx>
Date: Wed, 4 May 2022 01:48:19 +0200
Delivered-to: cdt-dev@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/cdt-dev/>
List-help: <mailto:cdt-dev-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/cdt-dev>, <mailto:cdt-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/cdt-dev>, <mailto:cdt-dev-request@eclipse.org?subject=unsubscribe>

Hi Jonah, thank you for your prompt reply

I've just make the test with egit :

My test case is running through 2 server

1. my embedded linux device: we use CDT to develop and terminal and RSE to download and uplod file and give shell commands via ssh.
so  no git server could run in it

2. My security test setup: a bash script:
download https://github.com/jtesta/ssh-audit on my linux workingstation and run

ssh-audit.py --client-audit
it behave as a ssh server that will listen for client capabilities

as you suggested I've configured eclipse to import new project from git, pointing to the fake get server :

this is the result:
with egit all desired security cryptography for ssh2 is in place , but there are lots of obsolete (not secure) entries. I guess for interoperability reasons.
so I can say that with the egit settings all will work great

please refer to the  bug https://bugs.eclipse.org/bugs/show_bug.cgi?id=560571

for the complete logs of ssh-audit

I hope this could help

Il giorno mer 4 mag 2022 alle ore 01:08 Jonah Graham <jonah@xxxxxxxxxxxxxxxx> ha scritto:

Hi Alessandro,

I added a comment on the bug, but I include it hear for the wider audience:
Do you happen to have git running on that hardened machine and does egit connect fine to it? If so, the fact jgit/egit updated the SSH stack a while back (Bug 520927 Comment 60) would indicate that a solution is possible. I suspect terminal component (now part of CDT) needs to do the same if we want to support SSH natively.

Is there anyone interested on taking on that work (including the investigation to confirm if what I said above is true)?
~~~
Jonah Graham
Kichwa Coders
www.kichwacoders.com
On Tue, 3 May 2022 at 18:07, Alessandro Fardin <alef75@xxxxxxxxx> wrote:
I don't know if I'm missing some settings in the terminal or in eclipse, but I can't connect via terminal or remote system via ssh to a modern ssh server.

The problem is the eclipse ssh2 client that supports:
1. only one secure key exchange algorithms:
(kex) diffie-hellman-group-exchange-sha256

2. Zero secure host-key algorithms
3.Zero secure encryption algorithms (ciphers)
4.Zero secure message authentication code algorithms

and eclipse does not support modern and faster ed25519 host keys
for detail see
https://bugs.eclipse.org/bugs/show_bug.cgi?id=560571

Thank you in advance
Alessandro

_______________________________________________
cdt-dev mailing list
cdt-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/cdt-dev

_______________________________________________
cdt-dev mailing list
cdt-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/cdt-dev

References:
- [cdt-dev] problem with externl makefile project
  - From: Alessandro Fardin
- [cdt-dev] SSH2 security configuration for terminal and remote system
  - From: Alessandro Fardin
- Re: [cdt-dev] SSH2 security configuration for terminal and remote system
  - From: Jonah Graham

Prev by Date: Re: [cdt-dev] SSH2 security configuration for terminal and remote system
Next by Date: [cdt-dev] Weird exception in Spawner
Previous by thread: Re: [cdt-dev] SSH2 security configuration for terminal and remote system
Next by thread: [cdt-dev] Bug 579756: Tool prefixes and "CDT GCC Build Output Parser"
Index(es):
- Date
- Thread

Breadcrumbs