Mailing List Archive

[Bug 3415] New: sftp/ssh doesn't give notice of non-matching MACs but just aborts
https://bugzilla.mindrot.org/show_bug.cgi?id=3415

Bug ID: 3415
Summary: sftp/ssh doesn't give notice of non-matching MACs but just aborts
Product: Portable OpenSSH
Version: 8.9p1
Hardware: Other
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: ssh
Assignee: unassigned-bugs@mindrot.org
Reporter: calestyo@scientia.org

Hey.

I was trying to connect from:
OpenSSH_8.9p1 Debian-3, OpenSSL 1.1.1n 15 Mar 2022

to the SFTP server from:
https://www--s0-v1.becke.ch/app/becke-ch--sftp-server--s0-v1/
respectively:

https://play.google.com/store/apps/details?id=ch.becke.sftp_server__s0_v1


In my /etc/ssh/ssh_config I had (amongst others) the following
hardening set:
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com

i.e. forbidding all non-ETM MACs.


Connecting with that, just "silently" fails:
$ sftp -vvv 192.168.0.150
OpenSSH_8.9p1 Debian-3, OpenSSL 1.1.1n 15 Mar 2022
debug1: Reading configuration data /home/calestyo/.ssh/config
debug3: kex names ok: [diffie-hellman-group14-sha1]
debug3: kex names ok: [diffie-hellman-group-exchange-sha256]
debug1: /home/calestyo/.ssh/config line 220: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 6: Applying options for *
debug3: kex names ok: [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512]
debug3: gss kex names ok: [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group16-sha512-]
debug2: resolve_canonicalize: hostname 192.168.0.150 is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/calestyo/.ssh/known_hosts'
debug1: Control socket "/home/calestyo/.ssh/mux/heisenberg_calestyo@192.168.0.150:22" does not exist
debug3: ssh_connect_direct: entering
debug1: Connecting to 192.168.0.150 [192.168.0.150] port 22.
debug3: set_sock_tos: set socket 3 IP_TOS 0x10
debug1: connect to address 192.168.0.150 port 22: Connection refused
ssh: connect to host 192.168.0.150 port 22: Connection refused
Connection closed.
Connection closed


I.e. there is no message such as:
Unable to negotiate with UNKNOWN port 65535: no matching MAC found. Their offer: hmac-sha1,hmac-ripemd160

Any ideas why not?

Thanks,
Chris.

--
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
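The two failure modes the report contrasts, worked through as an added example that is not part of the bug report or of OpenSSH itself: a small Python classifier for `ssh -vvv` / `sftp -vvv` output. It separates a transport-stage failure (`ssh: connect to host ... Connection refused`, which is returned by connect(2) before any SSH banner or KEXINIT is exchanged, so the client never receives a server algorithm list to print) from a key-exchange-stage failure (`Unable to negotiate ... no matching MAC found. Their offer: ...`, which only appears once the TCP session is up and the two algorithm lists have actually been compared). It also checks that a MACs line is ETM-only, as the report's hardening intends, and mirrors the selection rule of the SSH transport (RFC 4253 section 7.1: the first algorithm in the client's list that the server also offers wins). The sample logs are constructed from the lines quoted in the report; the regexes and function names are this example's own assumptions, not an OpenSSH API or a documented log format.

```python
import re
from typing import Optional

# Constructed sample: the transport-stage failure quoted in the report.
REFUSED_LOG = """\
debug1: Connecting to 192.168.0.150 [192.168.0.150] port 22.
debug1: connect to address 192.168.0.150 port 22: Connection refused
ssh: connect to host 192.168.0.150 port 22: Connection refused
Connection closed.
"""

# Constructed sample: what a MAC negotiation failure looks like, using the
# message form and the server offer quoted in the report.
NEGOTIATION_LOG = """\
debug1: Connecting to 192.168.0.150 [192.168.0.150] port 22.
debug1: Connection established.
Unable to negotiate with 192.168.0.150 port 22: no matching MAC found. Their offer: hmac-sha1,hmac-ripemd160
"""

# The MACs hardening line from the report's /etc/ssh/ssh_config.
HARDENED_MACS = ("hmac-sha2-512-etm@openssh.com,"
                 "hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com")

# Patterns for the two failure messages (assumed here, matched against the
# wording shown in the report; OpenSSH does not document a stable log format).
CONNECT_RE = re.compile(r"^ssh: connect to host (\S+) port (\d+): (.+)$", re.M)
NEGOTIATE_RE = re.compile(
    r"^Unable to negotiate with (\S+) port (\d+): "
    r"no matching (.+?) found\. Their offer: (\S+)$", re.M)


def classify_failure(log: str) -> dict:
    """Say at which stage the connection died.

    'transport' means connect(2) itself failed: no banner, no KEXINIT, so
    there is no algorithm offer the client could report.  'kex' means the
    TCP session was up and the algorithm lists were actually compared.
    """
    m = CONNECT_RE.search(log)
    if m:
        return {"stage": "transport", "host": m.group(1),
                "port": int(m.group(2)), "error": m.group(3)}
    m = NEGOTIATE_RE.search(log)
    if m:
        return {"stage": "kex", "host": m.group(1), "port": int(m.group(2)),
                "algorithm_type": m.group(3),
                "their_offer": m.group(4).split(",")}
    return {"stage": "unknown"}


def is_etm_only(macs: str) -> bool:
    """True if every MAC in a comma-separated MACs line is an encrypt-then-MAC variant."""
    return all(name.endswith("-etm@openssh.com") for name in macs.split(","))


def negotiate_mac(client_macs: str, server_offer: list) -> Optional[str]:
    """Mirror the SSH transport rule (RFC 4253 section 7.1): the chosen
    algorithm is the first one in the client's list that the server also
    offers; None means the two sides have nothing in common."""
    for name in client_macs.split(","):
        if name in server_offer:
            return name
    return None


if __name__ == "__main__":
    print(classify_failure(REFUSED_LOG))
    kex = classify_failure(NEGOTIATION_LOG)
    print(kex)
    print("etm-only:", is_etm_only(HARDENED_MACS))
    print("negotiated:", negotiate_mac(HARDENED_MACS, kex["their_offer"]))
```

Run against the report's own output the classifier lands on `transport` with `Connection refused`, which is why no "Their offer" list is printed; against the constructed negotiation log it lands on `kex`, and the ETM-only MACs line has no overlap with an offer of `hmac-sha1,hmac-ripemd160`, so `negotiate_mac` returns `None`, the condition under which OpenSSH prints the "no matching MAC found" message.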