SSH MACs Issue

Issues related to applications and software problems and general support
Post Reply
m.degras
Posts: 2
Joined: 2021/03/30 08:55:48

SSH MACs Issue

Post by m.degras » 2021/03/30 13:06:10

Hi,

I have a strange problem when i using an old ssh MACs under CentOS8 and CentOS Stream.

By default, i used DEFAULT policy on my serverb, but i override CRYPTO_POLICY in /etc/sysconfig/sshd.

cat /etc/sysconfig/sshd

CRYPTO_POLICY='-oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512- -oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 -oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa'

systemctl restart sshd.service

Normally, I shouldn't login to my server:
ssh -m umac-64@openssh.com test@serverb

OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n 7 Dec 2017
debug1: Reading configuration data /home/test/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to serverb [192.168.1.2] port 22.
debug1: Connection established.
debug1: identity file /home/test/.ssh/id_rsa type 0
debug1: key_load_public: No such file or directory
debug1: identity file /home/test/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/test/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/test/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/test/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/test/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/test/.ssh/id_ed25519 type 3
debug1: key_load_public: No such file or directory
debug1: identity file /home/test/.ssh/id_ed25519-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.0
debug1: match: OpenSSH_8.0 pat OpenSSH* compat 0x04000000
debug1: Authenticating to serverb:22 as 'test'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: rsa-sha2-512
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa SHA256:ioyuCB+gwKQIdxXbxju76kOxtZd9hjOnGcpcqKdeUPA
debug1: Host 'serverb' is known and matches the RSA host key.
debug1: Found key in /home/test/.ssh/known_hosts:354
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:2P18lA/xUoyGXxaLFV36skrVQyS1fI8dMO4a8+Ok9kg /home/test/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /home/test/.ssh/id_dsa
debug1: Trying private key: /home/test/.ssh/id_ecdsa
debug1: Offering public key: ED25519 SHA256:Gq3PPZZ7ICG5GyqVlGQ1CCOzsFiRh+cTVDvlMsHFkGM /home/test/.ssh/id_ed25519
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
Password:

But, I can login and I think is not normal because I'm not reproducing it in CentOS 6 and 7.

Any ideas?

Thanks in advance,

User avatar
TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SSH MACs Issue

Post by TrevorH » 2021/03/30 14:02:08

Amending sshd has no effect on what the ssh client locally will do.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

m.degras
Posts: 2
Joined: 2021/03/30 08:55:48

Re: SSH MACs Issue

Post by m.degras » 2021/04/15 09:54:50

Hello,

Yeah, true... I removed my custom settings and used the Default parameters and that changed nothing.

But, in my ssh connection test with macs algo i've got the same issue.

Opensshserver continue to let me passed, whereas i deleted old macs algo.

For example in CentOS 6 & 7, it was forbidden. Below the result:
Unable to negotiate with x.x.x.x port 22: no matching MAC found. Their offer: ...

Post Reply