[Bug 2991] Not supports hmac-md5 ciphering technique
bugzilla-daemon at bugzilla.mindrot.org
Wed Apr 10 21:20:59 AEST 2019
https://bugzilla.mindrot.org/show_bug.cgi?id=2991
--- Comment #5 from Darren Tucker <dtucker at dtucker.net> ---
(In reply to Karthik Adiga from comment #4)
> Thanks Jakub & Darren for your timely reply.
>
> We follow RSA technique.
Not sure what you mean by this.
> I have upgraded openssh in arm/linux machine from 5.3p1 to 7.9p1.
From the working connection:
> debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss
client supports all of these host key algorithms
> debug2: kex_parse_kexinit: ssh-dss
Server only supports ssh-dss.
I think the client only has an ssh-dss (i.e. DSA) host key, but 7.9p1
doesn't support that by default any more. To re-enable it you would
need to add ssh-dss to HostKeyAlgorithms *and* tell it to load the DSA
host key (which is no longer in the default list) in addition to all
the other key types by adding this to sshd_config:
    HostKeyAlgorithms +ssh-dss
    HostKey /usr/local/etc/ssh_host_rsa_key
    HostKey /usr/local/etc/ssh_host_ecdsa_key
    HostKey /usr/local/etc/ssh_host_ed25519_key
    HostKey /usr/local/etc/ssh_host_dsa_key
> Earlier from a linux client(5.3p1) to
> arm/linux server(5.3p1) was working fine. Now after upgrade it is
> giving the no hostkey algorithm error.
>
> With both machines on the same version 5.3p1 cipher technique used
> was hmac-md5, but with server in 7.9p1 it is choosing hmac-sha1.
That's fine.
> On what basis server chooses the cipher technique i.e. hmac-md5 or
> hmac-sha1?
The server sends a list of algorithms that it supports and the client
picks one. If the client doesn't have a supported (and enabled)
algorithm matching one that the server offers for a particular purpose
then the key exchange fails.
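The host key negotiation discussed in the comment above, as an added example that is not part of the original message and is not OpenSSH code. It is a simplified model: the client list is taken from the debug2 line in the thread, DEFAULT_ENABLED is an assumed, trimmed stand-in for the 7.9p1 default HostKeyAlgorithms, and the function names are hypothetical.

```python
# Added illustration: simplified model of SSH host key algorithm negotiation.

# Client proposal copied from the debug2 line in the thread (5.3p1 client).
CLIENT_HOSTKEY_ALGS = (
    "ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,"
    "ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,"
    "ssh-rsa,ssh-dss"
).split(",")

# Assumption: trimmed stand-in for the 7.9p1 default list (ssh-dss absent).
DEFAULT_ENABLED = ["ecdsa-sha2-nistp256", "ssh-ed25519",
                   "rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"]

# Signature algorithms that each loaded host key type can serve.
KEY_TYPE_ALGS = {
    "rsa": {"ssh-rsa", "rsa-sha2-256", "rsa-sha2-512"},
    "dsa": {"ssh-dss"},
    "ecdsa": {"ecdsa-sha2-nistp256"},
    "ed25519": {"ssh-ed25519"},
}

def enabled_algs(hostkeyalgorithms=None):
    """Apply a HostKeyAlgorithms value; a leading '+' appends to the default."""
    if not hostkeyalgorithms:
        return list(DEFAULT_ENABLED)
    if hostkeyalgorithms.startswith("+"):
        extra = hostkeyalgorithms[1:].split(",")
        return DEFAULT_ENABLED + [a for a in extra if a not in DEFAULT_ENABLED]
    return hostkeyalgorithms.split(",")

def server_offer(loaded_key_types, hostkeyalgorithms=None):
    """The server advertises only enabled algorithms backed by a loaded key."""
    usable = set().union(*(KEY_TYPE_ALGS[t] for t in loaded_key_types))
    return [a for a in enabled_algs(hostkeyalgorithms) if a in usable]

def negotiate(client_algs, server_algs):
    """RFC 4253 section 7.1: first name on the client's list that the
    server also lists; None models the 'no hostkey alg' failure."""
    return next((a for a in client_algs if a in server_algs), None)

def scenarios():
    """Constructed case: the machine holds only a DSA host key file."""
    c = CLIENT_HOSTKEY_ALGS
    return {
        "defaults (DSA key not loaded)": negotiate(c, server_offer([])),
        "+ssh-dss without HostKey line": negotiate(c, server_offer([], "+ssh-dss")),
        "HostKey line without +ssh-dss": negotiate(c, server_offer(["dsa"])),
        "both settings": negotiate(c, server_offer(["dsa"], "+ssh-dss")),
    }
```

Only the last scenario yields a match, which is why the comment asks for both the HostKeyAlgorithms line and the HostKey line for the DSA key.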