[Bug 3415] sftp/ssh doesn't give notice of non-matching MACs but just aborts

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Sat Apr 2 07:58:02 AEDT 2022


https://bugzilla.mindrot.org/show_bug.cgi?id=3415

--- Comment #3 from Christoph Anton Mitterer <calestyo at scientia.org> ---
Hey Darren.

Uhm... I could try to build a "clean" OpenSSH with all the Debian
modifications removed - but AFAICS none of those should really touch
the warning about a failed MAC negotiation. In fact I do get that
warning when connecting to another (yet very old - and thus not
supporting new MACs) OpenSSH at the university.


As for my debug output... I think I just copy&pasted the wrong one from
the terminal, sorry.
Here's the correct one:
$ sftp -vvv -P 6789 192.168.0.150
OpenSSH_8.9p1 Debian-3, OpenSSL 1.1.1n  15 Mar 2022
debug1: Reading configuration data /home/calestyo/.ssh/config
debug1: /home/calestyo/.ssh/config line 226: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 6: Applying options for *
debug3: kex names ok:
[curve25519-sha256,curve25519-sha256 at libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512]
debug3: gss kex names ok:
[gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group16-sha512-]
debug2: resolve_canonicalize: hostname 192.168.0.150 is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' ->
'/home/calestyo/.ssh/known_hosts'
debug1: Control socket
"/home/calestyo/.ssh/mux/heisenberg_calestyo at 192.168.0.150:6789" does
not exist
debug3: ssh_connect_direct: entering
debug1: Connecting to 192.168.0.150 [192.168.0.150] port 6789.
debug3: set_sock_tos: set socket 3 IP_TOS 0x10
debug1: Connection established.
debug1: identity file /home/calestyo/.ssh/id_ed25519 type 3
debug1: identity file /home/calestyo/.ssh/id_ed25519-cert type -1
debug1: identity file /home/calestyo/.ssh/id_ecdsa type -1
debug1: identity file /home/calestyo/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/calestyo/.ssh/id_rsa type -1
debug1: identity file /home/calestyo/.ssh/id_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.9p1 Debian-3
debug1: Remote protocol version 2.0, remote software version
becke-ch--ssh--s0-0-v1-0
debug1: compat_banner: no match: becke-ch--ssh--s0-0-v1-0
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 192.168.0.150:6789 as 'calestyo'
debug3: rekey after 0 bytes, 3600 seconds
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
Connection closed by 192.168.0.150 port 6789
Connection closed.  
Connection closed


> That example looks like it's using a proxycommand.

Yes it does... that's the very old OpenSSH mentioned above. We cannot
really upgrade that (at least not soon)... so it's not publicly in the
network and only reachable via some ProxyJump (over a recent
enough/secure node).


I tried with -F none:

$ sftp -vvv -P 6789 -F none -o GSSAPIKeyExchange=no -o
MACs=hmac-sha2-256-etm at openssh.com 192.168.0.150
OpenSSH_8.9p1 Debian-3, OpenSSL 1.1.1n  15 Mar 2022
debug2: resolve_canonicalize: hostname 192.168.0.150 is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' ->
'/home/calestyo/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' ->
'/home/calestyo/.ssh/known_hosts2'
debug3: ssh_connect_direct: entering
debug1: Connecting to 192.168.0.150 [192.168.0.150] port 6789.
debug3: set_sock_tos: set socket 3 IP_TOS 0x10
debug1: Connection established.
debug1: identity file /home/calestyo/.ssh/id_rsa type -1
debug1: identity file /home/calestyo/.ssh/id_rsa-cert type -1
debug1: identity file /home/calestyo/.ssh/id_ecdsa type -1
debug1: identity file /home/calestyo/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/calestyo/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/calestyo/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/calestyo/.ssh/id_ed25519 type 3
debug1: identity file /home/calestyo/.ssh/id_ed25519-cert type -1
debug1: identity file /home/calestyo/.ssh/id_ed25519_sk type -1
debug1: identity file /home/calestyo/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/calestyo/.ssh/id_xmss type -1
debug1: identity file /home/calestyo/.ssh/id_xmss-cert type -1
debug1: identity file /home/calestyo/.ssh/id_dsa type -1
debug1: identity file /home/calestyo/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.9p1 Debian-3
debug1: Remote protocol version 2.0, remote software version
becke-ch--ssh--s0-0-v1-0
debug1: compat_banner: no match: becke-ch--ssh--s0-0-v1-0
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 192.168.0.150:6789 as 'calestyo'
debug3: put_host_port: [192.168.0.150]:6789
debug3: record_hostkey: found key type ECDSA in file
/home/calestyo/.ssh/known_hosts:31
debug3: load_hostkeys_file: loaded 1 keys from [192.168.0.150]:6789
debug1: load_hostkeys: fopen /home/calestyo/.ssh/known_hosts2: No such
file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or
directory
debug3: order_hostkeyalgs: prefer hostkeyalgs:
ecdsa-sha2-nistp521-cert-v01 at openssh.com,ecdsa-sha2-nistp521
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
Connection closed by 192.168.0.150 port 6789
Connection closed.  
Connection closed



So it doesn't seem to be my ssh config... nevertheless, if you'd still
need it, tell me and I'd send it to you privately. It's not really that
secret... nevertheless, it probably shouldn't be made too public as it
contains some network information and so on.


Thanks,
Chris.
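To make the symptom in the two transcripts above checkable, here is a small triage helper (added for this thread, not OpenSSH code) that reads `sftp -vvv`/`ssh -vvv` output, reports the last handshake stage reached before the peer closed the connection, and flags the case the report describes: the client sent KEXINIT, the peer dropped the connection, and no "Unable to negotiate"/"no matching" notice was printed. The two log samples are constructed from the output in this comment.

```python
"""Triage helper for OpenSSH client debug output (example, not OpenSSH code)."""
import re

# Handshake stages in the order OpenSSH's debug1 output reports them.
STAGES = [
    ("banner", re.compile(r"^debug1: Remote protocol version")),
    ("kexinit_sent", re.compile(r"^debug1: SSH2_MSG_KEXINIT sent")),
    ("kexinit_received", re.compile(r"^debug1: SSH2_MSG_KEXINIT received")),
    ("kex_algorithm", re.compile(r"^debug1: kex: algorithm:")),
    ("newkeys_sent", re.compile(r"^debug1: SSH2_MSG_NEWKEYS sent")),
]
CLOSED_RE = re.compile(r"^Connection closed by (\S+) port (\d+)")
NOTICE_RE = re.compile(r"Unable to negotiate|no matching", re.IGNORECASE)


def triage(log_text):
    """Return where the handshake stopped and whether a negotiation notice appeared."""
    last_stage, peer, notices = None, None, []
    for line in log_text.splitlines():
        for name, rx in STAGES:
            if rx.match(line):
                last_stage = name
        if NOTICE_RE.search(line):
            notices.append(line)
        m = CLOSED_RE.match(line)
        if m:  # first peer-initiated close ends the session of interest
            peer = "%s:%s" % (m.group(1), m.group(2))
            break
    # "silent abort": peer closed right after our KEXINIT and the client said nothing
    silent = peer is not None and last_stage == "kexinit_sent" and not notices
    return {"peer": peer, "last_stage": last_stage,
            "notices": notices, "silent_abort": silent}


# Constructed sample 1: trimmed copy of the second transcript in this comment.
SILENT_LOG = """debug1: Remote protocol version 2.0, remote software version becke-ch--ssh--s0-0-v1-0
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
Connection closed by 192.168.0.150 port 6789
Connection closed.
"""

# Constructed sample 2: the notice the reporter expected to see (wording as OpenSSH prints it).
NOTICED_LOG = """debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
Unable to negotiate with 192.168.0.150 port 6789: no matching MAC found. Their offer: hmac-sha1
"""

if __name__ == "__main__":
    print(triage(SILENT_LOG))
    print(triage(NOTICED_LOG))
```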
