[Bug 3415] New: sftp/ssh doesn't give notice of non-matching MACs but just aborts

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Tue Mar 29 10:40:56 AEDT 2022


https://bugzilla.mindrot.org/show_bug.cgi?id=3415

            Bug ID: 3415
           Summary: sftp/ssh doesn't give notice of non-matching MACs but
                    just aborts
           Product: Portable OpenSSH
           Version: 8.9p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: calestyo at scientia.org

Hey.

I was trying to connect from:
OpenSSH_8.9p1 Debian-3, OpenSSL 1.1.1n  15 Mar 2022

to the SFTP server from:
  https://www--s0-v1.becke.ch/app/becke-ch--sftp-server--s0-v1/
respectively:

https://play.google.com/store/apps/details?id=ch.becke.sftp_server__s0_v1


In my /etc/ssh/ssh_config I had (amongst others) the following
hardening set:
  MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com

i.e. forbidding all non-ETM MACs.


Connecting with that, just "silently" fails:
$ sftp -vvv 192.168.0.150
OpenSSH_8.9p1 Debian-3, OpenSSL 1.1.1n  15 Mar 2022
debug1: Reading configuration data /home/calestyo/.ssh/config
debug3: kex names ok: [diffie-hellman-group14-sha1]
debug3: kex names ok: [diffie-hellman-group-exchange-sha256]
debug1: /home/calestyo/.ssh/config line 220: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 6: Applying options for *
debug3: kex names ok:
[curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512]
debug3: gss kex names ok:
[gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group16-sha512-]
debug2: resolve_canonicalize: hostname 192.168.0.150 is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' ->
'/home/calestyo/.ssh/known_hosts'
debug1: Control socket
"/home/calestyo/.ssh/mux/heisenberg_calestyo@192.168.0.150:22" does not
exist
debug3: ssh_connect_direct: entering
debug1: Connecting to 192.168.0.150 [192.168.0.150] port 22.
debug3: set_sock_tos: set socket 3 IP_TOS 0x10
debug1: connect to address 192.168.0.150 port 22: Connection refused
ssh: connect to host 192.168.0.150 port 22: Connection refused
Connection closed.
Connection closed


I.e. there is no message as e.g.:
Unable to negotiate with UNKNOWN port 65535: no matching MAC found.
Their offer: hmac-sha1,hmac-ripemd160

Any ideas why not?

Thanks,
Chris.
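The transcript in the report shows a TCP-level "Connection refused", which ssh reports before any key-exchange or MAC negotiation has taken place; the "no matching MAC found" message only appears once a transport connection exists and the two KEXINIT algorithm lists are compared. The following POSIX shell helper is an added example (not part of OpenSSH or of the reporter's setup) that tells those two failure modes apart from a saved `ssh -vvv` transcript and computes which MACs a hardened client list shares with a server's offer. The function names, the sample MAC lists and the abridged transcripts are constructed for this illustration; `ssh -G` and the `macs` keyword in its output are real OpenSSH behaviour.

```shell
#!/bin/sh
# Added example for this bug report; not part of OpenSSH or of the reporter's
# configuration. It separates two failure modes that look alike in a terminal:
# a TCP-level "Connection refused" (nothing has been negotiated yet) versus a
# real "no matching MAC found" negotiation failure, and it shows which MACs a
# hardened client list has in common with a server's offer.

# Print the MACs present in both comma-separated lists, in client order.
# Prints an empty line when the sides share no algorithm, which is the
# situation in which ssh reports "no matching MAC found".
mac_overlap() {
    client="$1"
    server="$2"
    found=""
    for c in $(printf '%s' "$client" | tr ',' ' '); do
        for s in $(printf '%s' "$server" | tr ',' ' '); do
            if [ "$c" = "$s" ]; then
                found="${found:+$found,}$c"
            fi
        done
    done
    printf '%s\n' "$found"
}

# Classify an "ssh -vvv" transcript read from stdin. The checks are ordered
# so that a negotiation failure wins over a connect error, and a connect
# error wins over an otherwise successful session.
classify_ssh_debug() {
    log=$(cat)
    if printf '%s\n' "$log" | grep -q 'no matching MAC found'; then
        echo mac-mismatch
    elif printf '%s\n' "$log" | grep -q 'Connection refused'; then
        echo tcp-refused
    elif printf '%s\n' "$log" | grep -q 'Authenticated to'; then
        echo connected
    else
        echo unknown
    fi
}

# Effective MAC list of the local client for a given host, taken from
# "ssh -G", which prints the configuration ssh would actually apply
# (including a MACs line from /etc/ssh/ssh_config). Not invoked below so
# the example runs without ssh or a network.
effective_macs() {
    ssh -G "$1" | awk '$1 == "macs" { print $2 }'
}

# Constructed inputs modelled on the report: the hardened ETM-only MAC list
# and two abridged transcripts (one refused connect, one MAC mismatch).
CLIENT_MACS='hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com'
REFUSED_LOG='debug1: Connecting to 192.168.0.150 [192.168.0.150] port 22.
debug1: connect to address 192.168.0.150 port 22: Connection refused
ssh: connect to host 192.168.0.150 port 22: Connection refused'
MISMATCH_LOG='Unable to negotiate with 192.168.0.150 port 22: no matching MAC found.
Their offer: hmac-sha1,hmac-ripemd160'

printf '%s\n' "$REFUSED_LOG"  | classify_ssh_debug   # tcp-refused
printf '%s\n' "$MISMATCH_LOG" | classify_ssh_debug   # mac-mismatch
mac_overlap "$CLIENT_MACS" 'hmac-sha1,hmac-ripemd160'   # empty: no common MAC
mac_overlap "$CLIENT_MACS" 'hmac-sha1,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com'
# hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
```

In practice you would feed `classify_ssh_debug` the real `ssh -vvv host 2>&1` output and pass the second argument of `mac_overlap` the list from a "Their offer:" line; when the transcript classifies as tcp-refused, the MAC list never came into play and the problem is reachability of port 22, not the hardening.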
