[Bug 3415] New: sftp/ssh doesn't give notice of non-matching MACs but just aborts

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Tue Mar 29 10:40:56 AEDT 2022


            Bug ID: 3415
           Summary: sftp/ssh doesn't give notice of non-matching MACs but
                    just aborts
           Product: Portable OpenSSH
           Version: 8.9p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: calestyo at scientia.org


I was trying to connect from:
OpenSSH_8.9p1 Debian-3, OpenSSL 1.1.1n  15 Mar 2022

to the SFTP server from:

In my /etc/ssh/ssh_config I had (amongst others) the following
hardening set:
hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com

i.e. forbidding all non-ETM MACs.

Connecting with that, just "silently" fails:
$ sftp -vvv
OpenSSH_8.9p1 Debian-3, OpenSSL 1.1.1n  15 Mar 2022
debug1: Reading configuration data /home/calestyo/.ssh/config
debug3: kex names ok: [diffie-hellman-group14-sha1]
debug3: kex names ok: [diffie-hellman-group-exchange-sha256]
debug1: /home/calestyo/.ssh/config line 220: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 6: Applying options for *
debug3: kex names ok:
[curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512]
debug3: gss kex names ok:
debug2: resolve_canonicalize: hostname is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' ->
debug1: Control socket
"/home/calestyo/.ssh/mux/heisenberg_calestyo at" does not
debug3: ssh_connect_direct: entering
debug1: Connecting to [] port 22.
debug3: set_sock_tos: set socket 3 IP_TOS 0x10
debug1: connect to address port 22: Connection refused
ssh: connect to host port 22: Connection refused
Connection closed.  
Connection closed

I.e. there is no message such as:
Unable to negotiate with UNKNOWN port 65535: no matching MAC found.
Their offer: hmac-sha1,hmac-ripemd160

Any ideas why not?
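For reference, the MAC negotiation that produces the "no matching MAC found ... Their offer:" message follows the RFC 4253 section 7.1 rule: the first algorithm in the client's list that the server also offers wins. The script below is an added illustration, not part of the report or of OpenSSH; it uses the hardened MACs list and the quoted "Their offer" from the report, plus one constructed server offer.

```python
"""Reproduce SSH MAC negotiation (RFC 4253 section 7.1) on two server offers.

Added example, not OpenSSH code.  The client's preference order decides:
the chosen MAC is the first client entry that the server also offers.
"""
from typing import Optional


def parse_alg_list(name_list: str) -> list:
    """Split a comma-separated SSH name-list (RFC 4251) into names."""
    return [name.strip() for name in name_list.split(",") if name.strip()]


def negotiate(client_prefs: str, server_offer: str) -> Optional[str]:
    """Return the MAC both sides agree on, or None when nothing matches."""
    offered = set(parse_alg_list(server_offer))
    for name in parse_alg_list(client_prefs):  # client order is authoritative
        if name in offered:
            return name
    return None


def explain(client_prefs: str, server_offer: str) -> str:
    """Message in the style of OpenSSH's negotiation failure diagnostics."""
    chosen = negotiate(client_prefs, server_offer)
    if chosen is None:
        return f"no matching MAC found. Their offer: {server_offer}"
    return f"MAC: {chosen}"


# The hardened MACs setting from the report (ETM variants only).
HARDENED_MACS = ("hmac-sha2-512-etm@openssh.com,"
                 "hmac-sha2-256-etm@openssh.com,"
                 "umac-128-etm@openssh.com")

# The server offer quoted in the expected error message.
LEGACY_OFFER = "hmac-sha1,hmac-ripemd160"

# Constructed offer: a server that also supports ETM MACs.
MODERN_OFFER = ("hmac-sha1,hmac-sha2-256-etm@openssh.com,"
                "umac-128-etm@openssh.com")


if __name__ == "__main__":
    print(explain(HARDENED_MACS, LEGACY_OFFER))  # no matching MAC found ...
    print(explain(HARDENED_MACS, MODERN_OFFER))  # MAC: hmac-sha2-256-etm@openssh.com
```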

