[Bug 3696] ssh client does not respect the "-oMACs" flag

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Sun Jun 2 22:39:11 AEST 2024


https://bugzilla.mindrot.org/show_bug.cgi?id=3696

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at dtucker.net

--- Comment #1 from Darren Tucker <dtucker at dtucker.net> ---
(In reply to Nikola from comment #0)
[...]
> Instead it looks like it falls back to some other MACs to make a
> connection.

Probably not, or at least not in the way you expect.  These days the
default cipher chacha20-poly1305 and a few other high priority ciphers
(such as AES GCM which is probably relevant for your case) are
authenticated ciphers and have their own implicit MAC.  If such ciphers
are selected there is no separate MAC to be selected.

$ ssh -v -o MACs=hmac-md5 localhost true 2>&1 | grep MAC
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none

$ ssh -v -o MACs=hmac-md5 -oCiphers=aes256-gcm@openssh.com localhost true 2>&1 | grep MAC
debug1: kex: server->client cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none

Try: ssh -oCiphers=aes256-ctr -oMACs=hmac-sha1

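Added example, not part of the original message and not OpenSSH code: a shell check that reads `ssh -v` output and reports, per direction, whether a requested MACs list took effect or was bypassed because an authenticated cipher was negotiated. The function names and the sample debug lines are constructed for illustration.

```shell
#!/bin/sh
# Read `ssh -v` output on stdin; print "<direction> <cipher> <mac>" per kex line.
kex_summary() {
    awk '/^debug1: kex: (server->client|client->server) cipher: / {
        dir = $3; cipher = ""; mac = ""
        for (i = 4; i < NF; i++) {
            if ($i == "cipher:") cipher = $(i + 1)
            if ($i == "MAC:")    mac = $(i + 1)
        }
        print dir, cipher, mac
    }'
}

# check_macs "<comma-separated list given to -oMACs>" < ssh-v-output
# Exit status: 0 = every direction used a requested MAC,
#              1 = a direction used an implicit (AEAD) or unrequested MAC,
#              2 = no kex lines were found in the input.
check_macs() {
    kex_summary | awk -v want="$1" '
        BEGIN { n = split(want, w, ","); for (i = 1; i <= n; i++) ok[w[i]] = 1; rc = 2 }
        {
            if (rc == 2) rc = 0
            if ($3 == "<implicit>") {
                print $1 ": MACs option had no effect, " $2 " is an authenticated cipher"; rc = 1
            } else if ($3 in ok) {
                print $1 ": MAC " $3 " in use with " $2
            } else {
                print $1 ": unrequested MAC " $3 " with " $2; rc = 1
            }
        }
        END { exit rc }'
}

# Constructed sample input modelled on the debug lines quoted in the message.
sample_aead() {
    printf '%s\n' \
      'debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none' \
      'debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none'
}
sample_ctr() {
    printf '%s\n' \
      'debug1: kex: server->client cipher: aes256-ctr MAC: hmac-sha1 compression: none' \
      'debug1: kex: client->server cipher: aes256-ctr MAC: hmac-sha1 compression: none'
}

sample_aead | check_macs hmac-md5 || true   # reports the MACs option as ignored
sample_ctr  | check_macs hmac-sha1 || true  # reports hmac-sha1 in use
```

Against a real host, pipe the client's debug output in instead of the samples: `ssh -v -oMACs=hmac-sha1 host true 2>&1 | check_macs hmac-sha1`.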