On automatic MAC selection in OpenSSH_6.7p1 + OpenSSL 1.0.1k

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Jun 1 02:20:43 AEST 2016


On Tue 2016-05-31 10:59:51 -0400, Dimitris Diochnos wrote:
> On another note, lowering the MTU size (which was another workaround for
> [1]) also allows me to pass successfully the key exchange phase in the
> direction where I normally have an issue (that is, country B --> country
> A). The maximum MTU size that would allow me to pass the key exchange
> negotiation was 1458 (that is, with a size of 1459 the key exchange got
> stuck).

This is the relevant hint for your connection.  It sounds like some
element along the network path from B to A is silently dropping packets
that are larger than 1458, and your network stack has not detected this
situation.

When you force the MAC algorithm to be the specific one, you are
probably making the ssh handshake negotiation packets each be small
enough to fit into the smaller MTU.

As such, I think this is a networking configuration issue, and not
something for ssh to try to fix.  Maybe the fix belongs in your TCP
stack, or in your network configuration?

Sounds frustrating!

          --dkg
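
Added illustration of the hypothesis in the reply above (not code from the thread or from OpenSSH): it lays out an unencrypted SSH_MSG_KEXINIT packet as RFC 4253 defines it and checks its size against the 1458-byte MTU reported in the quoted message, once with a long MAC list and once with a single forced MAC. The algorithm lists are constructed samples built from real algorithm names, and the 52-byte IPv4/TCP overhead (TCP timestamps enabled) is an assumption.

```python
import struct

SUFFIX = "@openssh.com"
# Constructed proposal lists: real algorithm names, but not copied from the
# thread or from any particular OpenSSH build's defaults.
KEX = ["curve25519-sha256@libssh.org", "ecdh-sha2-nistp256", "ecdh-sha2-nistp384",
       "ecdh-sha2-nistp521", "diffie-hellman-group-exchange-sha256",
       "diffie-hellman-group14-sha1"]
KEYS = ["ssh-ed25519", "ecdsa-sha2-nistp256", "ssh-rsa", "ssh-dss"]
HOSTKEY = [k + "-cert-v01" + SUFFIX for k in KEYS] + KEYS
CIPHERS = ["aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm" + SUFFIX,
           "aes256-gcm" + SUFFIX, "chacha20-poly1305" + SUFFIX, "aes128-cbc",
           "aes192-cbc", "aes256-cbc", "3des-cbc", "arcfour256", "arcfour128",
           "arcfour", "blowfish-cbc", "cast128-cbc"]
HMACS = ["hmac-sha2-256", "hmac-sha2-512", "hmac-sha1", "hmac-md5",
         "hmac-ripemd160", "hmac-sha1-96", "hmac-md5-96"]
MACS = ([m + "-etm" + SUFFIX for m in HMACS] + HMACS
        + ["umac-64" + SUFFIX, "umac-128" + SUFFIX])
COMP = ["none", "zlib" + SUFFIX, "zlib"]

def proposal(macs):
    """The ten KEXINIT name-lists in RFC 4253 order (languages left empty)."""
    return [KEX, HOSTKEY, CIPHERS, CIPHERS, macs, macs, COMP, COMP, [], []]

def name_list(names):
    """RFC 4253 name-list: uint32 length, then comma-separated names."""
    body = ",".join(names).encode("ascii")
    return struct.pack(">I", len(body)) + body

def kexinit_packet_len(lists, block=8):
    """Wire size of an unencrypted SSH_MSG_KEXINIT binary packet."""
    payload = b"\x14" + bytes(16) + b"".join(map(name_list, lists))  # type 20, cookie
    payload += b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved
    unpadded = 4 + 1 + len(payload)            # packet_length, padding_length, payload
    padding = block - unpadded % block
    if padding < 4:                            # at least 4 bytes of padding required
        padding += block
    return unpadded + padding

def fits_path(packet_len, path_mtu, overhead=52):
    """True if the packet needs no IP datagram larger than path_mtu.
    overhead = IPv4 (20) + TCP (20) + timestamps option (12), an assumption."""
    return packet_len + overhead <= path_mtu

if __name__ == "__main__":
    for label, macs in (("long MAC list", MACS), ("single MAC", ["hmac-sha2-256"])):
        size = kexinit_packet_len(proposal(macs))
        print(f"{label}: KEXINIT {size} bytes, fits MTU 1458: {fits_path(size, 1458)}")
```

To check a real connection, replace the sample lists with the proposals printed by `ssh -vv`.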


More information about the openssh-unix-dev mailing list