On automatic MAC selection in OpenSSH_6.7p1 + OpenSSL 1.0.1k

Darren Tucker dtucker at zip.com.au
Wed Jun 1 09:44:00 AEST 2016


On Wed, Jun 1, 2016 at 3:22 AM, Dimitris Diochnos <diochnos at gmail.com>
wrote:

> [...]
> In this sense, both commands are executed with MTU=1500 but ssh does
> behave differently in these two situations without me having to change
> anything in my network configuration.


The thing ssh does differently in these two instances is that when you
don't specify -m, it uses the default MACs list which can be reasonably
long.  If you look at the output of ssh -vv you'll see something like this:

debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

which in my case is 214 bytes, compared to 24 bytes when you specify
umac64.  You'll likely see similar behaviour if you specify the Ciphers
or KexAlgorithms.


> Thus a reasonable (?) guess is
> that perhaps ssh does not set all the necessary flags and options
> correctly when umac-64-etm@openssh.com is set automatically during the
> negotiation


Nope, it doesn't do anything different with regard to network options and
such.  You did a good job figuring out that your network is broken, but
that's what you need to fix to resolve your problem.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
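
The size difference Darren describes, as an added example that is not part of the thread: a Python model of the SSH_MSG_KEXINIT payload and its binary-packet framing from RFC 4253, encoding the default MAC list quoted above next to the single-MAC list a -m option produces. The KEX, host-key, cipher and compression lists are constructed short stand-ins (the real OpenSSH 6.7 defaults are longer), so the absolute sizes are illustrative while the MAC-list delta is exact.

```python
import os
import struct

# Default MAC list exactly as `ssh -vv` printed it in the message above.
DEFAULT_MACS = ("umac-64-etm@openssh.com,umac-128-etm@openssh.com,"
                "hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,"
                "hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,"
                "hmac-sha2-256,hmac-sha2-512,hmac-sha1")
# What the client offers when started with `-m umac-64-etm@openssh.com`.
RESTRICTED_MACS = "umac-64-etm@openssh.com"
# Constructed, deliberately short lists for the other algorithm classes; the
# real OpenSSH 6.7 defaults are longer, so a real KEXINIT is bigger still.
SAMPLE_KEX = "curve25519-sha256@libssh.org,diffie-hellman-group14-sha1"
SAMPLE_HOSTKEY = "ssh-ed25519,ssh-rsa"
SAMPLE_CIPHERS = "chacha20-poly1305@openssh.com,aes128-ctr"
SAMPLE_COMP = "none,zlib@openssh.com"

def name_list(names):
    """RFC 4253 name-list: uint32 length followed by the comma-separated names."""
    data = names.encode("ascii")
    return struct.pack(">I", len(data)) + data

def kexinit_payload(kex, hostkey, ciphers, macs, comp=SAMPLE_COMP, lang=""):
    """SSH_MSG_KEXINIT (type 20) payload, RFC 4253 section 7.1. Every list
    except kex and hostkey is sent twice: client-to-server and server-to-client."""
    body = bytes([20]) + os.urandom(16)                 # message type + cookie
    for nl in (kex, hostkey, ciphers, ciphers, macs, macs, comp, comp, lang, lang):
        body += name_list(nl)
    return body + b"\x00" + struct.pack(">I", 0)        # first_kex_packet_follows, reserved

def packet_on_wire(payload, block=8):
    """Binary packet protocol framing (RFC 4253 section 6): packet_length(4) +
    padding_length(1) + payload + padding; at least 4 bytes of padding and a
    total that is a multiple of the block size, 8 before any cipher is agreed."""
    pad = block - ((5 + len(payload)) % block)
    if pad < 4:
        pad += block
    return struct.pack(">IB", 1 + len(payload) + pad, pad) + payload + os.urandom(pad)

def kexinit_sizes(macs, mtu=1500):
    """Payload and on-wire size of a KEXINIT offering `macs`, and whether it fits
    one TCP segment at `mtu` (20-byte IPv4 + 20-byte TCP headers assumed)."""
    payload = kexinit_payload(SAMPLE_KEX, SAMPLE_HOSTKEY, SAMPLE_CIPHERS, macs)
    wire = packet_on_wire(payload)
    return {"payload": len(payload), "packet": len(wire),
            "fits_one_segment": len(wire) <= mtu - 40}
```

Because the MAC list is carried twice in every KEXINIT, restricting it saves twice the name-list delta in the payload; with these stand-in lists both packets still fit one segment, so the real answer for a given path is the ssh -vv output, not this model.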