playing around with removing algos
Jakub Jelen
jjelen at redhat.com
Wed May 3 16:14:20 AEST 2017
On 05/02/2017 07:21 PM, Cristian Ionescu-Idbohrn wrote:
> On Tue, 2 May 2017, Colin Watson wrote:
>> On Tue, May 02, 2017 at 06:17:47PM +0200, Cristian Ionescu-Idbohrn wrote:
>>> $ ssh -vvv -oMacs=umac-64 at openssh.com localhost : 2>&1 | egrep -i 'macs|umac'
>>> debug2: MACs ctos: umac-64 at openssh.com
>>> debug2: MACs stoc: umac-64 at openssh.com
>>> debug2: MACs ctos: umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
>>> debug2: MACs stoc: umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
>>>
>>> No error/warning/anything.
>>>
>>> I should also mention that this is the Debian packaged openssh 7.5p1.
>>> It applies some 31 patches to the source. I can't tell if they
>>> interfere with the proper behaviour, it doesn't seem so, but I can't
>>> exclude the risc. Colin might.
>>
>> A clean build from upstream git master produces identical output from
>> the above test command.
>
> Thanks. This points then to an upstream bug.
My guess is that you are using chacha20-poly1305 at openssh.com cipher (not
visible from this output), which does not need MAC (the message
authentication is already part of the cipher definition -- poly1305).
Therefore it does not need to agree on common MAC and it just works
without that.
Regards,
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat
More information about the openssh-unix-dev
mailing list