[Bug 2991] Not supports hmac-md5 ciphering technique

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Wed Apr 10 21:20:59 AEST 2019


https://bugzilla.mindrot.org/show_bug.cgi?id=2991

--- Comment #5 from Darren Tucker <dtucker at dtucker.net> ---
(In reply to Karthik Adiga from comment #4)
> Thanks Jakub & Darren for your timely reply.
> 
> We follow RSA technique.

Not sure what you mean by this.

> I have upgraded openssh in arm/linux machine from 5.3p1 to 7.9p1.

From the working connection:

> debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss

Client supports all of these host key algorithms.

> debug2: kex_parse_kexinit: ssh-dss

Server only supports ssh-dss.

I think the client only has an ssh-dss (ie DSA) host key, but 7.9p1
doesn't support that by default any more.  To re-enable it you would
need to add ssh-dss to HostKeyAlgorithms *and* tell it to load the DSA
host key (which is no longer in the default list) in addition to all
the other key types by adding this to sshd_config:

HostKeyAlgorithms +ssh-dss
HostKey /usr/local/etc/ssh_host_rsa_key
HostKey /usr/local/etc/ssh_host_ecdsa_key
HostKey /usr/local/etc/ssh_host_ed25519_key
HostKey /usr/local/etc/ssh_host_dsa_key

> Earlier from a linux client(5.3p1) to
> arm/linux server(5.3p1) was working fine. Now after upgrade it is
> giving the no hostkey algorithm error.
> 
> With both machines on the same version 5.3p1 cipher technique used
> was hmac-md5, but with server in 7.9p1 it is choosing hmac-sha1.

That's fine.

> On what basis server chooses the cipher technique i.e hmac-md5 or
> hmac-sha1?

The server sends a list of algorithms that it supports and the client
picks one.  If the client doesn't have a supported (and enabled)
algorithm matching one that the server offers for a particular purpose
then the key exchange fails.

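The negotiation rule Darren describes, and the effect of the "+ssh-dss" fix, modelled as an added example (this is not OpenSSH code and not part of the bug thread). The client host key list is the one from the debug output above; the 7.9p1 default lists, the 5.3p1 MAC list and the key-type mapping are constructed simplifications, not copied from either release.

```python
# Added example: model of SSH_MSG_KEXINIT name-list negotiation (RFC 4253
# section 7.1) plus OpenSSH's "+name"/"-name" option syntax, replayed with
# the lists from the thread.  Not OpenSSH code.
from typing import Optional

# Client (5.3p1): host key algorithms from the debug output above (written
# with "@" rather than the archive's " at "), plus a constructed MAC list.
CLIENT_HOSTKEY = ("ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,"
                  "ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,"
                  "ssh-rsa,ssh-dss")
CLIENT_MACS = "hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha1-96,hmac-md5-96"

# Server (7.9p1): constructed defaults; what matters is that ssh-dss and
# hmac-md5 are absent from both.
SERVER_DEFAULT_HOSTKEY = "ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa"
SERVER_MACS = "umac-64-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1"


def apply_option(default: str, option: str = "") -> list:
    """Resolve an sshd_config algorithm option against its built-in default:
    unset keeps the default, "+a,b" appends, "-a,b" removes (wildcards not
    modelled), and a bare list replaces the default outright."""
    base = default.split(",")
    if not option:
        return base
    if option.startswith("+"):
        return base + [a for a in option[1:].split(",") if a not in base]
    if option.startswith("-"):
        drop = set(option[1:].split(","))
        return [a for a in base if a not in drop]
    return option.split(",")


def server_offers(hostkey_algs: list, loaded_key_types: set) -> list:
    """sshd advertises only algorithms it has a loaded host key for; here a
    key type is simply named by the algorithm that uses it (simplified)."""
    return [a for a in hostkey_algs if a in loaded_key_types]


def negotiate(client: str, server: list) -> Optional[str]:
    """RFC 4253 7.1: the first name on the client's list that the server also
    offers wins; None means the key exchange fails for this category."""
    offered = set(server)
    return next((a for a in client.split(",") if a in offered), None)


def hostkey_outcome(option: str, loaded_key_types: set) -> Optional[str]:
    algs = apply_option(SERVER_DEFAULT_HOSTKEY, option)
    return negotiate(CLIENT_HOSTKEY, server_offers(algs, loaded_key_types))


if __name__ == "__main__":
    print(hostkey_outcome("", {"ssh-dss"}))           # None: "no hostkey alg"
    print(hostkey_outcome("+ssh-dss", {"ssh-dss"}))   # ssh-dss
    print(negotiate(CLIENT_MACS, SERVER_MACS.split(",")))  # hmac-sha1
```

The first call is the failing upgrade (only a DSA key loaded, default HostKeyAlgorithms), the second is the same server after "HostKeyAlgorithms +ssh-dss", and the third shows why the MAC silently moved from hmac-md5 to hmac-sha1.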