Hello list, To my astonishment the openssh versions on both C6 and C7 will by default negotiate an MD5 HMAC.
C6 client, C7 server: debug2: mac_setup: found hmac-md5 debug1: kex: server->client aes128-ctr hmac-md5 none debug2: mac_setup: found hmac-md5 debug1: kex: client->server aes128-ctr hmac-md5 none C7 client & server: debug2: mac_setup: setup hmac-md5-...@openssh.com debug1: kex: server->client aes128-ctr hmac-md5-...@openssh.com none debug2: mac_setup: setup hmac-md5-...@openssh.com debug1: kex: client->server aes128-ctr hmac-md5-...@openssh.com none I reported this issue upstream: https://bugzilla.redhat.com/show_bug.cgi?id=1417263 https://bugzilla.redhat.com/show_bug.cgi?id=1417264 You might want to add MACs hmac-sha2-512-...@openssh.com,hmac-sha2-512,hmac-sha2-256-...@openssh.com,hmac-sha2-256,hmac-sha1-...@openssh.com,hmac-sha1,hmac-ripemd160-...@openssh.com,hmac-ripemd...@openssh.com,hmac-ripemd160,umac-...@openssh.com,umac-128-...@openssh.com,hmac-sha1-96-...@openssh.com,hmac-sha1-96,umac-64-...@openssh.com,umac...@openssh.com to your C7 ssh_config and sshd_config, or MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-ripemd160,hmac-ripemd...@openssh.com,umac...@openssh.com,hmac-sha1-96 to your C6 ssh_config and sshd_config. You might also want to prune your cipher list to exclude RC4 = arcfour ciphers with the option "Ciphers". Compare http://www.theregister.co.uk/2013/09/06/nsa_cryptobreaking_bullrun_analysis/ Regards, Leonard. -- mount -t life -o ro /dev/dna /genetic/research _______________________________________________ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
