https://bugzilla.mindrot.org/show_bug.cgi?id=3696
Bug ID: 3696
Summary: ssh client does not respect the "-oMACs" flag
Product: Portable OpenSSH
Version: 9.7p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: minor
Priority: P5
Component: ssh
Assignee: [email protected]
Reporter: [email protected]
According to both the sshd config and an nmap scan, my ssh server accepts the
cipher suite below:
$ nmap -sV --script ssh2-enum-algos 192.168.1.233 -p 22
Starting Nmap 7.93 ( https://nmap.org ) at 2024-06-02 14:57 EEST
Nmap scan report for marciano (192.168.1.233)
Host is up (0.00099s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.0 (protocol 2.0)
| ssh2-enum-algos:
|   kex_algorithms: (9)
|       curve25519-sha256
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group14-sha256
|       diffie-hellman-group16-sha512
|       diffie-hellman-group18-sha512
|   server_host_key_algorithms: (4)
|       rsa-sha2-512
|       rsa-sha2-256
|       ecdsa-sha2-nistp256
|       ssh-ed25519
|   encryption_algorithms: (7)
|       chacha20-poly1305@openssh.com
|       aes256-gcm@openssh.com
|       aes256-ctr
|       aes256-cbc
|       aes128-gcm@openssh.com
|       aes128-ctr
|       aes128-cbc
|   mac_algorithms: (6)
|       [email protected]
|       [email protected]
|       [email protected]
|       hmac-sha2-256
|       [email protected]
|       hmac-sha2-512
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com

Service detection performed. Please report any incorrect results at
https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds
$
The crypto policy forces the server to start with the proper options
after the "-D" flag.

However, when I try to test the MACs using the client's "-oMACs" flag, it
looks like it accepts MACs it shouldn't:

$ ./ssh -V
OpenSSH_9.7p1, OpenSSL 3.0.9 30 May 2023
$ ./ssh rocky@192.168.1.233 -oMACs=hmac-sha1
rocky@192.168.1.233's password:
Activate the web console with: systemctl enable --now cockpit.socket
Last login: Sun Jun 2 15:02:33 2024 from 192.168.1.2
rocky@marciano:~ $ logout
Connection to 192.168.1.233 closed.
$ ./ssh rocky@192.168.1.233 -oMACs=hmac-md5
rocky@192.168.1.233's password:
Activate the web console with: systemctl enable --now cockpit.socket
Last login: Sun Jun 2 15:06:55 2024 from 192.168.1.2
rocky@marciano:~ $ logout
Connection to 192.168.1.233 closed.

What I expect to happen here is a message stating that negotiation
failed, as happens, for example, when providing an invalid cipher:

$ ./ssh rocky@192.168.1.233 -oCiphers=3des-cbc
Unable to negotiate with 192.168.1.233 port 22: no matching cipher
found. Their offer:
chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc

Instead, it looks like it falls back to some other MACs to make the
connection.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
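The sessions in the report can be checked with the client's own debug output rather than by whether the login succeeds. With `ssh -vv`, OpenSSH logs one line per direction of the form `debug1: kex: server->client cipher: <cipher> MAC: <mac> compression: <comp>`; when an AEAD cipher is chosen (chacha20-poly1305@openssh.com or one of the aes*-gcm@openssh.com ciphers, which head this server's offer) that line reads `MAC: <implicit>`, because no MAC is negotiated at all and the MACs option is never consulted. To exercise the server's MAC list one therefore pins a non-AEAD cipher alongside the MAC under test, e.g. `ssh -vv -oCiphers=aes256-ctr -oMACs=hmac-sha1 user@host`, and expects either a `no matching MAC found` refusal or a kex line naming the MAC. The following classifier is an added example, not code from the bug report or from the OpenSSH project; the debug excerpts it ships with are constructed to mirror the report's server (the IP and the refused-offer MAC list are illustrative), and it reads a real session from stdin when piped.

```python
"""Classify what an OpenSSH client session actually negotiated from `ssh -vv`.

Added example, not OpenSSH project code. It parses the per-direction kex
summary the client logs at debug level 1:

  debug1: kex: server->client cipher: aes256-ctr MAC: hmac-sha2-256 compression: none

For an AEAD cipher the MAC field is "<implicit>": no MAC was negotiated, so a
run like that says nothing about the -oMACs list.
"""
import re
import sys
from dataclasses import dataclass

KEX_LINE = re.compile(
    r"debug1: kex: (?P<direction>client->server|server->client) "
    r"cipher: (?P<cipher>\S+) MAC: (?P<mac>\S+) compression: (?P<compression>\S+)"
)
# The client-side refusal the reporter expected to see for a MAC the server lacks.
REFUSAL_LINE = re.compile(r"no matching MAC found\. Their offer: (?P<offer>\S+)")


@dataclass
class Negotiated:
    direction: str
    cipher: str
    mac: str          # "<implicit>" when the cipher is AEAD
    compression: str

    @property
    def aead(self) -> bool:
        return self.mac == "<implicit>"


def parse_kex(debug_output: str) -> list[Negotiated]:
    """Return both per-direction kex summary lines, in the order logged."""
    return [
        Negotiated(m["direction"], m["cipher"], m["mac"], m["compression"])
        for line in debug_output.splitlines()
        if (m := KEX_LINE.search(line))
    ]


def mac_verdict(debug_output: str, requested_macs: str) -> str:
    """Relate what the session used to the client's -oMACs list.

    "refused"    - the client aborted with "no matching MAC found" (the MACs
                   option was enforced and nothing on the list was accepted)
    "aead"       - an AEAD cipher was chosen, so no MAC was negotiated and the
                   run did not exercise the MACs option at all
    "requested"  - a MAC from the requested list was negotiated
    "unexpected" - a MAC outside the requested list was negotiated
    "no-kex"     - no kex summary found (session failed before key exchange)
    """
    if REFUSAL_LINE.search(debug_output):
        return "refused"
    negotiated = parse_kex(debug_output)
    if not negotiated:
        return "no-kex"
    if all(n.aead for n in negotiated):
        return "aead"
    requested = {m.strip() for m in requested_macs.split(",") if m.strip()}
    used = {n.mac for n in negotiated if not n.aead}
    return "requested" if used <= requested else "unexpected"


# Constructed debug excerpts (not captured from the reporter's machine).
# Session 1: -oMACs=hmac-sha1 with the default cipher list; the server's first
# cipher is AEAD, so the MAC field is "<implicit>".
SESSION_AEAD = """\
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
"""
# Session 2: -oCiphers=aes256-ctr -oMACs=hmac-sha2-256, a non-AEAD cipher, so a
# real MAC is negotiated and the option can be judged.
SESSION_CTR = """\
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: aes256-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes256-ctr MAC: hmac-sha2-256 compression: none
"""
# Session 3: -oCiphers=aes256-ctr -oMACs=hmac-sha1 against a server without
# hmac-sha1; the offer list here is illustrative.
SESSION_REFUSED = """\
Unable to negotiate with 192.168.1.233 port 22: no matching MAC found. Their offer: hmac-sha2-256,hmac-sha2-512
"""


if __name__ == "__main__":
    if not sys.stdin.isatty():
        # Usage: ssh -vv -oCiphers=aes256-ctr -oMACs=hmac-sha1 user@host 2>&1 | python3 kexcheck.py hmac-sha1
        requested = sys.argv[1] if len(sys.argv) > 1 else ""
        print(mac_verdict(sys.stdin.read(), requested))
    else:
        for name, text, macs in [("aead", SESSION_AEAD, "hmac-sha1"),
                                 ("ctr", SESSION_CTR, "hmac-sha2-256"),
                                 ("refused", SESSION_REFUSED, "hmac-sha1")]:
            print(f"{name}: {mac_verdict(text, macs)}")
```

Run against a real session, the "aead" verdict is the one that explains a login succeeding regardless of `-oMACs`; only "requested", "unexpected" or "refused" say anything about the server's MAC policy, and a hardening check should assert on those after pinning a non-AEAD cipher.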