https://bugzilla.mindrot.org/show_bug.cgi?id=3415

            Bug ID: 3415
           Summary: sftp/ssh doesn't give notice of non-matching MACs but
                    just aborts
           Product: Portable OpenSSH
           Version: 8.9p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: ssh
          Assignee: [email protected]
          Reporter: [email protected]

Hey.

I was trying to connect from:
OpenSSH_8.9p1 Debian-3, OpenSSL 1.1.1n  15 Mar 2022

to the SFTP server from:
  https://www--s0-v1.becke.ch/app/becke-ch--sftp-server--s0-v1/
respectively:
 
https://play.google.com/store/apps/details?id=ch.becke.sftp_server__s0_v1


In my /etc/ssh/ssh_config I had (amongst others) the following
hardening set:
  MACs [email protected],[email protected],[email protected]

i.e. forbidding all non-ETM MACs.


Connecting with that, just "silently" fails:
$ sftp -vvv 192.168.0.150
OpenSSH_8.9p1 Debian-3, OpenSSL 1.1.1n  15 Mar 2022
debug1: Reading configuration data /home/calestyo/.ssh/config
debug3: kex names ok: [diffie-hellman-group14-sha1]
debug3: kex names ok: [diffie-hellman-group-exchange-sha256]
debug1: /home/calestyo/.ssh/config line 220: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 6: Applying options for *
debug3: kex names ok:
[curve25519-sha256,[email protected],ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512]
debug3: gss kex names ok:
[gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group16-sha512-]
debug2: resolve_canonicalize: hostname 192.168.0.150 is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' ->
'/home/calestyo/.ssh/known_hosts'
debug1: Control socket
"/home/calestyo/.ssh/mux/[email protected]:22" does not
exist
debug3: ssh_connect_direct: entering
debug1: Connecting to 192.168.0.150 [192.168.0.150] port 22.
debug3: set_sock_tos: set socket 3 IP_TOS 0x10
debug1: connect to address 192.168.0.150 port 22: Connection refused
ssh: connect to host 192.168.0.150 port 22: Connection refused
Connection closed.  
Connection closed


I.e. there is no message as e.g.:
Unable to negotiate with UNKNOWN port 65535: no matching MAC found.
Their offer: hmac-sha1,hmac-ripemd160

Any ideas why not?

Thanks,
Chris.
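Added example (not part of the bug report or of OpenSSH): the algorithm-selection rule the SSH transport applies to the MACs list, which produces the "no matching MAC found. Their offer: ..." message, plus a small triage helper that tells a debug transcript that ended before key exchange began from one that ended on a MAC mismatch. The ETM MAC names are constructed stand-ins for the reporter's hardened list, and the transcript excerpt is constructed in the shape of the one above.

```python
from typing import List, Optional

# Constructed sample lists. The ETM-only client list stands in for the
# reporter's hardened MACs setting (the exact names are not readable in the
# report); the server offer is the one quoted in the expected error message.
CLIENT_MACS = ("hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,"
               "umac-128-etm@openssh.com")
SERVER_OFFER = "hmac-sha1,hmac-ripemd160"


def negotiate(client_list: str, server_list: str) -> Optional[str]:
    """RFC 4253 section 7.1: pick the first name in the client's preference
    order that the server also offers; None means there is no overlap."""
    offered = set(server_list.split(","))
    for name in client_list.split(","):
        if name in offered:
            return name
    return None


def mac_report(client_list: str, server_list: str) -> str:
    """Mirror the wording ssh uses when MAC negotiation fails."""
    chosen = negotiate(client_list, server_list)
    if chosen is None:
        return f"no matching MAC found. Their offer: {server_list}"
    return f"negotiated MAC {chosen}"


def failure_stage(transcript: List[str]) -> str:
    """Classify where an `ssh -vvv` transcript stopped. A 'no matching MAC'
    message can only appear once the TCP connection and the KEXINIT exchange
    have succeeded; a 'Connection refused' line means negotiation never ran."""
    text = "\n".join(transcript)
    if "no matching MAC found" in text:
        return "mac-negotiation-failed"
    if "connect to host" in text and "Connection refused" in text:
        return "tcp-connect-refused"
    if "SSH2_MSG_KEXINIT" in text:
        return "kex-started"
    return "unknown"


# Constructed excerpt in the shape of the transcript in the report.
SAMPLE_TRANSCRIPT = [
    "debug1: Connecting to 192.168.0.150 [192.168.0.150] port 22.",
    "debug1: connect to address 192.168.0.150 port 22: Connection refused",
    "ssh: connect to host 192.168.0.150 port 22: Connection refused",
]

if __name__ == "__main__":
    print(mac_report(CLIENT_MACS, SERVER_OFFER))
    print(failure_stage(SAMPLE_TRANSCRIPT))
```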

_______________________________________________
openssh-bugs mailing list
[email protected]
https://lists.mindrot.org/mailman/listinfo/openssh-bugs