search

ikariiin / connectbot

Automatically exported from code.google.com/p/connectbot
Apache License 2.0
0 stars 0 forks source link

support new SHA256-based HMAC transport integrity modes #571

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago 
What steps will reproduce the problem?
1. configure OpenSSH <=5.9 with "MACs hmac-sha2-512" in sshd_config
2. try connecting with connectbot

What is the expected output? What do you see instead?
expected: connection
instead: hanging on "connecting"

What version of the product are you using
ConnectBot 1.7.1 (v1.7.1 2010.10.08)

What type of system are you trying to connect to?
OpenSSH_5.9p1 and OpenSSH_6.0

Please provide any additional information below.

OpenSSH 5.9 release note sais:

 * Add new SHA256-based HMAC transport integrity modes from
   http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt
   These modes are hmac-sha2-256, hmac-sha2-256-96, hmac-sha2-512,
   and hmac-sha2-512-96, and are available by default in ssh(1) and
   sshd(8)

http://openssh.org/txt/release-5.9

See the current draft here: 
https://tools.ietf.org/html/draft-dbider-sha2-mac-for-ssh-05

Would be nice to support that.

Thanks, and keep up the good work!

Original issue reported on code.google.com by i...@zeromail.org on 28 Apr 2012 at 11:14

GoogleCodeExporter commented 9 years ago 
Not to derail this issue, but: can we extend this report to "please support the 
new Ciphers and KexAlgorithms"? I.e. Debian/stable (7.7 at this moment) ships 
with OpenSSH_6.6.1p1, which supports the following:

Ciphers
3des-cbc, aes128-cbc, aes192-cbc, aes256-cbc, aes128-ctr, aes192-ctr, 
aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com, arcfour128, 
arcfour256, arcfour, blowfish-cbc, cast128-cbc, and 
chacha20-poly1305@openssh.com

MAC
hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,
umac-64-etm@openssh.com,umac-128-etm@openssh.com,
hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,
hmac-md5-96-etm@openssh.com,
hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,
hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
hmac-sha1-96,hmac-md5-96

KexAlgorithms
curve25519-sha256@libssh.org,
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
diffie-hellman-group-exchange-sha256,
diffie-hellman-group-exchange-sha1,
diffie-hellman-group14-sha1,
diffie-hellman-group1-sha1

Thanks!

Original comment by ckujau on 10 Jan 2015 at 10:29

GoogleCodeExporter commented 9 years ago 
I fully agree. OpenSSH 6.5 introduced a bunch of new ciphers and algorithms: 
http://www.openssh.com/txt/release-6.5

See the current list here: 
https://github.com/openssh/openssh-portable/blob/master/sshd_config.5#L734

Since the latest Snowden releases included OpenSSH 
(http://www.spiegel.de/international/germany/inside-the-nsa-s-war-on-internet-se
curity-a-1010361.html), there have been HOWTOs on hardening OpenSSH 
configuration: https://stribika.github.io/2015/01/04/secure-secure-shell.html

Unfortunately, it seems ConnectBot development is rather stalled: 
https://github.com/connectbot/connectbot/commits/master

Original comment by i...@zeromail.org on 11 Jan 2015 at 11:59

GoogleCodeExporter commented 9 years ago 
I would like to have support for (mobile) access to my servers again, now that 
I've configured them like this:

Ciphers chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
MACs 
hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@o
penssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,u
mac-128@openssh.com

Curently, I get a hang upon trying to connect :-(

Original comment by gordon.p...@gmail.com on 27 Feb 2015 at 10:48