isontheline / pro.webssh.net

iOS / iPadOS / macOS SSH Client
https://apps.apple.com/us/app/id497714887
MIT License

kex-strict-s-v00@openssh.com #1032

Open unbeatable-101 opened 10 months ago

unbeatable-101 commented 10 months ago

Bug description

Every version since the 24.7 beta leaves me unable to connect to my server due to no matching MAC algorithms. I suspect this is due to the Terrapin attack fix in WebSSH, but none of these MAC algorithms were vulnerable (or at least ssh-audit says they’re all fine).

Log


2024/01/14 02:26:31:972 [VERBOSE] <EngineLog>
  <Connect_Ssh>
    <EngineVersion>9.5.0.97</EngineVersion>
    <EngineStatus>2</EngineStatus>
    <connectInner>
      <hostname>192.168.0.2</hostname>
      <port>110</port>
      <sshConnect>
      </sshConnect>
      <sshSetupConnection>
        <clientIdentifier>SSH-2.0-WebSSH_24.8</clientIdentifier>
        <initialDataFromSshServer><![CDATA[SSH-2.0-OpenSSH_9.6
]]></initialDataFromSshServer>
        <serverVersion>SSH-2.0-OpenSSH_9.6</serverVersion>
        <serverKex>
          <KeyExchangeAlgs>
            <algorithm>sntrup761x25519-sha512@openssh.com</algorithm>
            <algorithm>curve25519-sha256</algorithm>
            <algorithm>curve25519-sha256@libssh.org</algorithm>
            <algorithm>diffie-hellman-group16-sha512</algorithm>
            <algorithm>diffie-hellman-group18-sha512</algorithm>
            <algorithm>diffie-hellman-group-exchange-sha256</algorithm>
            <algorithm>ext-info-s</algorithm>
            <algorithm>kex-strict-s-v00@openssh.com</algorithm>
          </KeyExchangeAlgs>
          <HostKeyAlgs>
            <algorithm>rsa-sha2-512</algorithm>
            <algorithm>rsa-sha2-256</algorithm>
            <algorithm>ssh-ed25519</algorithm>
          </HostKeyAlgs>
          <EncCS>
            <algorithm>aes256-gcm@openssh.com</algorithm>
            <algorithm>aes256-ctr</algorithm>
            <algorithm>aes192-ctr</algorithm>
          </EncCS>
          <EncSC>
            <algorithm>aes256-gcm@openssh.com</algorithm>
            <algorithm>aes256-ctr</algorithm>
            <algorithm>aes192-ctr</algorithm>
          </EncSC>
          <MacCS>
            <algorithm>hmac-sha2-256-etm@openssh.com</algorithm>
            <algorithm>hmac-sha2-512-etm@openssh.com</algorithm>
            <algorithm>umac-128-etm@openssh.com</algorithm>
          </MacCS>
          <MacSC>
            <algorithm>hmac-sha2-256-etm@openssh.com</algorithm>
            <algorithm>hmac-sha2-512-etm@openssh.com</algorithm>
            <algorithm>umac-128-etm@openssh.com</algorithm>
          </MacSC>
          <CompCS>
            <algorithm>none</algorithm>
            <algorithm>zlib@openssh.com</algorithm>
          </CompCS>
          <CompSC>
            <algorithm>none</algorithm>
            <algorithm>zlib@openssh.com</algorithm>
          </CompSC>
          <ChosenIncomingEncryption>aes256-ctr</ChosenIncomingEncryption>
          <ChosenOutgoingEncryptoin>aes256-ctr</ChosenOutgoingEncryptoin>
          <error>No matching mac algorithms supported.</error>
          <error>Unable to agree upon server-to-client MAC algorithm.</error>
          <error>No matching mac algorithms supported.</error>
          <error>Unable to agree upon client-to-server MAC algorithm.</error>
          <ChosenIncomingCompression>none</ChosenIncomingCompression>
          <ChosenOutgoingCompression>none</ChosenOutgoingCompression>
          <ChosenKexAlgorithm>curve25519-sha256</ChosenKexAlgorithm>
          <ChosenHostKeyAlgorithm>ssh-ed25519</ChosenHostKeyAlgorithm>
        </serverKex>
        <sshRawPacket>Socket connection closed.</sshRawPacket>
        <sshKexInitResponse>Socket connection closed.</sshKexInitResponse>
        <error>Failed to read KEX init response</error>
      </sshSetupConnection>
      <sshConnect>
      </sshConnect>
      <sshSetupConnection>
        <clientIdentifier>SSH-2.0-WebSSH_24.8</clientIdentifier>
        <initialDataFromSshServer><![CDATA[SSH-2.0-OpenSSH_9.6
]]></initialDataFromSshServer>
        <serverVersion>SSH-2.0-OpenSSH_9.6</serverVersion>
        <serverKex>
          <KeyExchangeAlgs>
            <algorithm>sntrup761x25519-sha512@openssh.com</algorithm>
            <algorithm>curve25519-sha256</algorithm>
            <algorithm>curve25519-sha256@libssh.org</algorithm>
            <algorithm>diffie-hellman-group16-sha512</algorithm>
            <algorithm>diffie-hellman-group18-sha512</algorithm>
            <algorithm>diffie-hellman-group-exchange-sha256</algorithm>
            <algorithm>ext-info-s</algorithm>
            <algorithm>kex-strict-s-v00@openssh.com</algorithm>
          </KeyExchangeAlgs>
          <HostKeyAlgs>
            <algorithm>rsa-sha2-512</algorithm>
            <algorithm>rsa-sha2-256</algorithm>
            <algorithm>ssh-ed25519</algorithm>
          </HostKeyAlgs>
          <EncCS>
            <algorithm>aes256-gcm@openssh.com</algorithm>
            <algorithm>aes256-ctr</algorithm>
            <algorithm>aes192-ctr</algorithm>
          </EncCS>
          <EncSC>
            <algorithm>aes256-gcm@openssh.com</algorithm>
            <algorithm>aes256-ctr</algorithm>
            <algorithm>aes192-ctr</algorithm>
          </EncSC>
          <MacCS>
            <algorithm>hmac-sha2-256-etm@openssh.com</algorithm>
            <algorithm>hmac-sha2-512-etm@openssh.com</algorithm>
            <algorithm>umac-128-etm@openssh.com</algorithm>
          </MacCS>
          <MacSC>
            <algorithm>hmac-sha2-256-etm@openssh.com</algorithm>
            <algorithm>hmac-sha2-512-etm@openssh.com</algorithm>
            <algorithm>umac-128-etm@openssh.com</algorithm>
          </MacSC>
          <CompCS>
            <algorithm>none</algorithm>
            <algorithm>zlib@openssh.com</algorithm>
          </CompCS>
          <CompSC>
            <algorithm>none</algorithm>
            <algorithm>zlib@openssh.com</algorithm>
          </CompSC>
          <ChosenIncomingEncryption>aes256-ctr</ChosenIncomingEncryption>
          <ChosenOutgoingEncryptoin>aes256-ctr</ChosenOutgoingEncryptoin>
          <error>No matching mac algorithms supported.</error>
          <error>Unable to agree upon server-to-client MAC algorithm.</error>
          <error>No matching mac algorithms supported.</error>
          <error>Unable to agree upon client-to-server MAC algorithm.</error>
          <ChosenIncomingCompression>none</ChosenIncomingCompression>
          <ChosenOutgoingCompression>none</ChosenOutgoingCompression>
          <ChosenKexAlgorithm>curve25519-sha256</ChosenKexAlgorithm>
          <ChosenHostKeyAlgorithm>ssh-ed25519</ChosenHostKeyAlgorithm>
        </serverKex>
        <sshRawPacket>Socket connection closed.</sshRawPacket>
        <sshKexInitResponse>Socket connection closed.</sshKexInitResponse>
        <error>Failed to read KEX init response</error>
      </sshSetupConnection>
    </connectInner>
    <error>Failed.</error>
  </Connect_Ssh>
</EngineLog>
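To make the two "No matching mac algorithms supported." lines in the log concrete, here is an added example (not WebSSH code, and not from the issue) that parses a constructed, trimmed copy of the `<serverKex>` block above and runs the RFC 4253 section 7.1 name-list negotiation against two constructed client proposals: one that drops every `-etm@openssh.com` MAC, as the reported client build appears to do, and one that keeps them. The server in the log offers only `-etm` MACs, so the first proposal has an empty intersection and negotiation fails exactly as the log shows. The XML snippet, the client lists and the function names are all assumptions made for this illustration.

```python
"""Added example: RFC 4253 7.1 algorithm negotiation over a WebSSH
EngineLog <serverKex> block (constructed sample, not WebSSH code)."""
import xml.etree.ElementTree as ET

# Constructed, trimmed copy of the server KEXINIT from the issue's log.
SERVER_KEX_XML = """
<serverKex>
  <KeyExchangeAlgs>
    <algorithm>sntrup761x25519-sha512@openssh.com</algorithm>
    <algorithm>curve25519-sha256</algorithm>
    <algorithm>ext-info-s</algorithm>
    <algorithm>kex-strict-s-v00@openssh.com</algorithm>
  </KeyExchangeAlgs>
  <EncCS>
    <algorithm>aes256-gcm@openssh.com</algorithm>
    <algorithm>aes256-ctr</algorithm>
  </EncCS>
  <MacCS>
    <algorithm>hmac-sha2-256-etm@openssh.com</algorithm>
    <algorithm>hmac-sha2-512-etm@openssh.com</algorithm>
    <algorithm>umac-128-etm@openssh.com</algorithm>
  </MacCS>
</serverKex>
"""


def server_lists(xml_text):
    """Return {tag: [algorithm, ...]} for every name-list under <serverKex>."""
    root = ET.fromstring(xml_text.strip())
    return {child.tag: [a.text for a in child.findall("algorithm")]
            for child in root}


def negotiate(client, server):
    """RFC 4253 7.1: the chosen algorithm is the first one in the client's
    list that the server also offers; None when the lists do not intersect,
    which is the condition behind 'No matching mac algorithms supported.'"""
    return next((alg for alg in client if alg in server), None)


# Constructed client proposals (assumed, not WebSSH's real lists).
CLIENT_MACS_NO_ETM = ["hmac-sha2-256", "hmac-sha2-512", "umac-128@openssh.com"]
CLIENT_MACS_WITH_ETM = CLIENT_MACS_NO_ETM + [
    "hmac-sha2-256-etm@openssh.com",
    "hmac-sha2-512-etm@openssh.com",
]


def negotiate_mac(client_macs, xml_text=SERVER_KEX_XML):
    """Negotiate the client-to-server MAC against the logged server offer."""
    return negotiate(client_macs, server_lists(xml_text)["MacCS"])


if __name__ == "__main__":
    offer = server_lists(SERVER_KEX_XML)
    print("server kex :", offer["KeyExchangeAlgs"])
    print("server MACs:", offer["MacCS"])
    # A client that excludes -etm MACs cannot agree a MAC with this server.
    print("without -etm:", negotiate_mac(CLIENT_MACS_NO_ETM))
    # Keeping -etm MACs in the proposal restores agreement.
    print("with -etm   :", negotiate_mac(CLIENT_MACS_WITH_ETM))
```

The point the example makes is that the server in the log offers nothing but `-etm` MACs, so any client policy that removes them outright (rather than conditionally) turns a Terrapin mitigation into a hard connection failure against a server that already advertises `kex-strict-s-v00@openssh.com`.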
isontheline commented 10 months ago

Hello @unbeatable-101 👋

Thank you so much for reaching out to me 🙏

All "-etm@" MACs are vulnerable to the Terrapin attack:

Supports chacha20-poly1305@openssh.com or any -etm@openssh.com algorithm.

Have you a custom configuration server to share with me?

I can provide a way to enable -etm@ again with a configuration on the WebSSH side. Would you like that?

unbeatable-101 commented 10 months ago

From https://terrapin-attack.com I see

the connection must be secured by either ChaCha20-Poly1305 or CBC with Encrypt-then-MAC

so it’s not the MACs themselves that are vulnerable (and as far as I know, etm MACs are considered more secure than non-etm MACs), but using them in combination with ChaCha20-Poly1305 or a CBC cipher, neither of which my server supports. Here is the output of ssh-audit on my server:

# general
(gen) banner: SSH-2.0-OpenSSH_9.6
(gen) software: OpenSSH 9.6
(gen) compatibility: OpenSSH 8.5+, Dropbear SSH 2018.76+
(gen) compression: enabled (zlib@openssh.com)

# key exchange algorithms
(kex) sntrup761x25519-sha512@openssh.com    -- [info] available since OpenSSH 8.5
(kex) curve25519-sha256                     -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
                                            `- [info] default key exchange since OpenSSH 6.4
(kex) curve25519-sha256@libssh.org          -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
                                            `- [info] default key exchange since OpenSSH 6.4
(kex) diffie-hellman-group16-sha512         -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
(kex) diffie-hellman-group18-sha512         -- [info] available since OpenSSH 7.3
(kex) diffie-hellman-group-exchange-sha256 (3072-bit) -- [info] available since OpenSSH 4.4
                                                      `- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 3072. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).
(kex) ext-info-s                            -- [info] pseudo-algorithm that denotes the peer supports RFC8308 extensions
(kex) kex-strict-s-v00@openssh.com          -- [info] pseudo-algorithm that denotes the peer supports a stricter key exchange method as a counter-measure to the Terrapin attack (CVE-2023-48795)

# host-key algorithms
(key) rsa-sha2-512 (4096-bit)               -- [info] available since OpenSSH 7.2
(key) rsa-sha2-256 (4096-bit)               -- [info] available since OpenSSH 7.2
(key) ssh-ed25519                           -- [info] available since OpenSSH 6.5

# encryption algorithms (ciphers)
(enc) aes256-gcm@openssh.com                -- [info] available since OpenSSH 6.2
(enc) aes256-ctr                            -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
(enc) aes192-ctr                            -- [info] available since OpenSSH 3.7

# message authentication code algorithms
(mac) hmac-sha2-256-etm@openssh.com         -- [info] available since OpenSSH 6.2
(mac) hmac-sha2-512-etm@openssh.com         -- [info] available since OpenSSH 6.2
(mac) umac-128-etm@openssh.com              -- [info] available since OpenSSH 6.2

# fingerprints
(fin) ssh-ed25519: SHA256:jYq59AodueeNOHR9JXlB8HpG7Z80NJawaQ0rWccftd8
(fin) ssh-rsa: SHA256:M/6Xq9dc5Lah+pLrK8Sn+HivdlhxWBrjVSlUiGH10BQ

An option to enable them again would be good, but I think a better solution would be to automatically enable them if the server declares it supports kex-strict-s-v00@openssh.com, or if ChaCha20-Poly1305 and CBC ciphers were not declared.
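The prerequisite quoted from terrapin-attack.com and the conditional policy proposed in this comment can both be written down as a small decision function. The following is an added example, not WebSSH code and not something the thread's participants wrote: it classifies a negotiated cipher/MAC pair as Terrapin-exploitable only when the connection uses ChaCha20-Poly1305, or a CBC cipher together with an Encrypt-then-MAC MAC, and strict key exchange is not in effect (strict kex only helps when both peers support it, so the flag here represents that joint state); and it builds the client's MAC proposal so that `-etm` MACs are dropped only when the server lacks `kex-strict-s-v00@openssh.com` and also offers ChaCha20 or a CBC cipher. The algorithm lists and function names are constructed for the illustration.

```python
"""Added example (not WebSSH code): Terrapin prerequisite check and the
conditional -etm MAC policy proposed in the issue. Lists are constructed."""

CHACHA = "chacha20-poly1305@openssh.com"
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"


def is_cbc(cipher):
    """CBC-mode ciphers carry '-cbc' in their SSH name (aes256-cbc, 3des-cbc, ...)."""
    return "-cbc" in cipher


def is_etm(mac):
    """OpenSSH's Encrypt-then-MAC variants end in -etm@openssh.com."""
    return mac.endswith("-etm@openssh.com")


def terrapin_exploitable(cipher, mac, strict_kex_both_sides):
    """Condition quoted from terrapin-attack.com: the connection must use
    ChaCha20-Poly1305, or CBC with an Encrypt-then-MAC MAC. Strict kex
    (CVE-2023-48795 counter-measure) removes the issue when both peers use it.
    Note that for ChaCha20-Poly1305 the MAC list is irrelevant: it is an AEAD
    cipher and no separate MAC is negotiated for it."""
    if strict_kex_both_sides:
        return False
    if cipher == CHACHA:
        return True
    return is_cbc(cipher) and is_etm(mac)


def client_mac_proposal(server_kex, server_ciphers, full_mac_list):
    """Policy proposed in the comment: keep -etm MACs when the server
    advertises strict kex, or when it offers neither ChaCha20 nor any CBC
    cipher; otherwise drop them. Returns the client's MAC name-list."""
    server_strict = STRICT_KEX_SERVER in server_kex
    risky_cipher = CHACHA in server_ciphers or any(is_cbc(c) for c in server_ciphers)
    if server_strict or not risky_cipher:
        return list(full_mac_list)
    return [m for m in full_mac_list if not is_etm(m)]


# Constructed offers. ISSUE_* mirrors the server in the thread's log and
# ssh-audit output; LEGACY_* is a made-up pre-strict-kex server with ChaCha20.
ISSUE_SERVER_KEX = ["sntrup761x25519-sha512@openssh.com", "curve25519-sha256",
                    "ext-info-s", STRICT_KEX_SERVER]
ISSUE_SERVER_CIPHERS = ["aes256-gcm@openssh.com", "aes256-ctr", "aes192-ctr"]
LEGACY_SERVER_KEX = ["curve25519-sha256", "diffie-hellman-group14-sha256"]
LEGACY_SERVER_CIPHERS = [CHACHA, "aes256-ctr", "aes256-cbc"]

FULL_MACS = ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
             "umac-128-etm@openssh.com", "hmac-sha2-256", "hmac-sha2-512"]


if __name__ == "__main__":
    # The thread's server: CTR/GCM only, strict kex advertised -> keep -etm.
    print("issue server :", client_mac_proposal(ISSUE_SERVER_KEX, ISSUE_SERVER_CIPHERS, FULL_MACS))
    # A legacy server offering ChaCha20 and CBC without strict kex -> drop -etm.
    print("legacy server:", client_mac_proposal(LEGACY_SERVER_KEX, LEGACY_SERVER_CIPHERS, FULL_MACS))
    print("aes256-ctr + etm, no strict kex ->",
          terrapin_exploitable("aes256-ctr", "hmac-sha2-256-etm@openssh.com", False))
    print("aes256-cbc + etm, no strict kex ->",
          terrapin_exploitable("aes256-cbc", "hmac-sha2-256-etm@openssh.com", False))
```

Run against the issue's own server offer (CTR and GCM ciphers only, strict kex advertised) the policy keeps the full MAC list, so negotiation succeeds; against the constructed legacy server it removes the `-etm` entries, which is the only situation in which dropping them buys anything.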

isontheline commented 10 months ago

I agree @unbeatable-101 that I need to improve WebSSH to automatically enable them under the conditions you wrote.

Before I can work on this enhancement, you can now use WebSSH 24.8.1244: https://testflight.apple.com/join/QSrBK59z

And add the following to your ssh_config in order to enable HMAC-ETM again:

[image: ssh_config snippet, not reproduced in the page text]

Could you give it a try?

unbeatable-101 commented 10 months ago

Thanks! That works.

naggie commented 7 months ago

This works for me too, testflight not necessary -- thanks. I'm using the default SSH server config on NixOS 23.10, I'm surprised suitable ciphers are not offered -- though I suppose the terrapin attack was known after the major NixOS release.