jtesta / ssh-audit

SSH server & client security auditing (banner, key exchange, encryption, mac, compression, compatibility, security, etc)
MIT License

Unknown Algorithm: hmac-sha1-96@openssh.com #148

Status: Closed (thecliguy closed 2 years ago)

thecliguy commented 2 years ago

Hi @jtesta

I ran an ssh-audit client scan against Cyberduck version 8.4.4 (38366) on Windows and it reported an unknown algorithm:

!!! WARNING: unknown algorithm(s) found!: hmac-sha1-96@openssh.com.  Please email the full output above to the maintainer (jtesta@positronsecurity.com), or create a Github issue at <https://github.com/jtesta/ssh-audit/issues>.

The algorithm hmac-sha1-96 is present in ssh2_kexdb.py but not this @openssh.com specific implementation of it.

Something that occurred to me is whether hmac-sha1-96@openssh.com really exists or not... So I searched the OpenSSH Specifications, the OpenSSH source code for BSD, the OpenSSH portable release source code and then a whole bunch of other places... And I found absolutely nothing. Nothing that I would consider to be canonical evidence of this algorithm having been implemented.

It's definitely possible that I've missed something... It's not really like I know my way around the OpenSSH source code.

If hmac-sha1-96@openssh.com does indeed exist, do you know where its existence would be documented?

egberts commented 2 years ago

It is a Cisco thing. It was created to deal with existing (but broken) IPSec used within Cisco products.

https://community.cisco.com/t5/other-security-subjects/difference-between-mac-algorithms-hmac-sha1-and-hmac-sha1-96/td-p/4046166

Use hmac-sha1-128, not hmac-sha1-96.

jtesta commented 2 years ago

Thanks for reporting this, @thecliguy! I've committed this to master.
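
The situation in the opening report, a base MAC name that is known while its `@domain` form is not, as an added example that is not part of the thread and is not ssh-audit's code. It decodes an RFC 4251 name-list (the encoding used for the algorithm lists in KEXINIT) and classifies each MAC name; `KNOWN_MACS` is a small constructed subset, and all function names are hypothetical.

```python
import struct

# Constructed subset for illustration; this is not ssh-audit's ssh2_kexdb.py.
KNOWN_MACS = {
    "hmac-sha1", "hmac-sha1-96", "hmac-sha2-256", "hmac-sha2-512",
    "hmac-sha1-etm@openssh.com",
    "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
}

def encode_name_list(names):
    """Encode an RFC 4251 name-list: uint32 length, then comma-separated ASCII names."""
    body = ",".join(names).encode("ascii")
    return struct.pack(">I", len(body)) + body

def decode_name_list(buf, offset=0):
    """Decode one name-list and return (names, next_offset); reject truncated input."""
    if len(buf) - offset < 4:
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from(">I", buf, offset)
    start, end = offset + 4, offset + 4 + length
    if end > len(buf):
        raise ValueError("name-list longer than buffer")
    body = buf[start:end].decode("ascii")  # non-ASCII bytes raise a ValueError subclass
    return (body.split(",") if body else []), end

def classify_mac(name, known=KNOWN_MACS):
    """Return 'known', 'unknown-variant' or 'unknown'.

    RFC 4251 reserves names containing '@' for locally defined extensions
    (name@domainname). A peer can therefore offer an '@domain' form of a
    standard name that no database lists, as in the report above.
    """
    if name in known:
        return "known"
    base, sep, domain = name.partition("@")
    if sep and domain and base in known:
        return "unknown-variant"  # known base algorithm, unlisted vendor-suffixed form
    return "unknown"

def audit_macs(buf):
    """Classify every MAC name in an encoded name-list."""
    names, _ = decode_name_list(buf)
    return {name: classify_mac(name) for name in names}

# Constructed client MAC offer, including the name from the report.
SAMPLE_OFFER = encode_name_list(
    ["hmac-sha2-256-etm@openssh.com", "hmac-sha1-96", "hmac-sha1-96@openssh.com"]
)
```

Reporting the `unknown-variant` case separately tells the reader of a scan that the base algorithm's rating is probably the relevant one, while still flagging that the exact name was not recognised.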