I ran an ssh-audit client scan against Cyberduck version 8.4.4 (38366) on Windows and it reported an unknown algorithm:
!!! WARNING: unknown algorithm(s) found!: hmac-sha1-96@openssh.com. Please email the full output above to the maintainer (jtesta@positronsecurity.com), or create a Github issue at <https://github.com/jtesta/ssh-audit/issues>.
The algorithm hmac-sha1-96 is present in ssh2_kexdb.py but not this @openssh.com specific implementation of it.
Something that occurred to me is whether hmac-sha1-96@openssh.com really exists or not... So I searched the OpenSSH Specifications, the OpenSSH source code for BSD, the OpenSSH portable release source code and then a whole bunch of other places... And I found absolutely nothing. Nothing that I would consider to be canonical evidence of this algorithm having been implemented.
It's definitely possible that I've missed something... It's not really like I know my way around the OpenSSH source code.
If hmac-sha1-96@openssh.com does indeed exist, do you know where its existence would be documented?
Hi @jtesta