thecocce / connectbot

Automatically exported from code.google.com/p/connectbot
Apache License 2.0
0 stars 0 forks source link

support new SHA256-based HMAC transport integrity modes #571

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. configure OpenSSH <=5.9 with "MACs hmac-sha2-512" in sshd_config
2. try connecting with connectbot

What is the expected output? What do you see instead?
expected: connection
instead: hanging on "connecting"

What version of the product are you using
ConnectBot 1.7.1 (v1.7.1 2010.10.08)

What type of system are you trying to connect to?
OpenSSH_5.9p1 and OpenSSH_6.0

Please provide any additional information below.

OpenSSH 5.9 release note sais:

 * Add new SHA256-based HMAC transport integrity modes from
   http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt
   These modes are hmac-sha2-256, hmac-sha2-256-96, hmac-sha2-512,
   and hmac-sha2-512-96, and are available by default in ssh(1) and
   sshd(8)

http://openssh.org/txt/release-5.9

See the current draft here: 
https://tools.ietf.org/html/draft-dbider-sha2-mac-for-ssh-05

Would be nice to support that.

Thanks, and keep up the good work!

Original issue reported on code.google.com by i...@zeromail.org on 28 Apr 2012 at 11:14

GoogleCodeExporter commented 8 years ago
Not to derail this issue, but: can we extend this report to "please support the 
new Ciphers and KexAlgorithms"? I.e. Debian/stable (7.7 at this moment) ships 
with OpenSSH_6.6.1p1, which supports the following:

Ciphers
3des-cbc, aes128-cbc, aes192-cbc, aes256-cbc, aes128-ctr, aes192-ctr, 
aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com, arcfour128, 
arcfour256, arcfour, blowfish-cbc, cast128-cbc, and 
chacha20-poly1305@openssh.com

MAC
hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,
umac-64-etm@openssh.com,umac-128-etm@openssh.com,
hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,
hmac-md5-96-etm@openssh.com,
hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,
hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
hmac-sha1-96,hmac-md5-96

KexAlgorithms
curve25519-sha256@libssh.org,
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
diffie-hellman-group-exchange-sha256,
diffie-hellman-group-exchange-sha1,
diffie-hellman-group14-sha1,
diffie-hellman-group1-sha1

Thanks!

Original comment by ckujau on 10 Jan 2015 at 10:29

GoogleCodeExporter commented 8 years ago
I fully agree. OpenSSH 6.5 introduced a bunch of new ciphers and algorithms: 
http://www.openssh.com/txt/release-6.5

See the current list here: 
https://github.com/openssh/openssh-portable/blob/master/sshd_config.5#L734

Since the latest Snowden releases included OpenSSH 
(http://www.spiegel.de/international/germany/inside-the-nsa-s-war-on-internet-se
curity-a-1010361.html), there have been HOWTOs on hardening OpenSSH 
configuration: https://stribika.github.io/2015/01/04/secure-secure-shell.html

Unfortunately, it seems ConnectBot development is rather stalled: 
https://github.com/connectbot/connectbot/commits/master

Original comment by i...@zeromail.org on 11 Jan 2015 at 11:59

GoogleCodeExporter commented 8 years ago
I would like to have support for (mobile) access to my servers again, now that 
I've configured them like this:

Ciphers chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
MACs 
hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@o
penssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,u
mac-128@openssh.com

Curently, I get a hang upon trying to connect :-(

Original comment by gordon.p...@gmail.com on 27 Feb 2015 at 10:48

GoogleCodeExporter commented 8 years ago
Can anybody help me figure out what Ciphers/MACs/KexAlgorithms ConnectBot does 
support? Since it looks like this bug is not going anywhere for the moment.

Thanks!

Original comment by gwillen@gmail.com on 21 May 2015 at 4:47

GoogleCodeExporter commented 8 years ago
I used tcpdump to answer my own question ... the parameters connectbot uses 
seem dangerously weak in the modern era. I'm looking for something else to 
switch to at this point.

KexAlgorithms 
diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-gr
oup1-sha1
Ciphers 
aes256-ctr,aes192-ctr,aes128-ctr,blowfish-ctr,aes256-cbc,aes192-cbc,aes128-cbc,b
lowfish-cbc,3des-ctr,3des-cbc
MACs hmac-sha1-96,hmac-sha1,hmac-md5-96,hmac-md5

Original comment by gwillen@gmail.com on 21 May 2015 at 5:15

GoogleCodeExporter commented 8 years ago
Since ConnectBot moved to Github, source & issues can be tracked there, e.g.:

https://github.com/connectbot/connectbot/issues/54
#54: connectbot doesn't work with intelligence-agency-proved sshd configuration

Currently supported configurations, at least according to its source:

Supported Ciphers:
https://github.com/connectbot/connectbot/blob/master/src/com/trilead/ssh2/crypto
/cipher/BlockCipherFactory.java#L30

Supported MACs:
https://github.com/connectbot/connectbot/blob/master/src/com/trilead/ssh2/crypto
/digest/MAC.java#L17

Supported KexAlgorithms:
https://github.com/connectbot/connectbot/blob/master/src/com/trilead/ssh2/transp
ort/KexManager.java#L76

Original comment by ckujau on 22 May 2015 at 4:10