vx / connectbot

Enhanced version of the popular ConnectBot SSH and telnet client
http://connectbot.vx.sk
Apache License 2.0
193 stars 62 forks

Support MAC with SHA-2 #85

Open ghost opened 10 years ago

ghost commented 10 years ago

Since OpenSSH 5.9, SHA-2 is supported, by default now hmac-sha2-256, hmac-sha2-256-96, hmac-sha2-512 and hmac-sha2-512-96.

I would like vx connectbot to support at least hmac-sha2-256 and preferably hmac-sha2-512.

For example, with OpenSSH 6 config:

Ciphers         aes256-cbc,aes192-cbc,aes256-ctr,aes192-ctr
MACs            hmac-sha1,hmac-sha2-256,hmac-sha2-512
KexAlgorithms   ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256

vx connectbot connects with hmac-sha1 aes256-ctr

I do not know which key exchange algorithm is used; it doesn't show in the logs.

ilf commented 10 years ago

I second this, already having requested this "upstream": https://code.google.com/p/connectbot/issues/detail?id=571

gryzor2 commented 9 years ago

Agree, I try to apply security recommendations from bettercrypto.org on my OpenSSH servers, e.g. for OpenSSH 6.6:

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1

But we don't seem to be able to support these for now with [vx]connectbot. I vote for this one :)

sparkyradar commented 9 years ago

I find myself in this boat too - I used (and loved!) VX Connectbot for some time. But tightening our servers broke VX Connectbot, to the point where I cannot use it any longer. Like those above, our servers are configured with:

Ciphers chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com

Wolf480pl commented 8 years ago

The upstream connectbot/connectbot has this fixed, I believe. They also split the ssh protocol impl into a separate library connectbot/sshlib. Maybe someone could rebase the VX changes on top of that?

gryzor2 commented 8 years ago

I confirm (having just tested) upstream has it fixed in v1.8.6

htgoebel commented 8 years ago

Please update the MACs. I'm not able to log into some systems which require SHA-2 based MACs.

kaleissin commented 8 years ago

I can no longer use vxconnectbot myself due to the same server hardening as mentioned above.
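
Added example (not part of the thread and not ConnectBot code): the SSH algorithm selection rule from RFC 4253 section 7.1, run against the server settings quoted in the first post and in sparkyradar's comment, to show why a client without SHA-2 MACs connects to the former and fails against the latter. `LEGACY_CLIENT` is a constructed offer, not VX ConnectBot's actual algorithm list, and the function names are hypothetical.

```python
# Added example: RFC 4253 section 7.1 algorithm selection, run against the
# sshd_config lines quoted in this thread.
SERVER_FIRST_POST = """\
Ciphers         aes256-cbc,aes192-cbc,aes256-ctr,aes192-ctr
MACs            hmac-sha1,hmac-sha2-256,hmac-sha2-512
KexAlgorithms   ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
"""
SERVER_HARDENED = """\
Ciphers chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
"""
# ASSUMPTION: constructed offer for a client without SHA-2 MACs. It is not
# VX ConnectBot's real algorithm list, which the thread does not give.
LEGACY_CLIENT = {
    "kexalgorithms": ["diffie-hellman-group-exchange-sha256"],
    "ciphers": ["aes256-ctr", "aes128-ctr"],
    "macs": ["hmac-sha1", "hmac-md5"],
}
# Ciphers with built-in integrity; the negotiated MAC is unused with these.
AEAD = {"chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com",
        "aes128-gcm@openssh.com"}
KEYS = ("kexalgorithms", "ciphers", "macs")


def parse_sshd_config(text):
    """Map lower-cased keyword -> ordered algorithm list (keywords are case-insensitive)."""
    parsed = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split(None, 1)
        if len(fields) == 2 and fields[0].lower() in KEYS:
            parsed[fields[0].lower()] = [a.strip() for a in fields[1].split(",")]
    return parsed


def negotiate(client, server):
    """Return (chosen, failed): per category, the first client algorithm the
    server also lists; failed names the categories with no common algorithm."""
    chosen = {k: next((a for a in client[k] if a in server[k]), None) for k in KEYS}
    if chosen["ciphers"] in AEAD:
        chosen["macs"] = "<implicit>"  # AEAD cipher authenticates packets itself
    return chosen, [k for k in KEYS if chosen[k] is None]


if __name__ == "__main__":
    for name, cfg in (("first post", SERVER_FIRST_POST), ("hardened", SERVER_HARDENED)):
        print(name, negotiate(LEGACY_CLIENT, parse_sshd_config(cfg)))
```

The selection is driven by the client's preference order, so a server that merely appends SHA-2 MACs after `hmac-sha1` still ends up with `hmac-sha1` for such a client; only removing it from the server list forces the stronger MAC, at the cost of locking out clients that lack it.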