Open ghost opened 10 years ago
I second this, already having requested this "upstream": https://code.google.com/p/connectbot/issues/detail?id=571
Agree, I try to apply security recommendations from bettercrypto.org on my OpenSSH servers, e.g. for OpenSSH 6.6:
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
But we don't seem to be able to support these for now with [vx]connectbot. I vote for this one :)
I find myself in this boat too - I used (and loved!) VX Connectbot for some time. But tightening our servers broke VX Connectbot, to the point where I cannot use it any longer. Like those above, our servers are configured with:
Ciphers chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
The upstream connectbot/connectbot has this fixed, I believe. They also split the ssh protocol impl into a separate library connectbot/sshlib. Maybe someone could rebase the VX changes on top of that?
I confirm (having just tested) upstream has it fixed in v1.8.6
Please update the MACs. I'm not able to log into some systems which require SHA-2 based MACs.
I can no longer use vxconnectbot myself due to the same server hardening as mentioned above.
Since OpenSSH 5.9, SHA-2 is supported; by default now: hmac-sha2-256, hmac-sha2-256-96, hmac-sha2-512 and hmac-sha2-512-96.
I would like vx connectbot to support at least hmac-sha2-256 and preferably hmac-sha2-512.
For example, with OpenSSH 6 config:
vx connectbot connects with hmac-sha1 aes256-ctr
I do not know which key exchange algorithm is used; it doesn't show in the logs.
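The failures reported in this thread come down to SSH algorithm negotiation: per RFC 4253 section 7.1, the chosen cipher, MAC and key-exchange method is the first entry in the client's list that the server also offers, and if any of the three lists has no common entry the connection fails. The following Python is an added example, not code from this thread or from the connectbot/vxconnectbot projects. It parses the sshd_config lines quoted above (the OpenSSH 6.6 list from the earlier comment is embedded as sample input) and runs that negotiation rule against two constructed client proposals: a hypothetical older client offering only hmac-sha1/hmac-md5 MACs, like the vx connectbot behaviour described above, and a hypothetical client that also offers hmac-sha2-256. Both client lists are assumptions for illustration, not the real algorithm lists of any client.

```python
# Added example: reproduce SSH algorithm negotiation (RFC 4253 section 7.1)
# against the hardened sshd_config lines quoted in the thread. Not part of
# the issue thread or of the connectbot/vxconnectbot code bases.
from typing import Dict, List, Optional

# Server settings as quoted in the thread (OpenSSH 6.6 hardening example).
SERVER_CONFIG = """\
# comment lines and blank lines are ignored by the parser
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
"""

# Constructed client proposal (assumption, not a real client's list): an older
# client whose only MACs are SHA-1 and MD5 based, as described for vx connectbot.
OLD_CLIENT: Dict[str, List[str]] = {
    "Ciphers": ["aes256-ctr", "aes192-ctr", "aes128-ctr", "aes256-cbc"],
    "MACs": ["hmac-sha1", "hmac-md5"],
    "KexAlgorithms": [
        "diffie-hellman-group-exchange-sha1",
        "diffie-hellman-group14-sha1",
        "diffie-hellman-group1-sha1",
    ],
}

# Constructed client proposal (assumption): same client with SHA-2 MACs added,
# listed ahead of hmac-sha1 so that the stronger MAC is preferred.
NEW_CLIENT: Dict[str, List[str]] = {
    "Ciphers": OLD_CLIENT["Ciphers"],
    "MACs": ["hmac-sha2-256", "hmac-sha2-512", "hmac-sha1"],
    "KexAlgorithms": OLD_CLIENT["KexAlgorithms"],
}

ALGORITHM_KEYS = ("KexAlgorithms", "Ciphers", "MACs")


def parse_sshd_algorithms(text: str) -> Dict[str, List[str]]:
    """Parse Ciphers / MACs / KexAlgorithms directives from sshd_config text.

    Values are comma-separated and kept in the server's stated order.
    """
    result: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts
        if key in ALGORITHM_KEYS:
            result[key] = [a.strip() for a in value.split(",") if a.strip()]
    return result


def negotiate(client: List[str], server: List[str]) -> Optional[str]:
    """RFC 4253 7.1 rule: first algorithm in the client's list that the server
    also supports. None means the lists are disjoint and the connection fails.
    (The extra host-key compatibility condition for kex is omitted here.)"""
    server_set = set(server)
    for alg in client:
        if alg in server_set:
            return alg
    return None


def negotiate_all(client: Dict[str, List[str]],
                  server: Dict[str, List[str]]) -> Dict[str, Optional[str]]:
    """Negotiate each algorithm class; a None value identifies the class that
    makes the connection fail."""
    return {k: negotiate(client.get(k, []), server.get(k, [])) for k in ALGORITHM_KEYS}


def connection_succeeds(result: Dict[str, Optional[str]]) -> bool:
    return all(result[k] is not None for k in ALGORITHM_KEYS)


if __name__ == "__main__":
    server = parse_sshd_algorithms(SERVER_CONFIG)
    for label, client in (("old client", OLD_CLIENT), ("sha2 client", NEW_CLIENT)):
        outcome = negotiate_all(client, server)
        print(f"{label}: {'connects' if connection_succeeds(outcome) else 'FAILS'}")
        for key in ALGORITHM_KEYS:
            print(f"  {key}: {outcome[key] or 'no common algorithm'}")
```

Run as-is, the old client negotiates a kex method and a cipher but no MAC, which matches the symptom in the thread: the server's MACs line contains no SHA-1 entry, so the session cannot be established even though aes256-ctr is acceptable to both sides. Adding hmac-sha2-256 to the client's MAC list is enough to get a match; the same check applied to the second quoted configuration would also show that a client lacking curve25519-sha256@libssh.org or diffie-hellman-group-exchange-sha256 fails at the key-exchange step instead.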