Hello list,
To my astonishment the openssh versions on both C6 and C7 will by
default negotiate an MD5 HMAC.
C6 client, C7 server:
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
C7 client & server:
debug2: mac_setup: setup hmac-md5-etm@xxxxxxxxxxx
debug1: kex: server->client aes128-ctr hmac-md5-etm@xxxxxxxxxxx none
debug2: mac_setup: setup hmac-md5-etm@xxxxxxxxxxx
debug1: kex: client->server aes128-ctr hmac-md5-etm@xxxxxxxxxxx none
I reported this issue upstream:
https://bugzilla.redhat.com/show_bug.cgi?id=1417263
https://bugzilla.redhat.com/show_bug.cgi?id=1417264
You might want to add
MACs hmac-sha2-512-etm@xxxxxxxxxxx,hmac-sha2-512,hmac-sha2-256-etm@xxxxxxxxxxx,hmac-sha2-256,hmac-sha1-etm@xxxxxxxxxxx,hmac-sha1,hmac-ripemd160-etm@xxxxxxxxxxx,hmac-ripemd160@xxxxxxxxxxx,hmac-ripemd160,umac-128@xxxxxxxxxxx,umac-128-etm@xxxxxxxxxxx,hmac-sha1-96-etm@xxxxxxxxxxx,hmac-sha1-96,umac-64-etm@xxxxxxxxxxx,umac-64@xxxxxxxxxxx
to your C7 ssh_config and sshd_config, or
MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,umac-64@xxxxxxxxxxx,hmac-sha1-96
to your C6 ssh_config and sshd_config.
You might also want to prune your cipher list to exclude RC4 = arcfour
ciphers with the option "Ciphers". Compare
http://www.theregister.co.uk/2013/09/06/nsa_cryptobreaking_bullrun_analysis/
Regards,
Leonard.
--
mount -t life -o ro /dev/dna /genetic/research
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
