
ssh 5.3 on CentOS 6 supports macs59 #125

Open
wojciech-kopras opened this issue Mar 28, 2019 · 5 comments · May be fixed by #129

Comments

@wojciech-kopras

Describe the bug
Currently it is defined that ssh on CentOS 6 supports only macs from the macs53 list. With these settings it's impossible to connect by ssh from CentOS 6 to a server with CentOS 7 -- you can see it when you compare the lists macs53 and macs66.

Expected behavior
In man sshd_config with openssh v. 5.3p1-104.el6_6.1 you can see:

    MACs    Specifies the available MAC (message authentication code) algorithms.  The MAC algorithm is used in protocol version 2 for data integrity protection.  Multiple
            algorithms must be comma-separated.  The default is:

                hmac-md5,hmac-sha1,[email protected],
                hmac-ripemd160,hmac-sha1-96,hmac-md5-96,
                hmac-sha2-256,hmac-sha2-512

So macs from the macs59 list are supported and could be used.

Actual behavior
Only macs from the macs53 list are allowed.

OS / Environment
CentOS 6, openssh 5.3p1-104.el6_6.1

@chris-rock
Member

@wojciech-kopras Thank you for your report. You observe an interesting point where the baseline is only doing an openssh version guess. We should implement a proper openssh version detection and fall back to OS-based guessing only if the openssh version could not be determined.

We implemented a similar logic in https://github.com/dev-sec/chef-ssh-hardening/blob/master/libraries/devsec_ssh.rb#L194-L205

Any help is welcome to make this happen.

@artem-sidorenko
Member

@chris-rock my new colleague wanted to contribute that, hopefully we will get this in next time :-)

@wojciech-kopras wojciech-kopras linked a pull request May 8, 2019 that will close this issue
@wojciech-kopras
Author

Because of Red Hat's backports policy there is probably no other way than conditional assignment of values.
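The version-first selection the maintainer proposes above, combined with the conditional assignment for the Red Hat backport, as an added example that is not code from ansible-ssh-hardening or chef-ssh-hardening; the MAC lists, the OS fallback table and the backport table are assumptions, built only from values this thread names:

```python
import re

# Constructed MAC lists for the three feature levels the role distinguishes
# (macs53 / macs59 / macs66). The role's real hardened lists are not on the
# page; these are assumptions built only from MACs the man-page excerpt names.
MACS = {
    "macs53": "hmac-ripemd160,hmac-sha1",
    "macs59": "hmac-sha2-512,hmac-sha2-256,hmac-ripemd160",
    "macs66": "hmac-sha2-512,hmac-sha2-256",
}

# Fallback used only when no OpenSSH version can be determined: the OS-based
# guess the issue describes (CentOS 6 -> macs53, CentOS 7 -> macs66).
OS_GUESS = {("CentOS", 6): "macs53", ("CentOS", 7): "macs66"}

# Vendor builds known to carry backported MAC support despite their upstream
# version number. The thread evidences exactly one: openssh-5.3p1-104.el6_6.1.
BACKPORTED = {"5.3p1-104.el6_6.1": "macs59"}


def parse_openssh_version(banner):
    """Return (major, minor) from `ssh -V` output, or None if unparseable.

    Note that `ssh -V` writes its banner to stderr, e.g.
    'OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013'.
    """
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", banner or "")
    return (int(m.group(1)), int(m.group(2))) if m else None


def level_for_version(version):
    """Map an upstream (major, minor) version to the role's MAC feature level."""
    if version >= (6, 6):
        return "macs66"
    if version >= (5, 9):
        return "macs59"
    return "macs53"


def select_mac_level(banner, package_version=None, distro=None, os_major=None):
    """Backport override first, detected version second, OS guess last."""
    if package_version in BACKPORTED:
        return BACKPORTED[package_version]
    version = parse_openssh_version(banner)
    if version is not None:
        return level_for_version(version)
    # Conservative default when neither the version nor the OS is known.
    return OS_GUESS.get((distro, os_major), "macs53")
```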

@artem-sidorenko
Member

@wojciech-kopras do you maybe know if this support was backported by RH at some point or if it's/was a problem on our side for a long time?

@wojciech-kopras
Author

I don't know. I noticed that when I deployed the ansible role for ssh and had to solve some connection issues.
