This repository has been archived by the owner on Dec 26, 2020. It is now read-only.

line 56: Bad SSH2 mac spec #135

Closed
snakelab opened this issue Oct 12, 2017 · 5 comments · Fixed by #139
Comments

@snakelab

Distributor ID: Debian
Description: Debian GNU/Linux 8.7 (jessie)
Release: 8.7
Codename: jessie

I get the following error when running this role:

[...]  line 56: Bad SSH2 mac spec 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160

Any hint on this?

thanks

@snakelab
Author

ping

@rndmh3ro rndmh3ro added the bug label Oct 17, 2017
@rndmh3ro
Member

Never heard of this before.
Travis says it's fine: https://travis-ci.org/dev-sec/ansible-ssh-hardening/jobs/289021694

I'll have to take a closer look.

Can you try to single out which mac is "bad" by removing them here: https://github.com/dev-sec/ansible-ssh-hardening/blob/master/defaults/main.yml ?

@HaleTom

HaleTom commented Oct 24, 2017

 * ssh(1)/sshd(8): remove support for the hmac-ripemd160 MAC.

https://www.openssh.com/txt/release-7.6

@rndmh3ro
Member

That seems to explain it, yes.
As a workaround, delete the MACs https://github.com/dev-sec/ansible-ssh-hardening/blob/master/defaults/main.yml#L141 and https://github.com/dev-sec/ansible-ssh-hardening/blob/master/defaults/main.yml#L145 or overwrite the list.

For fixing this, that's another, slightly bigger problem. Right now we're setting the MACs, Ciphers and KEX according to the operating system used.
This should be changed to check for the openssh version instead. The sshd-version is already checked for and registered in the variable sshd_version. So one should only have to change the template.
Or even better: set the variables for MACS, Ciphers and KEX in the playbook and just use it in the template, without any if-else clauses.
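Two things are asked for in this thread: singling out which entry of the MACs line a given OpenSSH build rejects, and deciding the MACs list from the OpenSSH version rather than the distribution. The script below is an added example, not code from the dev-sec role or from any commenter. It embeds a constructed sample of `ssh -Q mac` output for a 7.6 build (a real OpenSSH client flag that lists the MACs the local build supports), checks the MACs spec from the report against it, and shows a version-based prune that drops `hmac-ripemd160*` from 7.6 on, which is the one removal the release notes quoted here establish. The helper names and the sample output are assumptions.

```python
"""Find which entries of an sshd MACs spec a given OpenSSH build rejects.

sshd validates the whole comma-separated MACs line and refuses to start
("Bad SSH2 mac spec") if any single entry is unknown to that build, so
the remedy is to remove only the unknown entries, not the whole line.
"""
import re
import subprocess

# Constructed sample of `ssh -Q mac` output as an OpenSSH 7.6 build would
# print it (no hmac-ripemd160 entries). Not captured from a real host.
SAMPLE_SSH_Q_MAC = """\
hmac-sha1
hmac-sha1-96
hmac-sha2-256
hmac-sha2-512
hmac-md5
hmac-md5-96
umac-64@openssh.com
umac-128@openssh.com
hmac-sha1-etm@openssh.com
hmac-sha1-96-etm@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com
hmac-md5-etm@openssh.com
hmac-md5-96-etm@openssh.com
umac-64-etm@openssh.com
umac-128-etm@openssh.com
"""

# The MACs line quoted in the issue report.
REPORTED_MAC_SPEC = (
    "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,"
    "hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,"
    "hmac-sha2-512,hmac-sha2-256,hmac-ripemd160"
)


def parse_mac_list(query_output: str) -> set:
    """Turn `ssh -Q mac` output (one algorithm per line) into a set."""
    return {line.strip() for line in query_output.splitlines() if line.strip()}


def local_supported_macs() -> set:
    """Run the real `ssh -Q mac` on this host; fall back to the constructed
    sample when no ssh client is available, so the script still runs."""
    try:
        out = subprocess.run(["ssh", "-Q", "mac"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE_SSH_Q_MAC
    return parse_mac_list(out)


def unsupported_macs(spec: str, supported: set) -> list:
    """Entries of a comma-separated MACs spec not in `supported`, in order."""
    return [m for m in spec.split(",") if m and m not in supported]


def prune_mac_spec(spec: str, supported: set) -> str:
    """The spec with unsupported entries dropped, order preserved."""
    return ",".join(m for m in spec.split(",") if m in supported)


def openssh_version(banner: str):
    """(major, minor) from a version string such as 'OpenSSH_7.6p1'.
    The role registers this kind of string in `sshd_version`."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", banner)
    return (int(m.group(1)), int(m.group(2))) if m else None


def prune_for_version(spec: str, version: tuple) -> str:
    """Version-based variant: drop hmac-ripemd160* for OpenSSH >= 7.6,
    the removal documented in the 7.6 release notes quoted in this issue."""
    if version is None or version < (7, 6):
        return spec
    return ",".join(m for m in spec.split(",")
                    if not m.startswith("hmac-ripemd160"))


if __name__ == "__main__":
    supported = local_supported_macs()
    bad = unsupported_macs(REPORTED_MAC_SPEC, supported)
    print("rejected by this build:", bad)
    print("pruned MACs line:", prune_mac_spec(REPORTED_MAC_SPEC, supported))
```

Against the constructed 7.6 sample the two `hmac-ripemd160` entries are the only ones rejected, which matches the workaround given in the thread; run on a real host, `local_supported_macs()` reflects that host's build instead, which is a more reliable check than branching on the distribution name.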

@rndmh3ro rndmh3ro self-assigned this Oct 29, 2017
@francoisbeaulieu

One particularity that I noticed, at least on MacOS is that it complains even if the offending MAC entry is for a different host definition in ssh_config than the one git is currently connecting to. Seems the test is a little too loose in detecting the line in the config file.
