Cannot connect to recent OpenBSD SSHD. #72

Open
vext01 opened this issue May 23, 2014 · 4 comments

vext01 commented May 23, 2014

Hi, when connecting to my OpenBSD-current server, irssi-connectbot hangs and I see the following in the sshd log on the server:

May 23 21:13:39 kryten3 sshd[22038]: fatal: no matching mac found: client hmac-sha1-96,hmac-sha1,hmac-md5-96,hmac-md5 server umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512 [preauth]

Perhaps OpenBSD has a more strict default than expected?


vext01 commented Jun 24, 2014

For what it's worth, I can connect using the ssh binary from a terminal emulator on my phone, but not using irssi connectbot. Seems like a connectbot issue.


vext01 commented Jun 25, 2014

I think this is related to this: http://www.openbsd.org/faq/current.html#20140603

Weak or broken hashes, ciphers and modes were removed from the
default sshd(8) configuration. Some clients do not support any of the
methods which are now available by default, so will not be able to connect
without changes. In those cases, the client should be updated or replaced.

I recommend switching to JuiceSSH in the meantime:
https://sonelli.com/

Sadly this replacement is not open source.

@viernullvier

Seems to be already fixed in upstream ConnectBot. This fork however still relies exclusively on weak and broken algorithms and should be updated ASAP.

As of now, the following algorithms can be considered strong and secure:

KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com

@nyetwurk

Unable to negotiate with xxxx port 48448: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

Almost 6 years later, still no real improvement. Time to abandon this app.
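
Added example (not part of the thread, and not ConnectBot or OpenSSH code): a small Python parser for the two negotiation-failure log lines quoted in this issue. It reports whether the two sides share any algorithm and which of the peer's offers appear on the lists given in the comment above. The names `LISTED` and `diagnose` are assumptions made for the example, and "Their offer" is treated as the remote peer's list.

```python
import re

# Algorithm lists copied from the comment above (its author's recommendation).
LISTED = {
    "mac": ("hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,"
            "hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,"
            "hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,"
            "umac-128@openssh.com").split(","),
    "key exchange method": ("curve25519-sha256@libssh.org,"
                            "diffie-hellman-group-exchange-sha256,"
                            "diffie-hellman-group14-sha1").split(","),
}

# Format of the first log line in the thread: both sides' lists are logged.
BOTH = re.compile(r"no matching (.+?) found: client (\S+) server (\S+)")
# Format of the last log line in the thread: only the peer's list is logged.
PEER = re.compile(r"no matching (.+?) found\. Their offer: (\S+)")

def diagnose(line):
    """Summarise one negotiation-failure line; None if it is not one."""
    m = BOTH.search(line)
    if m:
        kind, peer, local = m[1], m[2].split(","), m[3].split(",")
    elif (m := PEER.search(line)):
        kind, peer, local = m[1], m[2].split(","), None
    else:
        return None
    listed = LISTED.get(kind, [])
    return {
        "kind": kind,
        # Overlap can only be computed when the log shows both lists.
        "common": None if local is None else [a for a in peer if a in local],
        "peer_listed": [a for a in peer if a in listed],
        "peer_unlisted": [a for a in peer if a not in listed],
    }

# The two log lines quoted in this thread.
MAC_LINE = ("May 23 21:13:39 kryten3 sshd[22038]: fatal: no matching mac found: "
            "client hmac-sha1-96,hmac-sha1,hmac-md5-96,hmac-md5 server "
            "umac-64-etm@openssh.com,umac-128-etm@openssh.com,"
            "hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,"
            "umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,"
            "hmac-sha2-512 [preauth]")
KEX_LINE = ("Unable to negotiate with xxxx port 48448: no matching key exchange "
            "method found. Their offer: diffie-hellman-group-exchange-sha1,"
            "diffie-hellman-group14-sha1,diffie-hellman-group1-sha1")

if __name__ == "__main__":
    for sample in (MAC_LINE, KEX_LINE):
        print(diagnose(sample))
```

For the MAC line the overlap is empty and none of the client's four MACs is on the list above. For the key exchange line only `diffie-hellman-group14-sha1` is on it, and the server in that log still found no match.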
