Implement hmac-sha2-* MAC schemes and SHA2-256 DH group exchange #164

Closed
wants to merge 2 commits into from

@EtiennePerot EtiennePerot commented May 1, 2013

As mentioned in #161, this implements some of the stronger MAC schemes introduced as of OpenSSH 5.9: hmac-sha2-512 and hmac-sha2-256. It also adds the hmac-sha2-512-96 and the hmac-sha2-256-96 schemes, which are not implemented in OpenSSH but are defined in IETF's draft for SHA2 MACs in SSH.

Additionally, it implements the Diffie-Hellman group exchange kex algorithm with SHA2-256. OpenSSH requires it to be used if hmac-sha2-* is used.
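An added example, not code from this pull request or from Paramiko: how the four MAC schemes named above are computed over an SSH binary packet per RFC 4253 section 6.4 (HMAC over the sequence number followed by the unencrypted packet). The table name, helper names, sample key and payload are constructed for illustration, and the `-96` variants are assumed to keep the first 96 bits of the tag, as `hmac-sha1-96` does.

```python
import hashlib
import hmac
import struct

# scheme -> (hash, key length, tag length); lengths in bytes.
# Assumption: the -96 variants keep the full-size key and truncate the tag
# to its first 12 bytes, following the hmac-sha1-96 convention of RFC 4253.
MAC_SCHEMES = {
    "hmac-sha2-256": (hashlib.sha256, 32, 32),
    "hmac-sha2-512": (hashlib.sha512, 64, 64),
    "hmac-sha2-256-96": (hashlib.sha256, 32, 12),
    "hmac-sha2-512-96": (hashlib.sha512, 64, 12),
}

# Constructed sample values, not real session material.
SAMPLE_KEY = bytes(range(32))
SAMPLE_PAYLOAD = b"\x05\x00\x00\x00\x0cssh-userauth"  # SSH_MSG_SERVICE_REQUEST


def build_packet(payload, block_size=16):
    """uint32 packet_length || padding_length || payload || padding."""
    pad = block_size - ((5 + len(payload)) % block_size)
    if pad < 4:  # RFC 4253 requires at least four bytes of padding
        pad += block_size
    length = 1 + len(payload) + pad
    # Real padding is random; zeros keep this example deterministic.
    return struct.pack(">IB", length, pad) + payload + b"\x00" * pad


def compute_mac(scheme, key, seqno, packet):
    """Tag = HMAC(key, uint32 sequence_number || unencrypted_packet)."""
    digest, key_len, tag_len = MAC_SCHEMES[scheme]
    if len(key) != key_len:
        raise ValueError("%s needs a %d-byte key" % (scheme, key_len))
    data = struct.pack(">I", seqno & 0xFFFFFFFF) + packet
    return hmac.new(key, data, digest).digest()[:tag_len]


def verify_mac(scheme, key, seqno, packet, tag):
    """Constant-time comparison of the received tag with the expected one."""
    expected = compute_mac(scheme, key, seqno, packet)
    return hmac.compare_digest(expected, tag)
```

Both peers must agree on the key length, tag length and sequence number for a packet to verify, which is why a MAC scheme that works between two copies of the same implementation can still fail against a different one.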

Member

@bitprophet bitprophet commented Jan 22, 2014

Is there a reason why this was closed? If it's functional I'm still totally open to merging it.

# can't do group-exchange if we don't have a pack of potential primes
pkex = list(self.get_security_options().kex)
pkex.remove('diffie-hellman-group-exchange-sha1')
pkex = filter(lambda x: not x.startswith('diffie-hellman-group-exchange-'), self.get_security_options().kex)
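Review bot: the replacement `pkex = filter(...)` line changes the type of `pkex`: the removed lines built a `list`, while `filter` returns a lazy one-shot iterator on Python 3, so any later `len()`, indexing or second pass over `pkex` would break there. A list comprehension keeps the list type and drops the lambda: `pkex = [k for k in self.get_security_options().kex if not k.startswith('diffie-hellman-group-exchange-')]`. The prefix match also avoids the ValueError that `pkex.remove(...)` raises when the name is absent, and it covers every group-exchange variant, which fits the comment above the line.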

lndbrg Jan 22, 2014
Contributor

filter -> generator expression or list comprehension please:

    pkex = (kex for kex in self.get_security_options().kex if not kex.startswith('diffie-hellman-group-exchange-'))

Contributor

@lndbrg lndbrg commented Jan 22, 2014

I think it was a mistake on @EtiennePerot's side. I think we should merge this too.

Contributor

@lndbrg lndbrg commented Jan 22, 2014

@bitprophet it looks like it got closed because he deleted his branch.

Author

@EtiennePerot EtiennePerot commented Jan 26, 2014

I closed it because it didn't work :)
I may be recalling wrong, but I think it worked for Paramiko <-> Paramiko and OpenSSH -> Paramiko sessions, but not Paramiko -> OpenSSH (or the other way around...). If anyone feels like picking this up, please do.

Member

@bitprophet bitprophet commented Jan 31, 2014

Aw :( Confirmed, running off this branch (+ a basic debug-logging-enabled fabfile) against a Debian-7-hosted openssh 6.0 daemon, I get the following:

    ERROR:paramiko.transport:Exception: Invalid packet blocking
    ERROR:paramiko.transport:Traceback (most recent call last):
    ERROR:paramiko.transport:  File "/Users/jforcier/Code/oss/paramiko/paramiko/transport.py", line 1569, in run
    ERROR:paramiko.transport:    ptype, m = self.packetizer.read_message()
    ERROR:paramiko.transport:  File "/Users/jforcier/Code/oss/paramiko/paramiko/packet.py", line 351, in read_message
    ERROR:paramiko.transport:    raise SSHException('Invalid packet blocking')
    ERROR:paramiko.transport:SSHException: Invalid packet blocking
    ERROR:paramiko.transport:
    DEBUG:paramiko.transport:Trying SSH agent key <blah>
    DEBUG:paramiko.transport:Trying SSH agent key <other blah>

    Fatal error: No existing session
    Underlying exception:
        No existing session

Have not confirmed that it works targeting Paramiko's server-side behavior yet since that takes a bit more doing than just "run fabric."

Anyway, going to punt on this for now since I don't have time to dig in & figure it out :( but happy to reopen/reconsider if anybody else gets it working. Thanks a lot for breaking ground, @EtiennePerot!

Contributor

@zamiam69 zamiam69 commented Jul 14, 2014

Hi, based on Etienne's and ashb's work I have a version that works with openssh:

zamiam69@9e8f1f0

Anyone interested?

    DEBUG:paramiko.transport:starting thread (client mode): 0x167ff50L
    INFO:paramiko.transport:Connected (version 2.0, client OpenSSH_5.9p1)
    DEBUG:paramiko.transport:kex algos:[u'ecdh-sha2-nistp256', u'ecdh-sha2-nistp384', u'ecdh-sha2-nistp521', u'diffie-hellman-group-exchange-sha256'] server key:[u'ssh-rsa', u'ssh-dss', u'ecdsa-sha2-nistp256'] client encrypt:[u'aes128-ctr', u'aes256-ctr', u'aes192-ctr'] server encrypt:[u'aes128-ctr', u'aes256-ctr', u'aes192-ctr'] client mac:[u'hmac-sha2-256', u'hmac-sha2-512', u'hmac-ripemd160'] server mac:[u'hmac-sha2-256', u'hmac-sha2-512', u'hmac-ripemd160'] client compress:[u'none', u'zlib@openssh.com'] server compress:[u'none', u'zlib@openssh.com'] client lang:[u''] server lang:[u''] kex follows?False
    DEBUG:paramiko.transport:Ciphers agreed: local=aes128-ctr, remote=aes128-ctr
    DEBUG:paramiko.transport:using kex diffie-hellman-group-exchange-sha256; server key type ssh-rsa; cipher: local aes128-ctr, remote aes128-ctr; mac: local hmac-sha2-256, remote hmac-sha2-256; compression: local none, remote none
    DEBUG:paramiko.transport:Got server p (2048 bits)
    DEBUG:paramiko.transport:Switch to new keys ...
    DEBUG:paramiko.transport:Adding ssh-rsa host key for 10.2.235.10:     b5537451e7591700594b99c15acdf426
    DEBUG:paramiko.transport:Trying key 19912656ed3e4504e74b2ea30361cafd from  ...
    DEBUG:paramiko.transport:userauth is OK
    INFO:paramiko.transport:Authentication (publickey) successful!
    DEBUG:paramiko.transport:[chan 1] Max packet in: 34816 bytes
    DEBUG:paramiko.transport:[chan 1] Max packet out: 32768 bytes
    INFO:paramiko.transport:Secsh channel 1 opened.
    DEBUG:paramiko.transport:[chan 1] Sesch channel 1 request ok
    DEBUG:paramiko.transport:[chan 1] EOF received (1)
    DEBUG:paramiko.transport:[chan 1] EOF sent (1)
    [u'total 32\n', u'drwxr-xr-x 4 ubuntu ubuntu 4096 Jul 14 12:26 .\n', u'drwxr-xr-x 3 root   root   4096 Apr  8 14:15 ..\n', u'-rw------- 1 ubuntu ubuntu  217 Jul 14 12:22 .bash_history\n', u'-rw-r--r-- 1 ubuntu ubuntu  220 Apr  3  2012 .bash_logout\n', u'-rw-r--r-- 1 ubuntu ubuntu 3553 Jul  7 11:49 .bashrc\n', u'-rw-rw-r-- 1 ubuntu ubuntu    0 Jul 14 12:26 bla\n', u'drwx------ 2 ubuntu ubuntu 4096 Jul  7 12:45 .cache\n', u'-rw-r--r-- 1 ubuntu ubuntu  675 Apr  3  2012 .profile\n', u'drwx------ 2 ubuntu ubuntu 4096 Jul  7 11:48 .ssh\n', u'-rw-r--r-- 1 ubuntu ubuntu    0 Jul  7 12:47 .sudo_as_admin_successful\n']
    DEBUG:paramiko.transport:Dropping user packet because connection is dead.
    DEBUG:paramiko.transport:Dropping user packet because connection is dead.

Member

@bitprophet bitprophet commented Aug 9, 2014

@zamiam69 If you can make a new PR for that branch I'll gladly review it, thanks!

Contributor

@zamiam69 zamiam69 commented Aug 10, 2014

@bitprophet: Hi, shall I reissue a PR based on #356 or do you have everything required to continue with this problem?

Member

@bitprophet bitprophet commented Aug 11, 2014

@zamiam69 I think I was just reviewing things out of order, #356 should suffice, thanks!
