Add hmac-sha2-256 to the list of supported macs #341

wants to merge 2 commits into



ashb commented May 30, 2014

Similar to the work in #161 and #164 but simpler.

I have tested this with a demos/ and the following ssh command line on OSX:

ssh -l robey -o 'MACs=hmac-sha2-256' -vvv -p 2200 localhost

It connects and auths okay.

I tried to add hmac-sha2-512 as well but this has kex problems that I didn't want to dig into here.



Coverage decreased (-0.06%) when pulling f355ba0 on ashb:hmac-sha2-sha256 into e811e71 on paramiko:master.


👍 I was wondering why I wasn't able to use Paramiko with my OpenSSH servers. Appears Paramiko is lacking support for "better" MACs, since I've restricted this to SHA-2 (and AES-GCM for more recent OpenSSH servers). Would be great to have support for SSH servers with older MACs disabled as a security policy.

E.g. OpenSSH 6.0+ with the following set in sshd_config:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha2-256,hmac-sha2-512
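
The mismatch described in the comment above, as an added example that is not part of this PR or of Paramiko's code: SSH MAC negotiation (RFC 4253 section 7.1) against the quoted `MACs` policy, followed by the per-packet hmac-sha2-256 computation (RFC 4253 section 6.4, RFC 6668). The client lists, key and packet bytes are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Server policy taken from the sshd_config lines quoted above.
SERVER_MACS = ["hmac-sha2-256", "hmac-sha2-512"]
# Constructed client offers (assumptions, not copied from Paramiko).
LEGACY_CLIENT_MACS = ["hmac-sha1", "hmac-md5"]
PATCHED_CLIENT_MACS = ["hmac-sha2-256", "hmac-sha1", "hmac-md5"]

# name -> (hash constructor, key and digest length in bytes)
MAC_INFO = {
    "hmac-md5": (hashlib.md5, 16),
    "hmac-sha1": (hashlib.sha1, 20),
    "hmac-sha2-256": (hashlib.sha256, 32),
    "hmac-sha2-512": (hashlib.sha512, 64),
}


def negotiate_mac(client_macs, server_macs):
    """Return the first algorithm on the client's list that the server also
    lists, or None when there is no overlap and the connection must fail."""
    for name in client_macs:
        if name in server_macs:
            return name
    return None


def compute_mac(name, key, seqno, packet):
    """mac = MAC(key, uint32 sequence_number || unencrypted_packet)."""
    digestmod, size = MAC_INFO[name]
    if len(key) != size:
        raise ValueError("%s needs a %d-byte key" % (name, size))
    # The sequence number is an implicit per-direction counter, mod 2**32.
    data = struct.pack(">I", seqno & 0xFFFFFFFF) + packet
    return hmac.new(key, data, digestmod).digest()


def verify_mac(name, key, seqno, packet, tag):
    """Constant-time comparison of the received tag with the expected one."""
    return hmac.compare_digest(compute_mac(name, key, seqno, packet), tag)


if __name__ == "__main__":
    print("legacy client :", negotiate_mac(LEGACY_CLIENT_MACS, SERVER_MACS))
    print("patched client:", negotiate_mac(PATCHED_CLIENT_MACS, SERVER_MACS))
    key = bytes(range(32))                   # constructed 32-byte key
    packet = b"\x00\x00\x00\x0c\x0a" + b"\x15" + b"\x00" * 10  # constructed
    tag = compute_mac("hmac-sha2-256", key, 3, packet)
    print("tag bytes:", len(tag), "valid:", verify_mac("hmac-sha2-256", key, 3, packet, tag))
```
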

Thanks! Feels related to #161 too. Labeling for followup.


And then I find #356 which extends this even further. Closing/consolidating, will make sure to give credit in changelog however. Thanks!

@bitprophet bitprophet closed this Aug 9, 2014