[Twisted-Python] hmac-sha2-512 - Corrupted MAC on input with OpenSSH

Craig Rodrigues rodrigc at crodrigues.org
Thu Dec 29 03:30:19 MST 2016


Hi,

Well in Twisted checked out directly from GitHub, this seems to work:

ssh -vv -oKexAlgorithms=ecdh-sha2-nistp256 -oMACs=hmac-sha2-512 user@localhost

and these fail:

ssh -vv -oKexAlgorithms=diffie-hellman-group1-sha1 -oMACs=hmac-sha2-512 user@localhost
ssh -vv -oKexAlgorithms=diffie-hellman-group14-sha1 -oMACs=hmac-sha2-512 user@localhost
ssh -vv -oKexAlgorithms=ecdh-sha2-nistp384 -oMACs=hmac-sha2-512 user@localhost
ssh -vv -oKexAlgorithms=ecdh-sha2-nistp521 -oMACs=hmac-sha2-512 user@localhost

--
Craig


On Thu, Dec 29, 2016 at 4:47 AM, 陈健 <chenjianhappy2008 at 126.com> wrote:

> Hi,
>        Yes, you are right. I ran
> ssh -vv -oKexAlgorithms=diffie-hellman-group14-sha1 -oMACs=hmac-sha2-512 user@localhost
> against a Twisted ssh server, and I saw the problem. The reason is that
> Twisted (16.6.0) does not support the diffie-hellman-group14-sha1 and
> ecdh-sha512-nistp512 key exchange algorithms well, right?
>
> --
>
> JianChen
>
>
> At 2016-12-29 16:06:55, "Craig Rodrigues" <rodrigc at crodrigues.org> wrote:
>
> Abhishek Choudhary pointed out to me that you can reproduce this problem
> easily, even with OpenSSH client.
> Look at https://twistedmatrix.com/trac/ticket/8258
>
> and do:
>
> ssh -vv -oKexAlgorithms=diffie-hellman-group14-sha1 -oMACs=hmac-sha2-512 user@localhost
>
> against a Twisted ssh server, and you will see the problem.
>
>
> --
>
> Craig
>
>
>
> On Thu, Dec 29, 2016 at 1:17 AM, 陈健 <chenjianhappy2008 at 126.com> wrote:
>
>>
>> Hi,
>>     Yes, your understanding is correct. I must disable the hmac-sha2-512
>> option in SecureCRT, then it will be OK. I searched Google for a long
>> time and still did not find any clues!
>>
>>           Twisted Server + OpenSSH client == WORKS
>>           Twisted Server + Xshell client == WORKS
>>           OpenSSH Server + SecureCRT client == WORKS
>>           Twisted Server + SecureCRT client == FAIL
>>
>> --
>> JianChen
>>
>>
>> At 2016-12-29 12:35:57, "Craig Rodrigues" <rodrigc at crodrigues.org> wrote:
>>
>> Hi,
>>
>> Is this what you are saying:
>>
>> Twisted Server + OpenSSH client == WORKS
>> Twisted Server + Xshell client == WORKS
>> OpenSSH Server + SecureCRT client == WORKS
>> Twisted Server + SecureCRT client == FAIL
>>
>> ??
>>
>> I don't have a SecureCRT client, so I don't know the solution to this problem.
>>
>> You might want to try searching the SecureCRT site and see if there are
>> any clues there:
>>
>> https://goo.gl/UkKZvI
>>
>> --
>> Craig
>>
>> On Wed, Dec 28, 2016 at 9:39 PM, 陈健 <chenjianhappy2008 at 126.com> wrote:
>>
>>>
>>>
>>> Hi:
>>>     Oh, I'm sorry. My server-side code had bugs with
>>> Twisted (16.6.0) Conch, which I have fixed. But the 'Message
>>> Authentication Code did not verify (packet #3)' error occurs with
>>> the SecureCRT (8.0.0 or 7.3.4) client. If I connect to an OpenSSH_5.3p1 (or
>>> OpenSSH_6.6.1p1) sshd server through the SecureCRT client, it is fine.
>>> Of course, if I connect to the Twisted SSH server using the Xshell client with
>>> the hmac-sha2-512 option or "ssh -m hmac-sha2-512", it is OK. I do not
>>> know if it is a SecureCRT client bug or a Twisted problem.
>>> http://stackoverflow.com/questions/41296412/securecrt-hmac-sha2-512-message-authentication-code-did-not-verify-packet-3
>>>