Re: [Twisted-Python] hmac-sha2-512 - Corrupted MAC on input with OpenSSH
hi, Yes, you are right. ssh -vv -oKexAlgorithms=diffie-hellman-group14-sha1 -oMACs=hmac-sha2-512 user@localhost against a Twisted ssh server, and i saw the problem. The reason is that twisted(16.6.0) is not supported the diffie-hellman-group14-sha1 and ecdh-sha512-nistp512 key exchange algorithms well, right ? -- JianChen At 2016-12-29 16:06:55, "Craig Rodrigues" <rodrigc@crodrigues.org> wrote: Abhishek Choudhary pointed out to me that you can reproduce this problem easily, even with OpenSSH client. Look at https://twistedmatrix.com/trac/ticket/8258 and do: ssh -vv -oKexAlgorithms=diffie-hellman-group14-sha1 -oMACs=hmac-sha2-512 user@localhost against a Twisted ssh server, and you will see the problem. -- Craig On Thu, Dec 29, 2016 at 1:17 AM, 陈健 <chenjianhappy2008@126.com> wrote: hi, Yes, your understanding is correct. I must set the hmac-sha2-512 option unable with SecureCRT, it will be OK. I searched Google for a long time, still did not find the any clues! Twisted Server + OpenSSH client == WORKS Twisted Server + Xshell client == WORKS OpenSSH Server + SecureCRT client == WORKS Twisted Server + SecureCRT client == FAIL -- JianChen 在 2016-12-29 12:35:57,"Craig Rodrigues" <rodrigc@crodrigues.org> 写道: Hi, Is this what you are saying: Twisted Server + OpenSSH client == WORKS Twisted Server + Xshell client == WORKS OpenSSH Server + SecureCRT client == WORKS Twisted Server + SecureCRT client == FAIL ?? I don't have SecureCRT client, so don't know the solution to this problem. You might want to try searching the SecureCRT site and see if there are any clues there: https://goo.gl/UkKZvI -- Craig On Wed, Dec 28, 2016 at 9:39 PM, 陈健 <chenjianhappy2008@126.com> wrote: hi: Oh, I'm sorry, It is my server-side code has bugs with Twisted(16.6.0) Conch, that i have fixed it . But 'Message Authentication Code did not verify (packet #3)' error will occurs with the SecureCRT(8.0.0 or 7.3.4) client. If I connect OpenSSH_5.3p1 (or OpenSSH_6.6.1p1 ) sshd server through the SecureCRT client, it is fine. Of course, if I connect Twisted SSH server by using the Xshell client with hmac-sha2-512 options or “ssh -m hmac-sha2-512”,it is OK. I do not know if it is SecureCRT client bug or twisted problem. http://stackoverflow.com/questions/41296412/securecrt-hmac-sha2-512-message-...
Hi, Well in Twisted checked out directly from GitHub, this seems to work: ssh -vv -oKexAlgorithms=ecdh-sha2-nistp256 -oMACs=hmac-sha2-512 user@localhost and these fail: ssh -vv -oKexAlgorithms=diffie-hellman-group1-sha1 -oMACs=hmac-sha2-512 user@localhost ssh -vv -oKexAlgorithms=diffie-hellman-group14-sha1 -oMACs=hmac-sha2-512 user@localhost ssh -vv -oKexAlgorithms=ecdh-sha2-nistp384 -oMACs=hmac-sha2-512 user@localhost ssh -vv -oKexAlgorithms=ecdh-sha2-nistp521 -oMACs=hmac-sha2-512 user@localhost -- Craig On Thu, Dec 29, 2016 at 4:47 AM, 陈健 <chenjianhappy2008@126.com> wrote:
hi, Yes, you are right. ssh -vv -oKexAlgorithms=diffie-hellman-group14-sha1 -oMACs=hmac-sha2-512 user@localhost against a Twisted ssh server, and i saw the problem. The reason is that twisted(16.6.0) is not supported the diffie-hellman-group14-sha1 and ecdh-sha512-nistp512 key exchange algorithms well, right ?
--
JianChen
At 2016-12-29 16:06:55, "Craig Rodrigues" <rodrigc@crodrigues.org> wrote:
Abhishek Choudhary pointed out to me that you can reproduce this problem easily, even with OpenSSH client. Look at https://twistedmatrix.com/trac/ticket/8258
and do:
ssh -vv -oKexAlgorithms=diffie-hellman-group14-sha1 -oMACs=hmac-sha2-512 user@localhost
against a Twisted ssh server, and you will see the problem.
--
Craig
On Thu, Dec 29, 2016 at 1:17 AM, 陈健 <chenjianhappy2008@126.com> wrote:
hi, Yes, your understanding is correct. I must set the hmac-sha2-512 option unable with SecureCRT, it will be OK. I searched Google for a long time, still did not find the any clues!
Twisted Server + OpenSSH client == WORKS Twisted Server + Xshell client == WORKS OpenSSH Server + SecureCRT client == WORKS Twisted Server + SecureCRT client == FAIL
-- JianChen
在 2016-12-29 12:35:57,"Craig Rodrigues" <rodrigc@crodrigues.org> 写道:
Hi,
Is this what you are saying:
Twisted Server + OpenSSH client == WORKS Twisted Server + Xshell client == WORKS OpenSSH Server + SecureCRT client == WORKS Twisted Server + SecureCRT client == FAIL
??
I don't have SecureCRT client, so don't know the solution to this problem.
You might want to try searching the SecureCRT site and see if there are any clues there:
-- Craig
On Wed, Dec 28, 2016 at 9:39 PM, 陈健 <chenjianhappy2008@126.com> wrote:
hi: Oh, I'm sorry, It is my server-side code has bugs with Twisted(16.6.0) Conch, that i have fixed it . But 'Message Authentication Code did not verify (packet #3)' error will occurs with the SecureCRT(8.0.0 or 7.3.4) client. If I connect OpenSSH_5.3p1 (or OpenSSH_6.6.1p1 ) sshd server through the SecureCRT client, it is fine. Of course, if I connect Twisted SSH server by using the Xshell client with hmac-sha2-512 options or “ssh -m hmac-sha2-512”,it is OK. I do not know if it is SecureCRT client bug or twisted problem. *http://stackoverflow.com/questions/41296412/securecrt-hmac-sha2-512-message-... <http://stackoverflow.com/questions/41296412/securecrt-hmac-sha2-512-message-authentication-code-did-not-verify-packet-3>*
participants (2)
-
Craig Rodrigues -
陈健