SSH stopped working due to bad MAC spec

[viking60]

I have all my servers configured in ~/.ssh/config

I also use encryption key's and passwordless logins so that my password is not transported over networks.

This works so good that I never notice that some servers are on the other side of the globe.

But today I happily typed ssh viking60-server and got an error message

The message was

Code: Select all

/home/viking/.ssh/config line 2: Bad SSH2 Mac spec 'hmac-md5,hmac-sha1,hmac-ripemd160'.

My ~/.ssh/config has a few line on top where chiphers are specified

Code: Select all

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
MACs hmac-md5,hmac-sha1,hmac-ripemd160

The solution was to remove ,hmac-ripemd160 from the line - like this:

Code: Select all

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
MACs hmac-md5,hmac-sha1

After that ssh worked again!

Why this happened? I have no clue maybe some mac encryption is obsolete or changed....

[R_Head]

The Russians did it

[viking60]

Yup - it is always them..

[viking60]

I had a discussion in the Manjaro forum where I questioned the need for ciphers and MACs in ~/.ssh/config since ssh will work without them.
The answer seems to be that the client config file constitutes a list of preferences so if the server offers both weak and strong algorithms; then your list will make it "send" the strongest one (the first in your list).

https://forum.manjaro.org/t/ssh-stopped ... c/34436/10

So my ~/.ssh/config now looks like this:

Code: Select all

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com


That should pick the best alternatives first (or the best alternative the server has to offer).