Couldn't agree a client-to-server MAC (available: hmac-sha2-512)

Newsgroups: comp.security.ssh
 by: Magicman8508 - Fri, 21 Apr 2023 07:51 UTC

I get this error when I try to connect to some devices. Any way I can fix this? I have tried the latest release and also the current nightly build.

Thanks

Re: Couldn't agree a client-to-server MAC (available: hmac-sha2-512)

 by: Simon Tatham - Sat, 22 Apr 2023 06:06 UTC

Magicman8508 <magicman8508@gmail.com> writes:

> I get this error when I try to connect to some devices. Any way I can
> fix this? I have tried the latest release and also the current nightly
> build.

This is the first I've heard of any server _only_ speaking HMAC-SHA-512.
It's not really a recommended configuration, because HMAC-SHA-512 is
specified as OPTIONAL, which does mean there's a risk of clients not
supporting it. What is this server, anyway?

I've added HMAC-SHA-512 to PuTTY. Try today's nightly build.

--
import hashlib; print((lambda p,q,g,y,r,s,m: (lambda w:(pow(g,int(hashlib.sha1(
m.encode('ascii')).hexdigest(),16)*w%q,p)*pow(y,r*w%q,p)%p)%q)(pow(s,q-2,q))==r
and s%q!=0 and m)(12342649995480866419, 2278082317364501, 1670428356600652640,
5398151833726432125, 645223105888478, 1916678356240619, "<anakin@pobox.com>"))
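
An added example (not part of the original posts and not PuTTY's code): SSH MAC negotiation as RFC 4253 section 7.1 defines it, where the first name on the client's list that the server also offers is chosen, reproducing the error from the subject line when the server offers only hmac-sha2-512. The client lists and the server name-list bytes are constructed for illustration, and the function names are hypothetical.

```python
import struct

def encode_name_list(names):
    """RFC 4251 name-list: uint32 length, then comma-separated ASCII names."""
    body = ",".join(names).encode("ascii")
    return struct.pack(">I", len(body)) + body

def decode_name_list(buf, offset=0):
    """Return (names, next_offset); reject a length that overruns the buffer."""
    if len(buf) < offset + 4:
        raise ValueError("truncated name-list length")
    (length,) = struct.unpack_from(">I", buf, offset)
    end = offset + 4 + length
    if end > len(buf):
        raise ValueError("name-list length exceeds packet")
    body = buf[offset + 4:end].decode("ascii")
    return (body.split(",") if body else []), end

def negotiate(client_names, server_names, what):
    """RFC 4253 section 7.1: first client entry the server also lists wins."""
    for name in client_names:
        if name in server_names:
            return name
    raise ConnectionError(
        "Couldn't agree a %s (available: %s)" % (what, ",".join(server_names)))

# Constructed sample data, not captured from a real device or PuTTY build.
SERVER_MACS_WIRE = encode_name_list(["hmac-sha2-512"])
CLIENT_MACS_OLD = ["hmac-sha2-256", "hmac-sha1", "hmac-sha1-96", "hmac-md5"]
CLIENT_MACS_NEW = ["hmac-sha2-256", "hmac-sha2-512", "hmac-sha1"]

def demo():
    """Negotiate both constructed client lists against the server's list."""
    server_macs, _ = decode_name_list(SERVER_MACS_WIRE)
    results = {}
    for label, client in (("old", CLIENT_MACS_OLD), ("new", CLIENT_MACS_NEW)):
        try:
            results[label] = negotiate(client, server_macs, "client-to-server MAC")
        except ConnectionError as exc:
            results[label] = str(exc)
    return results

if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, "->", outcome)
```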

Re: Couldn't agree a client-to-server MAC (available: hmac-sha2-512)

 by: Magicman8508 - Mon, 24 Apr 2023 09:44 UTC

I just tried the recent nightly version and it works! Perfect. Many thanks. Didn't think it could be resolved so fast.

In my case it affects a Cisco 9800 series. Not sure why it is configured this way. Maybe a company policy only allows hmac-sha2-512.

Thanks again.
Have a great day.

Re: Couldn't agree a client-to-server MAC (available: hmac-sha2-512)

 by: Austin Harsh - Sat, 3 Jun 2023 00:57 UTC

On Monday, April 24, 2023 at 9:44:54 PM UTC+12, Magicman8508 wrote:
> I just tried the recent nightly version and it works! Perfect. Many thanks. Didn't think it could be resolved so fast.
>
> In my case it affects a Cisco 9800 series. Not sure why it is configured this way. Maybe a company policy only allows hmac-sha2-512.
>
> Thanks again.
> Have a great day.

In my case this is based on the new US Government CNSA V2.0 policy (this is what is replacing FIPS stuff, kind of). CNSA V2.0 states you must use HMAC-SHA2-384 or HMAC-SHA2-512. Cisco switches do not support the 384 variant, so you have to use 512. In the future (~5 years) PuTTY will eventually need to support a new hashing algorithm called CRYSTALS-Kyber. https://media.defense.gov/2022/Sep/07/2003071834/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS_.PDF
