Friday, November 11, 2016

ssh and hmac support

Be advised that ssh and PKI encryption have issues, from ciphers to hmac support, on both the server and the client. Various ssh clients can't support all types.

For reference, see my previous cipher post: http://socpuppet.blogspot.com/2013/04/ssh-and-ciphers-tipstricks.html


When it comes to the hmac and the target ssh server, you can check support by specifying the hmac to use.



Within openssh you have to use the -m option and specify the "hmac" that you want to try. The ssh server will either accept or reject it, and if you use the -v option you can easily find the versions that it supports. Both the ssh client and server will use the highest mutually supported version between the pair.


e.g



Here are the hmac types, ordered from stronger to weaker:

SHA512
SHA384
SHA256
SHA224
SHA1
MD5
MD4


You can use this free tool to explore and craft various message hashes:

http://www.freeformatter.com/hmac-generator.html


On most openssh-based ssh clients you can use the -Q option to display the versions your client supports.
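An added example (not from the original post) of the check described above: it reads the MAC proposals out of `ssh -vv` output, applies the RFC 4253 rule that the first MAC on the client's list that the server also offers is the one used, and lists the server MACs built on the SHA1/MD5 end of the ordering above. The debug text is a constructed sample in the layout recent OpenSSH clients print, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Real input would come from:  ssh -vv -m <mac> user@host exit 2>&1
# (`ssh -Q mac` lists the MACs your own client supports.)
# Constructed sample of that debug output, not captured from a real host:
SAMPLE='debug2: local client KEXINIT proposal
debug2: MACs ctos: hmac-sha2-512,hmac-sha2-256,hmac-sha1
debug2: MACs stoc: hmac-sha2-512,hmac-sha2-256,hmac-sha1
debug2: peer server KEXINIT proposal
debug2: MACs ctos: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96
debug2: MACs stoc: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96'

# Print the server-to-client MAC list from one side's KEXINIT proposal.
# $1 = ssh -vv output, $2 = "local client" or "peer server"
proposal_macs() {
    printf '%s\n' "$1" | awk -v who="$2" '
        /KEXINIT proposal/ { in_sec = (index($0, who) > 0) }
        in_sec && /MACs stoc:/ { print $NF; exit }'
}

# RFC 4253 section 7.1: the MAC used is the first name on the client's
# list that also appears on the server's list.
# $1 = client list, $2 = server list (comma separated)
negotiate_mac() {
    for m in $(printf '%s' "$1" | tr ',' ' '); do
        case ",$2," in
            *",$m,"*) printf '%s\n' "$m"; return 0 ;;
        esac
    done
    return 1    # no MAC in common: the connection would be refused
}

# List the offered MACs that are built on SHA1 or MD5 (this cut-off is
# an assumption of the example, taken from the ordering above).
weak_macs() {
    printf '%s' "$1" | tr ',' '\n' | grep -E 'md5|sha1' | tr '\n' ' ' | sed 's/ $//'
}

client=$(proposal_macs "$SAMPLE" 'local client')
server=$(proposal_macs "$SAMPLE" 'peer server')
echo "client offers  : $client"
echo "server offers  : $server"
echo "negotiated     : $(negotiate_mac "$client" "$server")"
echo "sha1/md5 based : $(weak_macs "$server")"
```

Even though the sample server lists hmac-md5 first, the client's preference order decides the result, so ordering the client's MACs list (or restricting it with -m) controls what gets used.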






Ken Felix

NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com

     ^      ^
=(  @  @ )=
         o 
        /  \
