Packer: Support for openssh.com HMAC/UMAC algorithms for SSH

Created on 27 Oct 2016 · 9 Comments · Source: hashicorp/packer

  • Packer version: Packer v0.10.1
  • Host platform: OSX 10.11.6

I'm trying to build an AMI where the OpenSSH server can only accept the following MAC algorithms (MACs option):

However, it seems that packer only works with one of the following:

  • hmac-sha2-256
  • hmac-sha1
  • hmac-sha1-96

Error message:

ssh: handshake failed: ssh: no common algorithm for client to server MAC; client offered: [hmac-sha2-256 hmac-sha1 hmac-sha1-96], server offered: [[email protected] [email protected] [email protected] [email protected]]

As a workaround, I've added hmac-sha2-256 to the list.

Labels: communicatossh, upstream-bug
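The handshake failure above is just the RFC 4253 section 7.1 negotiation rule (the first algorithm in the client's list that the server also lists wins) applied to a server whose MACs line has no overlap with what the Go SSH client offers. The following Go program is an added example, not Packer's or golang.org/x/crypto's code: it reads the MACs directive out of a constructed sshd_config fragment, runs the negotiation against the client list quoted in the error, and applies the reporter's workaround of appending hmac-sha2-256. The function names (serverMACs, negotiateMAC, withWorkaround) are my own, the sshd_config text is constructed for illustration, and the "+", "-" and "^" prefix forms of the MACs directive are deliberately not handled.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// goClientMACs is the client-to-server MAC list from the handshake error above: the
// only MACs Packer's vendored golang.org/x/crypto/ssh offered at the time.
var goClientMACs = []string{"hmac-sha2-256", "hmac-sha1", "hmac-sha1-96"}

// serverMACs returns the algorithm list of the first "MACs" directive in an sshd_config
// body (sshd uses the first occurrence of a keyword). nil means the directive is absent
// and sshd falls back to its compiled-in default list. The "+"/"-"/"^" prefix forms that
// edit that default list are out of scope for this example.
func serverMACs(sshdConfig string) []string {
	sc := bufio.NewScanner(strings.NewReader(sshdConfig))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Fields(line)
		if len(f) >= 2 && strings.EqualFold(f[0], "MACs") {
			return strings.Split(f[1], ",")
		}
	}
	return nil
}

// negotiateMAC applies RFC 4253 section 7.1: the first algorithm in the client's list
// that the server also lists is chosen; no overlap is the "no common algorithm" error.
func negotiateMAC(client, server []string) (string, bool) {
	have := make(map[string]bool, len(server))
	for _, m := range server {
		have[m] = true
	}
	for _, m := range client {
		if have[m] {
			return m, true
		}
	}
	return "", false
}

// withWorkaround is the fix from the report: keep the hardened list and append
// hmac-sha2-256 so a client without the -etm variants can still connect. Because the
// client's order decides, an OpenSSH client that prefers the -etm MACs still gets them.
func withWorkaround(server []string) []string {
	for _, m := range server {
		if m == "hmac-sha2-256" {
			return server
		}
	}
	return append(append([]string(nil), server...), "hmac-sha2-256")
}

func main() {
	// Constructed sshd_config fragment with EtM-only MACs, resembling the report.
	cfg := "# hardened transport\nMACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com\n"
	srv := serverMACs(cfg)
	if m, ok := negotiateMAC(goClientMACs, srv); ok {
		fmt.Println("negotiated:", m)
		return
	}
	fmt.Println("no common MAC; server offers only", srv)
	m, _ := negotiateMAC(goClientMACs, withWorkaround(srv))
	fmt.Println("after workaround, negotiated:", m)
}
```

Run it with `go run` on the fragment above and it reports no common MAC, then hmac-sha2-256 once the workaround is applied; point serverMACs at the output of `sshd -T` on the target image to check a real host before a build.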


All 9 comments

I'm pretty sure that this is a limitation in the ssh library we are using. I'll check if there is anything we can update, otherwise we probably have to file an issue on that library and/or track an upstream issue requesting support for more HMACs.

It seems packer is indeed up-to-date.
https://github.com/golang/crypto/blob/master/ssh/mac.go
https://github.com/mitchellh/packer/blob/master/vendor/golang.org/x/crypto/ssh/mac.go

And I couldn't find anything indicating that the openssl etm algorithms are implemented in go crypto.

The only useful information I found was this issue where they add hmac-sha2-256.

I quickly looked at the source code of go crypto and openssh portable, but it seems the main algorithm needs to be changed to do Encrypt-then-MAC.

The algorithms seem to be here:
https://github.com/openssh/openssh-portable/blob/ca04de83f210959ad2ed870a30ba1732c3ae00e3/packet.c
https://github.com/golang/crypto/blob/master/ssh/cipher.go

Being something critical, I feel it's better to report the issue upstream, but I'm not familiar with the way it works for the golang ecosystem. I was hoping someone working on Packer or at Hashicorp could help with that.
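What "changing the main algorithm" amounts to is a different packet layout, not just a different HMAC. Under RFC 4253 (the hmac-sha2-256 that the Go library implements) the MAC is taken over the plaintext packet and the whole packet, length field included, is then encrypted, so a receiver has to decrypt the first block before it can even locate the tag. OpenSSH's PROTOCOL document describes the -etm@openssh.com variants as encrypting only what follows the length field, sending the length in the clear, and computing the MAC over sequence_number || packet_length || ciphertext, which lets the receiver verify before it decrypts anything. The Go program below is an added illustration of both orderings, written by me for this page; it is not code from golang.org/x/crypto/ssh or from OpenSSH, it uses aes128-ctr with HMAC-SHA256 and a fresh keystream per packet for simplicity, and all keys, IVs and payloads are constructed test values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const blockSize, macLen = aes.BlockSize, sha256.Size // aes128-ctr block size, hmac-sha2-256 tag size

// buildPlain lays out an RFC 4253 packet: uint32 packet_length | byte padding_length | payload | padding (>= 4).
// aadlen is how many leading bytes stay in the clear and are left out of block alignment: 0 for RFC 4253, 4 for -etm.
func buildPlain(payload []byte, aadlen int) []byte {
	n := 5 + len(payload)
	padlen := blockSize - (n-aadlen)%blockSize
	if padlen < 4 {
		padlen += blockSize
	}
	pkt := make([]byte, 4, n+padlen)
	binary.BigEndian.PutUint32(pkt, uint32(1+len(payload)+padlen))
	pkt = append(append(pkt, byte(padlen)), payload...)
	return append(pkt, make([]byte, padlen)...) // zero padding here; real SSH uses random bytes
}

// ctr returns a fresh aes128-ctr keystream per packet (a real transport keeps one running stream per direction).
func ctr(key, iv []byte) cipher.Stream {
	block, _ := aes.NewCipher(key) // only fails for a wrong key size; keys in this example are 16 bytes
	return cipher.NewCTR(block, iv)
}

func tag(macKey []byte, seq uint32, data []byte) []byte { // HMAC-SHA256 over uint32 sequence_number || data
	h := hmac.New(sha256.New, macKey)
	h.Write(binary.BigEndian.AppendUint32(nil, seq))
	h.Write(data)
	return h.Sum(nil)
}

// sealMtE is the RFC 4253 order (hmac-sha2-256): MAC the plaintext packet, then encrypt all of it, length included.
func sealMtE(encKey, macKey, iv []byte, seq uint32, payload []byte) []byte {
	pkt := buildPlain(payload, 0)
	t := tag(macKey, seq, pkt)
	ctr(encKey, iv).XORKeyStream(pkt, pkt)
	return append(pkt, t...) // wire = E(packet) || mac
}

// sealEtM is the hmac-sha2-256-etm@openssh.com order: encrypt after the length field, then MAC seq || length || ciphertext.
func sealEtM(encKey, macKey, iv []byte, seq uint32, payload []byte) []byte {
	pkt := buildPlain(payload, 4)
	ctr(encKey, iv).XORKeyStream(pkt[4:], pkt[4:])
	return append(pkt, tag(macKey, seq, pkt)...) // wire = packet_length || E(rest) || mac
}

func unpad(body []byte) ([]byte, error) { // padding_length || payload || padding -> payload
	if len(body) == 0 || int(body[0]) < 4 || int(body[0]) >= len(body) {
		return nil, errors.New("bad padding length")
	}
	return body[1 : len(body)-int(body[0])], nil
}

// openEtM verifies before it decrypts: the length it needs is in the clear and is itself covered by the MAC.
func openEtM(encKey, macKey, iv []byte, seq uint32, wire []byte) ([]byte, error) {
	if len(wire) < 4 || len(wire) != 4+int(binary.BigEndian.Uint32(wire))+macLen {
		return nil, errors.New("length field does not match wire length")
	}
	n := int(binary.BigEndian.Uint32(wire))
	if !hmac.Equal(tag(macKey, seq, wire[:4+n]), wire[4+n:]) {
		return nil, errors.New("mac mismatch, nothing decrypted")
	}
	body := make([]byte, n)
	ctr(encKey, iv).XORKeyStream(body, wire[4:4+n])
	return unpad(body)
}

// openMtE must decrypt the first block just to learn packet_length and locate the MAC, so unauthenticated
// ciphertext goes through the cipher first: the decryption-oracle shape the -etm variants were made to remove.
func openMtE(encKey, macKey, iv []byte, seq uint32, wire []byte) ([]byte, error) {
	if len(wire) < blockSize+macLen {
		return nil, errors.New("short packet")
	}
	stream, plain := ctr(encKey, iv), make([]byte, len(wire)-macLen)
	stream.XORKeyStream(plain[:blockSize], wire[:blockSize])
	if n := int(binary.BigEndian.Uint32(plain)); 4+n != len(plain) {
		return nil, errors.New("length field does not match wire length")
	}
	stream.XORKeyStream(plain[blockSize:], wire[blockSize:len(plain)])
	if !hmac.Equal(tag(macKey, seq, plain), wire[len(plain):]) {
		return nil, errors.New("mac mismatch, after decryption")
	}
	return unpad(plain[4:])
}

func main() {
	k, iv, mk := []byte("0123456789abcdef"), []byte("fedcba9876543210"), []byte("hmac-key-hmac-key-hmac-key-hmac!")
	fmt.Printf("MtE wire: %x\nEtM wire: %x\n", sealMtE(k, mk, iv, 1, []byte("hi")), sealEtM(k, mk, iv, 1, []byte("hi")))
}
```

The two seal functions share buildPlain, which is where the other visible difference lives: in EtM mode the padding is computed so that the encrypted part after the length field is block aligned on its own, since the length is no longer part of the ciphertext. That is why adding the openssh.com MACs to a client means touching the packet code, not just the MAC table.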

I have filed an issue on Go, see https://github.com/golang/go/issues/17676. Please subscribe to that.

Thank you!

Quick update on that issue:

We've updated the ssh library to the latest version. Going to close this for now, since there's nothing more we can do. We should continue to track here, though.

Ping me when you have a PR for the other algorithms and we'll merge it in.

It seems the other algorithms won't be added. Thank you for having updated the ssh library.
