• Couldn't agree a client-to-server MAC (available: hmac-sha2-512)

    From Magicman8508@21:1/5 to All on Fri Apr 21 00:51:23 2023
    I get this error when I try to connect to some devices. Any way I can fix this? I have tried the latest release and also the current nightly build.

    Thanks

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Simon Tatham@21:1/5 to [email protected] on Sat Apr 22 07:06:53 2023
    Magicman8508 <[email protected]> writes:

    > I get this error when I try to connect to some devices. Any way I can
    > fix this? I have tried the latest release and also the current nightly
    > build.

    This is the first I've heard of any server _only_ speaking HMAC-SHA-512.
    It's not really a recommended configuration, because HMAC-SHA-512 is
    specified as OPTIONAL, which does mean there's a risk of clients not
    supporting it. What is this server, anyway?

    I've added HMAC-SHA-512 to PuTTY. Try today's nightly build.

    --
    import hashlib; print((lambda p,q,g,y,r,s,m: (lambda w:(pow(g,int(hashlib.sha1( m.encode('ascii')).hexdigest(),16)*w%q,p)*pow(y,r*w%q,p)%p)%q)(pow(s,q-2,q))==r and s%q!=0 and m)(12342649995480866419, 2278082317364501, 1670428356600652640, 5398151833726432125, 645223105888478, 1916678356240619, "<[email protected]>"))

  • From Magicman8508@21:1/5 to All on Mon Apr 24 02:44:52 2023
    I just tried the recent nightly version and it works! Perfect. Many thanks. Didn't think it could be resolved so fast.

    In my case it affects a Cisco 9800 series. Not sure why it is configured this way. Maybe a company policy only allows hmac-sha2-512.

    Thanks again.
    Have a great day.

  • From Austin Harsh@21:1/5 to All on Fri Jun 2 17:57:10 2023
    On Monday, April 24, 2023 at 9:44:54 PM UTC+12, Magicman8508 wrote:
    > I just tried the recent nightly version and it works! Perfect. Many thanks. Didn't think it could be resolved so fast.
    >
    > In my case it affects a Cisco 9800 series. Not sure why it is configured this way. Maybe a company policy only allows hmac-sha2-512.
    >
    > Thanks again.
    > Have a great day.

    In my case this is based on the new US Government CNSA V2.0 policy (this is what is replacing FIPS stuff, kind of). CNSA V2.0 states you must use HMAC-SHA2-384 or HMAC-SHA2-512. Cisco switches do not support the 384 variant, so you have to use 512. In the future (~5 years) PuTTY will eventually need to support a new hashing algorithm called CRYSTALS-Kyber. https://media.defense.gov/2022/Sep/07/2003071834/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS_.PDF

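The negotiation failure discussed in this thread, as an added example that is not part of any post and is not PuTTY's code: it parses the name-lists of an SSH_MSG_KEXINIT payload (RFC 4253, section 7.1) and applies the rule that the agreed MAC is the first entry on the client's list that the server also lists. The server payload and both client lists are constructed sample data, and the function names are hypothetical.

```python
SSH_MSG_KEXINIT = 20
# The ten name-lists of SSH_MSG_KEXINIT, in wire order (RFC 4253, section 7.1).
FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def build_kexinit(lists):
    """Serialise a KEXINIT payload; used here only to construct sample input."""
    out = bytes([SSH_MSG_KEXINIT]) + bytes(16)        # type byte + zeroed cookie
    for name in FIELDS:
        data = ",".join(lists.get(name, [])).encode("ascii")
        out += len(data).to_bytes(4, "big") + data    # uint32 length + names
    return out + b"\x00" + bytes(4)   # first_kex_packet_follows + reserved

def parse_kexinit(payload):
    """Return {field: [algorithm names]} from a raw KEXINIT payload."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    pos, lists = 17, {}
    for name in FIELDS:
        n = int.from_bytes(payload[pos:pos + 4], "big")   # uint32 length
        if pos + 4 + n > len(payload):                    # also catches a short length field
            raise ValueError("truncated name-list")
        text = payload[pos + 4:pos + 4 + n].decode("ascii")
        lists[name] = text.split(",") if text else []
        pos += 4 + n
    return lists

def check_c2s_mac(client_macs, server_payload):
    """Apply the RFC 4253 rule: first client preference the server also lists."""
    offered = parse_kexinit(server_payload)["mac_c2s"]
    chosen = next((m for m in client_macs if m in offered), None)
    if chosen is None:
        return "Couldn't agree a client-to-server MAC (available: %s)" % ",".join(offered)
    return "agreed: " + chosen

# Constructed sample data (not captured from a real device or from PuTTY).
SERVER_KEXINIT = build_kexinit({
    "kex": ["ecdh-sha2-nistp384"], "hostkey": ["rsa-sha2-512"],
    "enc_c2s": ["aes256-ctr"], "enc_s2c": ["aes256-ctr"],
    "mac_c2s": ["hmac-sha2-512"], "mac_s2c": ["hmac-sha2-512"],
    "comp_c2s": ["none"], "comp_s2c": ["none"]})
CLIENT_WITHOUT_512 = ["hmac-sha2-256", "hmac-sha1"]
CLIENT_WITH_512 = ["hmac-sha2-256", "hmac-sha2-512", "hmac-sha1"]

if __name__ == "__main__":
    print(check_c2s_mac(CLIENT_WITHOUT_512, SERVER_KEXINIT))
    print(check_c2s_mac(CLIENT_WITH_512, SERVER_KEXINIT))
```

The server's preference order plays no part in the choice: a server that lists a single MAC forces it on every client, and any client without it fails before authentication starts.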