ssh 5.3 on CentOS 6 supports macs59

[wojciech-kopras]

Describe the bug
Currently is defined that ssh on CentOS 6 supports only macs from macs53 list. With this settings it's impossible to connect by ssh from CentOS 6 to a server with CentOS 7 -- you can see it, when you compare lists macs53 and macs66.

Expected behavior
In man sshd_config with openssh v. 5.3p1-104.el6_6.1 you can see:

  MACs    Specifies the available MAC (message authentication code) algorithms.  The MAC algorithm is used in protocol version 2 for data integrity protection.  Multiple             
         algorithms must be comma-separated.  The default is:

               hmac-md5,hmac-sha1,umac-64@openssh.com,
               hmac-ripemd160,hmac-sha1-96,hmac-md5-96,
               hmac-sha2-256,hmac-sha2-512

So macs from macs59 list are supported and could be used.

Actual behavior
Only macs from macs53 list are allowed.

OS / Environment
CentOS 6, openssh 5.3p1-104.el6_6.1

[chris-rock]

@wojciech-kopras Thank you for your report. You observe an interesting point where the baseline is only doing an openssh version guess. We should implement a proper openssh version detection and fallback to os-based guessing only if the openssh version could not be determined.

We implemented a similar logic in https://github.com/dev-sec/chef-ssh-hardening/blob/master/libraries/devsec_ssh.rb#L194-L205

Any help is welcome to make this happen.

[artem-sidorenko]

@chris-rock my new colleague wanted to contribute that, hopefully we will get this in the next time:-)

[wojciech-kopras]

Because of RedHat's backports policy probably there is no other way than conditional assigning of values.

[artem-sidorenko]

@wojciech-kopras do you maybe know if this support was backported by RH at some point or if it's/was a problem on our side for a long time?

[wojciech-kopras]

I don't know. I have noticed that, when I deployed ansible role for ssh and had to solve some connection issues.