Hello list,
To my astonishment the openssh versions on both C6 and C7 will by default negotiate an MD5 HMAC.
C6 client, C7 server:
debug2: mac_setup: found hmac-md5 debug1: kex: server->client aes128-ctr hmac-md5 none debug2: mac_setup: found hmac-md5 debug1: kex: client->server aes128-ctr hmac-md5 none
C7 client & server:
debug2: mac_setup: setup hmac-md5-etm@openssh.com debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none debug2: mac_setup: setup hmac-md5-etm@openssh.com debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none
I reported this issue upstream: https://bugzilla.redhat.com/show_bug.cgi?id=1417263 https://bugzilla.redhat.com/show_bug.cgi?id=1417264
You might want to add
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-512,hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1-etm@openssh.com,hmac-sha1,hmac-ripemd160-etm@openssh.com,hmac-ripemd160@openssh.com,hmac-ripemd160,umac-128@openssh.com,umac-128-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-sha1-96,umac-64-etm@openssh.com,umac-64@openssh.com
to your C7 ssh_config and sshd_config, or
MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,umac-64@openssh.com,hmac-sha1-96
to your C6 ssh_config and sshd_config.
You might also want to prune your cipher list to exclude RC4 = arcfour ciphers with the option "Ciphers". Compare http://www.theregister.co.uk/2013/09/06/nsa_cryptobreaking_bullrun_analysis/
Regards, Leonard.