
Connection failure with Dropbear (OpenWrt) - WebSSH prefers AES-CTR but rejects available MACs

Open mobuch opened this issue 1 month ago • 4 comments

Please note that the summary below has been generated by an LLM based on real-time debugging using the macOS terminal and logs from WebSSH.

Summary

The WebSSH client (iOS/macOS) fails to establish a connection with standard OpenWrt servers running Dropbear v2022.82 unless the "Allow weak algorithms" option is manually enabled.

The root cause appears to be a flaw in the cipher negotiation logic: the client prioritizes aes128-ctr over the available and more secure chacha20-poly1305@openssh.com. Because AES-CTR requires a separate MAC algorithm, and the client seemingly rejects standard non-EtM MACs (like hmac-sha2-256 offered by Dropbear), the handshake fails with "No matching mac algorithms supported".

The macOS terminal successfully negotiates chacha20-poly1305 (which has an implicit MAC), bypassing this issue entirely.

Steps to reproduce

  1. Set up a standard OpenWrt router (v23.05 or newer) with the default Dropbear SSH configuration (Dropbear v2022.82).
  2. Ensure the Dropbear server offers chacha20-poly1305@openssh.com and hmac-sha2-256 (verify with nmap --script ssh2-enum-algos).
  3. In WebSSH app (default settings, "Allow weak algorithms" OFF), try to connect to the router.
  4. Error is thrown: "Unable to agree upon client-to-server MAC algorithm" / "No matching mac algorithms supported".
  5. Enable "Allow weak algorithms" -> connection succeeds (likely falling back to SHA1 or accepting non-EtM SHA2).

Diagnostic Data & Logs

The following analysis is based on real-time debugging using macOS terminal and verbose logs from the WebSSH engine. Private data (IPs, paths, fingerprints) has been redacted.

  1. Server Capabilities Audit

     Command: `nmap --script ssh2-enum-algos -p 22 <ROUTER_IP>`

     Result: Confirmed the server supports modern algorithms (Ed25519, ChaCha20) but lacks EtM MACs.

     ```
     22/tcp open  ssh
     | ssh2-enum-algos: 
     |   kex_algorithms: (6)
     |       curve25519-sha256
     |       ...
     |   server_host_key_algorithms: (3)
     |       ssh-ed25519
     |       rsa-sha2-256
     |       ssh-rsa
     |   encryption_algorithms: (3)
     |       chacha20-poly1305@openssh.com
     |       aes128-ctr
     |       aes256-ctr
     |   mac_algorithms: (2)
     |       hmac-sha1
     |       hmac-sha2-256
     ```
  2. Reference Client Behavior (Success)

     Command: `ssh -vvv root@<ROUTER_IP>` (OpenSSH 9.9p2)

     Result: Successful connection using ChaCha20 (implicit MAC), bypassing the MAC negotiation issue.

     ```
     debug2: peer server KEXINIT proposal
     debug2: KEX algorithms: curve25519-sha256,...
     debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes256-ctr
     debug2: MACs ctos: hmac-sha1,hmac-sha2-256
     ...
     debug1: Host '<ROUTER_IP>' is known and matches the ED25519 host key.
     debug1: Server host key: ssh-ed25519 SHA256:<FINGERPRINT_REDACTED>
     debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
     ```
  3. WebSSH Failure Log (Snippet)

     Evidence of suboptimal cipher selection: the client sees chacha20-poly1305 but selects aes128-ctr, subsequently failing on MAC negotiation.

     ```xml
       <hostname><ROUTER_IP></hostname>
       <serverKex>
         <EncCS>
           <algorithm>chacha20-poly1305@openssh.com</algorithm>
           <algorithm>aes128-ctr</algorithm>
           <algorithm>aes256-ctr</algorithm>
         </EncCS>
         <MacCS>
           <algorithm>hmac-sha1</algorithm>
           <algorithm>hmac-sha2-256</algorithm>
         </MacCS>

         <!-- The Issue: Client chooses AES instead of ChaCha20 -->
         <ChosenIncomingEncryption>aes128-ctr</ChosenIncomingEncryption>
         <ChosenOutgoingEncryption>aes128-ctr</ChosenOutgoingEncryption>

         <!-- The Result: Fatal error on MACs -->
         <error>No matching mac algorithms supported.</error>
         <error>Unable to agree upon server-to-client MAC algorithm.</error>
       </serverKex>
     </connectInner>
     ```

mobuch avatar Dec 06 '25 16:12 mobuch

Thank you for your feedback! 🙏 Arnaud (@isontheline) will respond within a few hours. In the meantime, please feel free to add any additional information that may help us resolve or improve WebSSH.

github-actions[bot] avatar Dec 06 '25 16:12 github-actions[bot]

You can enable or disable MAC algorithms using the MACs keyword in your ssh_config file.

For example, to enable the hmac-sha2-256 MAC algorithm, you can add the following line to your ssh_config file:

```
Host *
  MACs +hmac-sha2-256
```

To disable hmac-sha1 and hmac-ripemd160 MAC algorithms, you can add the following line to your ssh_config file:

```
Host *
  MACs -hmac-sha1,-hmac-ripemd160
```

To set only hmac-sha2-256 and hmac-sha2-512 MAC algorithms, you can add the following line to your ssh_config file:

```
Host *
  MACs hmac-sha2-256,hmac-sha2-512
```

isontheline avatar Dec 06 '25 16:12 isontheline

yup, was testing exactly that and came up with the same solution, thank you!

```
# 1: Force ChaCha20 (AEAD - the safest)
# 2: Backup to AES-256 in case WebSSH rejects ChaCha
Ciphers chacha20-poly1305@openssh.com,aes256-ctr,aes128-ctr

# Safety-net:
MACs +hmac-sha2-256
```

mobuch avatar Dec 06 '25 16:12 mobuch
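As an added illustration of the negotiation described in the report and of why the config above fixes it (this is example code written for this page, not WebSSH, Dropbear or OpenSSH code, and not from anyone in the thread), the following Python simulates the RFC 4253 rule "first algorithm in the client's list that the server also supports" and the ssh_config(5) list operators used in the replies. The Dropbear lists are taken from the nmap output in the issue; `WEBSSH_CIPHERS`, `WEBSSH_MACS` and `WEAK_MACS` are assumptions consistent with the failure log, not verified against the app, and all function names are mine.

```python
# Simulation of SSH cipher/MAC negotiation (RFC 4253 section 7.1) and of
# ssh_config(5) Ciphers/MACs directive handling. Example code for this issue
# thread; not WebSSH, Dropbear or OpenSSH code.
from fnmatch import fnmatchcase
from typing import NamedTuple, Optional

# AEAD ciphers authenticate their own data, so no separate MAC is negotiated
# (OpenSSH logs "MAC: <implicit>" for them).
AEAD_CIPHERS = {
    "chacha20-poly1305@openssh.com",
    "aes128-gcm@openssh.com",
    "aes256-gcm@openssh.com",
}

# Server side: Dropbear on OpenWrt, as listed by ssh2-enum-algos in the issue.
DROPBEAR_CIPHERS = ["chacha20-poly1305@openssh.com", "aes128-ctr", "aes256-ctr"]
DROPBEAR_MACS = ["hmac-sha1", "hmac-sha2-256"]

# Client side: ASSUMED WebSSH defaults consistent with the failure log
# (AES-CTR ranked first, only encrypt-then-MAC HMACs accepted).
WEBSSH_CIPHERS = ["aes128-ctr", "aes256-ctr", "chacha20-poly1305@openssh.com"]
WEBSSH_MACS = ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com"]
# ASSUMED: what the "Allow weak algorithms" switch appends to the MAC list.
WEAK_MACS = ["hmac-sha2-256", "hmac-sha1"]


class Result(NamedTuple):
    cipher: Optional[str]
    mac: Optional[str]
    error: Optional[str]


def choose(client: list, server: list) -> Optional[str]:
    """RFC 4253: the first client-preferred algorithm the server also offers."""
    return next((alg for alg in client if alg in server), None)


def negotiate(client_ciphers, client_macs, server_ciphers, server_macs) -> Result:
    """One direction (e.g. client-to-server) of the cipher/MAC negotiation."""
    cipher = choose(client_ciphers, server_ciphers)
    if cipher is None:
        return Result(None, None, "No matching cipher algorithms supported.")
    if cipher in AEAD_CIPHERS:
        # Integrity comes with the cipher; the MAC lists are never consulted.
        return Result(cipher, "<implicit>", None)
    mac = choose(client_macs, server_macs)
    if mac is None:
        return Result(cipher, None, "No matching mac algorithms supported.")
    return Result(cipher, mac, None)


def apply_directive(defaults: list, value: str) -> list:
    """ssh_config(5) list semantics for Ciphers/MACs: a plain list replaces the
    defaults; a single leading '+' appends, '-' removes (patterns allowed) and
    '^' moves to the front. The leading character applies to the whole list."""
    if value and value[0] in "+-^":
        op, body = value[0], value[1:]
    else:
        op, body = "", value
    items = [i for i in body.split(",") if i]
    if op == "+":
        return defaults + [i for i in items if i not in defaults]
    if op == "-":
        return [d for d in defaults if not any(fnmatchcase(d, p) for p in items)]
    if op == "^":
        return items + [d for d in defaults if d not in items]
    return items


def webssh_default() -> Result:
    """Default settings: AES-CTR wins, then no common MAC -> failure."""
    return negotiate(WEBSSH_CIPHERS, WEBSSH_MACS, DROPBEAR_CIPHERS, DROPBEAR_MACS)


def webssh_allow_weak() -> Result:
    """'Allow weak algorithms' on: still AES-CTR, but a non-EtM HMAC is now accepted."""
    return negotiate(WEBSSH_CIPHERS, WEBSSH_MACS + WEAK_MACS, DROPBEAR_CIPHERS, DROPBEAR_MACS)


def webssh_with_config() -> Result:
    """The fix from the thread: ChaCha20 first, hmac-sha2-256 kept as a safety net."""
    ciphers = apply_directive(WEBSSH_CIPHERS, "chacha20-poly1305@openssh.com,aes256-ctr,aes128-ctr")
    macs = apply_directive(WEBSSH_MACS, "+hmac-sha2-256")
    return negotiate(ciphers, macs, DROPBEAR_CIPHERS, DROPBEAR_MACS)


if __name__ == "__main__":
    for name, fn in [("default", webssh_default), ("allow weak", webssh_allow_weak),
                     ("config fix", webssh_with_config)]:
        print(f"{name:11s} -> {fn()}")
```

The point the simulation makes: the MAC error is a symptom, not the cause. With the assumed preference order the client never reaches the AEAD cipher that needs no MAC, so any fix that reorders `Ciphers` avoids the MAC lists entirely, while the `MACs +hmac-sha2-256` line only matters if ChaCha20 is ever rejected and AES-CTR is chosen again.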

Thank you so much for your feedback 🙏

isontheline avatar Dec 06 '25 17:12 isontheline