
(mac) unknown algorithm(s) found!: aes128-gcm@openssh.com,aes256-gcm@openssh.com

Open rein123 opened this issue 11 months ago • 5 comments

Hi! Using https://github.com/jtesta/ssh-audit/releases/tag/v3.3.0 I want to report the following:

```
Starting audit of 192.168.0.10:22...
# general
(gen) banner: SSH-2.0-Mocana SSH
(gen) compatibility: OpenSSH 7.4+, Dropbear SSH 2020.79+
(gen) compression: disabled
# key exchange algorithms
(kex) curve25519-sha256              -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
(kex) curve25519-sha256              -- [info] default key exchange from OpenSSH 7.4 to 8.9
(kex) curve25519-sha256@libssh.org   -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
(kex) curve25519-sha256@libssh.org   -- [info] default key exchange from OpenSSH 6.5 to 7.3
(kex) ecdh-sha2-nistp521             -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
(kex) ecdh-sha2-nistp521             -- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp384             -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
(kex) ecdh-sha2-nistp384             -- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp256             -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
(kex) ecdh-sha2-nistp256             -- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) diffie-hellman-group15-sha512
(kex) diffie-hellman-group16-sha512  -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
(kex) diffie-hellman-group17-sha512
(kex) diffie-hellman-group18-sha512  -- [info] available since OpenSSH 7.3
# host-key algorithms
(key) ssh-ed25519                    -- [info] available since OpenSSH 6.5, Dropbear SSH 2020.79
# encryption algorithms (ciphers)
(enc) AEAD_AES_128_GCM
(enc) aes128-gcm@openssh.com         -- [info] available since OpenSSH 6.2
(enc) AEAD_AES_256_GCM
(enc) aes256-gcm@openssh.com         -- [info] available since OpenSSH 6.2
(enc) aes128-ctr                     -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
(enc) aes256-ctr                     -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
(enc) aes192-ctr                     -- [info] available since OpenSSH 3.7
# message authentication code algorithms
(mac) AEAD_AES_128_GCM
(mac) aes128-gcm@openssh.com         -- [warn] unknown algorithm
(mac) AEAD_AES_256_GCM
(mac) aes256-gcm@openssh.com         -- [warn] unknown algorithm
(mac) hmac-sha2-512                  -- [warn] using encrypt-and-MAC mode
(mac) hmac-sha2-512                  -- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
# fingerprints
(fin) ssh-ed25519: SHA256:OXv9gviji0wo4O4jr4NVZsFYKT1CKkQuZ4fTlcK0E0U
(fin) ssh-ed25519: MD5:35:e8:82:81:53:ea:0f:4a:95:a2:5d:88:ba:a4:0d:14 -- [info] do not rely on MD5 fingerprints for server identification; it is insecure for this use case

!!! WARNING: unknown algorithm(s) found!: aes128-gcm@openssh.com,aes256-gcm@openssh.com.  If this is the latest version of ssh-audit (see <https://github.com/jtesta/ssh-audit/releases>), please create a new Github issue at <https://github.com/jtesta/ssh-audit/issues> with the full output above.
```

rein123, Jan 23 '25 15:01

Well this is rather interesting! Those two algorithms are already supported by ssh-audit (and have been for many, many years). Seems like there might be a bug somewhere.

I see that your target server is identifying itself as "Mocana SSH". I can't find much information about it, though. Can you perhaps explain what product/software stack that is?

Or even better: if you can share the address of a host with that SSH server that is reachable from the Internet, then I could debug this quickly without having to install anything locally.

Thanks!

jtesta, Jan 23 '25 17:01

Unfortunately, I cannot provide an interface for you to test it directly, since the device is currently in development. The used stack is from https://dev.digicert.com/en/trustcore-sdk/nanossh.html

Seems like "aes128-gcm" is maybe not an issue but the "@openssh.com" variant of it.

rein123, Jan 28 '25 22:01

@rein123: just thought I'd check again to see if perhaps an external instance is now available. Since the code looks right already, the only way to further debug this would be against a live system. Thanks!

jtesta, Apr 18 '25 23:04

This page shows some of the supported ciphers. There doesn't seem to be much public documentation about the other supported features.

perkelix, Apr 19 '25 10:04

Sorry for the delay. I got informed that in a few weeks the product team will arrange a setup which is accessible via the Internet. I will keep you updated as soon as it is available.

rein123, Apr 25 '25 15:04

@rein123: Since some time has passed, I thought I'd check to see if any service is publicly available now that exhibits this behavior. Thanks!

jtesta, Aug 17 '25 20:08

Got informed from our product development that they think that it is a bug in the Mocana Trustcore Library. "When aes128-gcm@openssh.com and aes256-gcm@openssh.com encryption algorithms are chosen, it will implicitly choose MAC algorithms as none but wrongly populating aes128-gcm@openssh.com and aes256-gcm@openssh.com as supported MAC." They will reach out to Mocana and try to fix it next version. I think we can close the thread. Thx so much for your patience and ssh-audit in general :)

rein123, Aug 20 '25 12:08
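
The mismatch described in the comment above can be checked directly on a server's SSH_MSG_KEXINIT payload, whose ten name-lists follow RFC 4253 section 7.1. This is an added example, not code from the thread, ssh-audit or the vendor; the function names and the constructed sample payload (built to mirror the enc/mac lists in the audit output) are assumptions.

```python
import struct

SSH_MSG_KEXINIT = 20
# Order of the ten name-lists in SSH_MSG_KEXINIT (RFC 4253, section 7.1).
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
# Per the analysis quoted above, these are cipher names and should not be listed as MACs.
CIPHER_ONLY_AEAD = {"aes128-gcm@openssh.com", "aes256-gcm@openssh.com"}

def build_kexinit(lists):
    """Encode a KEXINIT payload from a dict of name-lists (used for the sample only)."""
    out = bytes([SSH_MSG_KEXINIT]) + bytes(16)  # message type + zeroed cookie
    for field in FIELDS:
        names = ",".join(lists.get(field, [])).encode("ascii")
        out += struct.pack(">I", len(names)) + names
    return out + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

def parse_kexinit(payload):
    """Decode the ten name-lists, rejecting truncated or malformed payloads."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    pos, lists = 17, {}
    for field in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated length for " + field)
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + n > len(payload):
            raise ValueError("truncated name-list for " + field)
        raw = payload[pos:pos + n].decode("ascii")
        lists[field] = raw.split(",") if raw else []
        pos += n
    return lists

def misadvertised_macs(lists):
    """Return cipher-only AEAD names that also appear in a MAC name-list."""
    macs = set(lists["mac_c2s"]) | set(lists["mac_s2c"])
    return sorted(macs & CIPHER_ONLY_AEAD)

# Constructed sample mirroring the enc/mac lists in the audit output above.
ENC = ["AEAD_AES_128_GCM", "aes128-gcm@openssh.com", "AEAD_AES_256_GCM",
       "aes256-gcm@openssh.com", "aes128-ctr", "aes256-ctr", "aes192-ctr"]
MAC = ENC[:4] + ["hmac-sha2-512"]
SAMPLE = build_kexinit({"kex": ["curve25519-sha256"], "host_key": ["ssh-ed25519"],
                        "enc_c2s": ENC, "enc_s2c": ENC, "mac_c2s": MAC, "mac_s2c": MAC,
                        "comp_c2s": ["none"], "comp_s2c": ["none"]})

if __name__ == "__main__":
    print(misadvertised_macs(parse_kexinit(SAMPLE)))
```
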

Sure thing! And thanks for reporting it, regardless!

jtesta, Aug 30 '25 19:08