
Pass does not support EtM MACs

Open apfohl opened this issue 1 year ago • 4 comments

I'm using passforios with a provider running a Gitea based on NixOS. Recently NixOS decided to kick out non-EtM MACs for security reasons.

Unfortunately passforios seems to not support EtM at the moment. So I can't sync my repository atm.

The server logs say this, when I try to sync:

Jul 07 06:09:49 flora-6 sshd[980983]: Unable to negotiate with REDACTED_IP port 57747: no matching MAC found. Their offer: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-ripemd160,[email protected] [preauth]

Here is the change they made: https://github.com/NixOS/nixpkgs/commit/537d611a75e375716a5a0e75ad50190f082da743

And some reference why they did this:

  • https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67
  • https://blog.stribik.technology/2015/01/04/secure-secure-shell.html

I'm no Swift developer, but maybe it's easy to fix by updating a library. If it comes from iOS, of course, then you can't do anything. In that case I will ask for a more compatible selection of MAC algorithms.

Thanks for your time.

apfohl avatar Jul 07 '23 10:07 apfohl
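The log line above is the whole diagnosis: sshd lists the client's MAC offer, and none of it is an EtM variant, so an EtM-only server has nothing to pick. The following is an added example (not code from passforios, NixOS or anyone in this thread) that parses that sshd message, splits the client's offer into EtM and non-EtM MACs, and replays the SSH negotiation rule (RFC 4253 section 7.1: the first entry in the client's list that the server also accepts wins) against two server policies. The sample log lines, the IP and the policy lists are constructed for the example; the EtM-only list is an assumption in the spirit of the linked NixOS change, and the relaxed list adds the two plain SHA-2 MACs from the workaround later in this thread.

```python
"""Diagnose sshd 'no matching MAC found' failures against a server MAC policy."""
import re
from typing import Dict, List, Optional

# Constructed sample log lines modelled on the message in the issue. The IP,
# PID and offer list are placeholders, not the reporter's real values.
SAMPLE_LOGS = [
    "Jul 07 06:09:49 flora-6 sshd[980983]: Unable to negotiate with 192.0.2.10 "
    "port 57747: no matching MAC found. Their offer: hmac-sha2-256,hmac-sha2-512,"
    "hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-ripemd160,umac-64@openssh.com "
    "[preauth]",
    "Jul 07 06:10:02 flora-6 sshd[980990]: Accepted publickey for git from "
    "192.0.2.11 port 50122 ssh2",
]

# Server policies. ETM_ONLY is an assumed EtM-only list in the spirit of the
# NixOS change the issue links to; RELAXED adds the two plain SHA-2 MACs from
# the workaround posted later in the thread (its third entry was garbled by
# extraction, so it is not reproduced here).
ETM_ONLY = [
    "hmac-sha2-512-etm@openssh.com",
    "hmac-sha2-256-etm@openssh.com",
    "umac-128-etm@openssh.com",
]
RELAXED = ETM_ONLY + ["hmac-sha2-512", "hmac-sha2-256"]

NO_MAC_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Unable to negotiate with (?P<ip>\S+) port (?P<port>\d+): "
    r"no matching MAC found\. Their offer: (?P<offer>\S+)"
)


def is_etm(mac: str) -> bool:
    """OpenSSH names Encrypt-then-MAC variants with the '-etm@openssh.com' suffix."""
    return mac.endswith("-etm@openssh.com")


def parse_mac_failures(lines: List[str]) -> List[Dict]:
    """Extract MAC negotiation failures from sshd log lines; other lines are ignored."""
    failures = []
    for line in lines:
        m = NO_MAC_RE.search(line)
        if not m:
            continue
        offer = m.group("offer").split(",")
        failures.append({
            "ip": m.group("ip"),
            "port": int(m.group("port")),
            "offer": offer,
            "etm_offered": [x for x in offer if is_etm(x)],
            "legacy_offered": [x for x in offer if not is_etm(x)],
        })
    return failures


def negotiate_mac(client_offer: List[str], server_policy: List[str]) -> Optional[str]:
    """First MAC in the client's preference order that the server also accepts (RFC 4253)."""
    accepted = set(server_policy)
    for mac in client_offer:
        if mac in accepted:
            return mac
    return None


def diagnose(lines: List[str], policies: Dict[str, List[str]]) -> List[Dict]:
    """For each failure, report which policy (if any) would have let the client through."""
    report = []
    for f in parse_mac_failures(lines):
        outcome = {name: negotiate_mac(f["offer"], pol) for name, pol in policies.items()}
        report.append({**f, "outcome": outcome})
    return report


if __name__ == "__main__":
    for entry in diagnose(SAMPLE_LOGS, {"etm_only": ETM_ONLY, "relaxed": RELAXED}):
        print(f"{entry['ip']}:{entry['port']} offered {len(entry['offer'])} MACs, "
              f"{len(entry['etm_offered'])} of them EtM")
        for name, chosen in entry["outcome"].items():
            print(f"  {name:9s} -> {chosen or 'NO MATCH (connection fails)'}")
```

Run against a real `journalctl -u sshd` extract, this separates "client is legacy-only" (the passforios case: zero EtM entries in the offer) from "policy is merely too narrow", and it shows the cost of each relaxation: the client's own preference order decides, so adding plain `hmac-sha2-256` means that is what such a client will actually use.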

Add the following config to make passforios work temporarily on NixOS

  services.openssh.settings.Macs = [ # to make passforios work
    "hmac-sha2-512"
    "hmac-sha2-256"
    "[email protected]"
  ];

IMO, EtM is better than the original ones, so please support it.

Vonfry avatar Jul 11 '23 13:07 Vonfry


Yes, the Git provider did this for me, but ultimately they want to get rid of them sooner or later. So it would be nice if passforios could also move in that direction and try to support EtM macs.

apfohl avatar Jul 11 '23 13:07 apfohl

@mssun My repository provider removed the original ones again. So I cannot sync my passwords again. Is it possible to think about supporting EtM MACs soon?

apfohl avatar Nov 01 '23 07:11 apfohl

I audited the ssh client used by passforios using sshaudit.com and got a score of F- with the following breakdown:

  • Host Keys: 1 of 9 passing (11%)
  • Key Exchanges: 5 of 12 passing (41%)
  • Ciphers: 3 of 12 passing (25%)
  • MACs: 0 of 8 passing (0%)

Seems like the app needs some updates. I'll defer to others with more knowledge as to whether this level of security is a concern.

EDIT: I discovered in my instance that I had previously "hardened" the sshd config to only include the strongest MACs, which excluded all of passforios's MACs. I fixed it by adding back a couple of the adequate/sufficient MACs in the config. Works fine now and I still get an A+ on ssh-audit.com. This is a fantastic app, so hopefully some tweaks/updating will be made in due course. Thank you to the maintainers!!

bmclean2 avatar Nov 17 '23 23:11 bmclean2