Question

我用Twisted（15.5.0）海螺写了一个SSH服务器。但是RFC 6668为twisted.conch定义了hmac-sha2-512 MAC算法。不支持它。我想知道如何解决它。我有

   $ ssh -V
   OpenSSH_6.6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013

   (assh_env)[root@localhost asshpy]# python
   Python 2.7.8 (default, Nov 30 2015, 10:44:42) 
   [GCC 4.4.7 20120313 (Red Hat 4.4.7-16)] on linux2
   Type "help", "copyright", "credits" or "license" for more information.
   >>> import twisted
   >>> print twisted.version
   [Twisted, version 16.6.0]


   $ ssh 127.0.0.1 -m hmac-sha2-512 -vvv -p 2222
   OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
   debug1: Reading configuration data /etc/ssh/ssh_config
   debug1: /etc/ssh/ssh_config line 41: Applying options for *
   debug2: ssh_connect: needpriv 0
   debug1: Connecting to localhost [127.0.0.1] port 2222.
   debug2: fd 3 setting O_NONBLOCK
   debug1: fd 3 clearing O_NONBLOCK
   debug1: Connection established.
   debug3: timeout: 9988 ms remain after connect
   debug1: could not open key file '/etc/ssh/ssh_host_key': No such file or directory
   debug1: could not open key file '/etc/ssh/ssh_host_dsa_key': No such file or directory
   debug1: could not open key file '/etc/ssh/ssh_host_ecdsa_key': Permission denied
   debug1: could not open key file '/etc/ssh/ssh_host_rsa_key': Permission denied
   debug1: could not open key file '/etc/ssh/ssh_host_ed25519_key': Permission denied
   debug1: could not open key file '/etc/ssh/ssh_host_dsa_key': No such file or directory
   debug1: could not open key file '/etc/ssh/ssh_host_ecdsa_key': Permission denied
   debug1: could not open key file '/etc/ssh/ssh_host_rsa_key': Permission denied
   debug1: could not open key file '/etc/ssh/ssh_host_ed25519_key': Permission denied
   debug1: identity file /home/chenjian.chj/.ssh/id_rsa type -1
   debug1: identity file /home/chenjian.chj/.ssh/id_rsa-cert type -1
   debug1: identity file /home/chenjian.chj/.ssh/id_dsa type -1
   debug1: identity file /home/chenjian.chj/.ssh/id_dsa-cert type -1
   debug1: identity file /home/chenjian.chj/.ssh/id_ecdsa type -1
   debug1: identity file /home/chenjian.chj/.ssh/id_ecdsa-cert type -1
   debug1: identity file /home/chenjian.chj/.ssh/id_ed25519 type -1
   debug1: identity file /home/chenjian.chj/.ssh/id_ed25519-cert type -1
   debug1: Enabling compatibility mode for protocol 2.0
   debug1: Local version string SSH-2.0-OpenSSH_6.6.1
   debug1: Remote protocol version 2.0, remote software version Twisted
   debug1: no match: Twisted
   debug2: fd 3 setting O_NONBLOCK
   debug3: put_host_port: [127.0.0.1]:2222
   debug3: load_hostkeys: loading entries for host "[127.0.0.1]:2222" from file "/dev/null"
   debug3: load_hostkeys: loaded 0 keys
   debug1: SSH2_MSG_KEXINIT sent
   debug1: SSH2_MSG_KEXINIT received
   debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
   debug2: kex_parse_kexinit: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa,ssh-dss
   debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
   debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
   debug2: kex_parse_kexinit: hmac-sha2-512
   debug2: kex_parse_kexinit: hmac-sha2-512
   debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
   debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
   debug2: kex_parse_kexinit: 
   debug2: kex_parse_kexinit: 
   debug2: kex_parse_kexinit: first_kex_follows 0 
   debug2: kex_parse_kexinit: reserved 0 
   debug2: kex_parse_kexinit: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
   debug2: kex_parse_kexinit: ssh-rsa
   debug2: kex_parse_kexinit: aes256-ctr,aes256-cbc,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,cast128-cbc,blowfish-cbc,3des-cbc
   debug2: kex_parse_kexinit: aes256-ctr,aes256-cbc,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,cast128-cbc,blowfish-cbc,3des-cbc
   debug2: kex_parse_kexinit: hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-md5
   debug2: kex_parse_kexinit: hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-md5
   debug2: kex_parse_kexinit: none,zlib
   debug2: kex_parse_kexinit: none,zlib
   debug2: kex_parse_kexinit: 
   debug2: kex_parse_kexinit: 
   debug2: kex_parse_kexinit: first_kex_follows 0 
   debug2: kex_parse_kexinit: reserved 0 
   debug2: mac_setup: setup hmac-sha2-512
   debug1: kex: server->client aes128-ctr hmac-sha2-512 none
   debug2: mac_setup: setup hmac-sha2-512
   debug1: kex: client->server aes128-ctr hmac-sha2-512 none
   debug1: kex: diffie-hellman-group14-sha1 need=64 dh_need=64
   debug1: kex: diffie-hellman-group14-sha1 need=64 dh_need=64
   debug2: bits set: 1009/2048
   debug1: sending SSH2_MSG_KEXDH_INIT
   debug1: expecting SSH2_MSG_KEXDH_REPLY
   debug1: Server host key: RSA e4:63:c3:05:6c:37:bc:05:8d:94:8a:72:68:91:9c:24
   debug3: put_host_port: [127.0.0.1]:2222
   debug3: put_host_port: [127.0.0.1]:2222
   debug3: load_hostkeys: loading entries for host "[127.0.0.1]:2222" from file "/dev/null"
   debug3: load_hostkeys: loaded 0 keys
   debug3: load_hostkeys: loading entries for host "[127.0.0.1]:2222" from file "/dev/null"
   debug3: load_hostkeys: loaded 0 keys
   debug1: checking without port identifier
   debug3: load_hostkeys: loading entries for host "127.0.0.1" from file "/dev/null"
   debug3: load_hostkeys: loaded 0 keys
   Warning: Permanently added '[127.0.0.1]:2222' (RSA) to the list of known hosts.
   debug2: bits set: 1013/2048
   debug1: ssh_rsa_verify: signature correct
   debug2: kex_derive_keys
   debug2: set_newkeys: mode 1
   debug1: SSH2_MSG_NEWKEYS sent
   debug1: expecting SSH2_MSG_NEWKEYS
   debug2: set_newkeys: mode 0
   debug1: SSH2_MSG_NEWKEYS received
   debug1: SSH2_MSG_SERVICE_REQUEST sent
   Corrupted MAC on input.
   Disconnecting: Packet corrupt

在扭曲的ssh服务器中，日志为：

     2016-12-22 10:10:44+0800 [SSHServerTransport,0,10.101.227.11] kex alg, key alg: 'diffie-hellman-group14-sha1' 'ssh-rsa'
     2016-12-22 10:10:44+0800 [SSHServerTransport,0,10.101.227.11] outgoing: 'aes128-ctr' 'hmac-sha2-512' 'none'
     2016-12-22 10:10:44+0800 [SSHServerTransport,0,10.101.227.11] incoming: 'aes128-ctr' 'hmac-sha2-512' 'none'
     2016-12-22 10:10:44+0800 [SSHServerTransport,0,10.101.227.11] NEW KEYS
     2016-12-22 10:10:44+0800 [SSHServerTransport,0,10.101.227.11] Disconnecting with error, code 5
             reason: bad MAC
     2016-12-22 10:10:44+0800 [SSHServerTransport,0,10.101.227.11] connection lost

Answer 1

您必须升级到更新版本的Twisted; 15.5.0最近不足以实现hmac-sha2-512。如果您还没有正常工作的应用程序，我总是建议从最新版本的Twisted开始。

twisted：hmac-sha2-512 - 使用OpenSSH输入损坏的MAC

1 个答案: