Ssh from dropbear -->> No matching algo mac c->s

Hi,
When I use ssh user@host1 from OpenWrt, the connection succeeds...
but with host2 I get the message: No matching algo mac c->s
host1 has Ubuntu 20 installed and host2 has Home Assistant.

I think I must add a MAC on the sshd of host2, but I don't know which MAC or how.
Best regards

What version of OpenWrt?

I guess the Home Assistant, as an IoT device, is so tragically old that it has no secure crypto algorithms left to use that are approved by any modern cryptographic system.

OpenWrt 23.05.3 (r23809-234f1a2efa)

Some days ago I added a MAC to the sshd configuration of host2 (HA) and the connection was fine...

but I don't remember how I found which MACs are accepted by OpenWrt...
and so there is no history...

The whole error message will have two lists. The "C" ones are the standards supported by the client (local end) and the "S" ones are those offered by the server (remote end). As the client is upgraded, old insecure standards are intentionally removed from the default list, but their use can still be selected with the -o macs= option.

Using OpenSSH on a PC (not Dropbear on OpenWrt), connect to your Home Assistant instance with "debug2" messages enabled:

ssh -vv <ha-user>@<ha-host>

Find the part of the log that looks like this to figure out what MACs the server will accept:

debug2: peer server KEXINIT proposal
debug2: KEX algorithms: ...
debug2: host key algorithms: ...
debug2: ciphers ctos: ...
debug2: ciphers stoc: ...
debug2: MACs ctos: ...
debug2: MACs stoc: ...

Then use the -o macs= as explained by @mk24 to connect to the server. While you're there, update sshd so that both client and server are using up-to-date algorithms.
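An added example, not part of the original posts: a small shell helper that pulls the server's "MACs ctos" list out of saved ssh -vv output and prints the entries the client also supports. The function names, the sample log and the client list are constructed for illustration; take the real client list from the client itself.

```shell
#!/bin/sh
# server_macs: read `ssh -vv` output on stdin and print the server's
# comma-separated "MACs ctos" list (the c->s direction named in the error).
server_macs() {
    tr -d '\r' | awk '
        /peer server KEXINIT proposal/ { in_peer = 1; next }
        in_peer && /MACs ctos:/ { sub(/^.*MACs ctos:[ \t]*/, ""); print; exit }
    '
}

# common_macs CLIENT_LIST: stdin is `ssh -vv` output. Prints every MAC that is
# in both the client list and the server list, one per line, in client order.
common_macs() {
    client_list=$1
    server_list=$(server_macs)
    for mac in $(printf '%s' "$client_list" | tr ',' ' '); do
        case ",$server_list," in
            *",$mac,"*) printf '%s\n' "$mac" ;;
        esac
    done
}

# Constructed sample log: only the lines the parser needs.
SAMPLE_LOG='debug2: local client KEXINIT proposal
debug2: MACs ctos: hmac-sha2-256,hmac-sha1
debug2: MACs stoc: hmac-sha2-256,hmac-sha1
debug2: peer server KEXINIT proposal
debug2: MACs ctos: umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
debug2: MACs stoc: umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com'

# Assumed client MAC list (placeholder, not taken from the thread).
CLIENT_MACS='hmac-sha1,hmac-sha2-256'

match=$(printf '%s\n' "$SAMPLE_LOG" | common_macs "$CLIENT_MACS")
echo "common MACs: ${match:-none, negotiation would fail}"
```

An empty result means the two sides share no MAC, which is the condition behind the "No matching algo" message.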

Thanks.
host2 (HA) offers this:

MACs stoc: umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com

So I use an ssh command like this on OpenWrt:

ssh -o macs=umac-128-etm@openssh.com user@host2

ssh: Ignoring unknown configuration option 'macs=umac-128-etm@openssh.com'

On OpenWrt there is no o option, but m:
ssh -m help

The version of Dropbear is
Dropbear SSH client v2022.82
and the options with o are
ssh -o help
ssh: Available options:
ExitOnForwardFailure
DisableTrivialAuth
UseSyslog
Port

So I've found the trick:
on host2 I commented out the line with MACs, restarted sshd, and now it's OK.

#MACs -hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512...,

So it broke in your hands and you went blaming OpenWRT?