I think the proposal rampaging went one algorithm too far. sha1 is the best algorithm supported by many clients and it's still pretty secure. Without it, a lot of clients have stopped working. Temporarily alleviate the pain?
Index: myproposal.h
===================================================================
RCS file: /cvs/src/usr.bin/ssh/myproposal.h,v
retrieving revision 1.40
diff -u -p -r1.40 myproposal.h
--- myproposal.h 30 Apr 2014 19:07:48 -0000 1.40
+++ myproposal.h 11 Jul 2014 09:31:21 -0000
@@ -69,19 +69,19 @@
 "umac-128-...@openssh.com," \
 "hmac-sha2-256-...@openssh.com," \
 "hmac-sha2-512-...@openssh.com," \
+ "hmac-sha1-...@openssh.com," \
 "umac...@openssh.com," \
 "umac-...@openssh.com," \
 "hmac-sha2-256," \
- "hmac-sha2-512" \
+ "hmac-sha2-512," \
+ "hmac-sha1"
 #define KEX_CLIENT_MAC KEX_SERVER_MAC "," \
 "hmac-md5-...@openssh.com," \
- "hmac-sha1-...@openssh.com," \
 "hmac-ripemd160-...@openssh.com," \
 "hmac-sha1-96-...@openssh.com," \
 "hmac-md5-96-...@openssh.com," \
 "hmac-md5," \
- "hmac-sha1," \
 "hmac-ripemd160," \
 "hmac-ripemd...@openssh.com," \
 "hmac-sha1-96," \
@@ -102,16 +102,16 @@
 "umac-128-...@openssh.com," \
 "hmac-sha2-256-...@openssh.com," \
 "hmac-sha2-512-...@openssh.com," \
+ "hmac-sha1-...@openssh.com," \
 "umac...@openssh.com," \
 "umac-...@openssh.com," \
 "hmac-sha2-256," \
- "hmac-sha2-512"
+ "hmac-sha2-512," \
+ "hmac-sha1"
 #define KEX_CLIENT_KEX KEX_SERVER_KEX
 #define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT
-#define KEX_CLIENT_MAC KEX_SERVER_MAC "," \
- "hmac-sha1-...@openssh.com," \
- "hmac-sha1"
+#define KEX_CLIENT_MAC KEX_SERVER_MAC
 #endif /* WITH_OPENSSL */
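Review bot: Nothing in the new server list marks the two added entries, `"hmac-sha1-...@openssh.com,"` and `"hmac-sha1"`, as a compatibility concession, although the description calls the change temporary. The same applies to the second hunk (`@@ -102,16 +102,16 @@`). A comment above the KEX_SERVER_MAC definition, which starts outside both hunks, would keep that intent visible, e.g. `/* hmac-sha1 stays in the server default only for clients that lack hmac-sha2; revisit */`. The comment could also record that the SHA-1 EtM entry is deliberately listed ahead of the non-EtM `hmac-sha2-256`/`hmac-sha2-512` entries, since KEX_CLIENT_MAC is built from this list and inherits its preference order. Sites that do not need SHA-1 MACs can still narrow the set with `MACs` in sshd_config.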