Hello,
As part of securing SFTP access by explicitly configuring host key, KEX, MAC and cipher algorithms, I found that explicitly setting the allowed MAC algorithms seems to have no effect.
This is the code I'm using to configure the MAC algorithms (sftp is an instance of Rebex.Net.Sftp):
// Enable all MAC algorithms first, then restrict to an explicit, ordered list
sftp.Settings.SshParameters.MacAlgorithms = SshMacAlgorithm.Any;
sftp.Settings.SshParameters.SetMacAlgorithms(new[]
{
    "hmac-sha2-512-etm@openssh.com",
    "hmac-sha2-256-etm@openssh.com",
    "hmac-sha2-512",
    "hmac-sha2-256",
    "hmac-sha1"
});
I tested connecting to an OpenSSH SFTP server where the MAC algorithms are configured as follows in sshd_config:
MACs hmac-md5
I would expect to see a message similar to the following (except for MAC) when trying to connect:
Negotiation failed. The client and the server have no common host key
algorithm. Server supports 'ecdsa-sha2-nistp384' which is not enabled
at the client.
However there is no error and the connection succeeds.
I'm currently on version 6.0.8432, but I checked the change log and didn't see anything related to MACs in the most recent releases.
Is this a bug or am I doing something incorrect in the code?
Just to note, the line
sftp.Settings.SshParameters.MacAlgorithms = SshMacAlgorithm.Any;
has been added because I found when explicitly setting the host key algorithms to include ecdh-sha2-nistp384 and ecdh-sha2-nistp521 through SetHostKeyAlgorithms, the algorithms were not enabled unless I also changed the HostKeyAlgorithms property to include them (through the Any enum member). This doesn't appear to be documented behavior.
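As an added example that is not code from this post or from Rebex, here is the SSH name-list negotiation rule from RFC 4253 section 7.1 applied in Python to the MAC lists above, so you can see what a correctly restricted client should have produced against a server configured with `MACs hmac-md5`. The constant and function names are my own.

```python
# Added example (not Rebex code): RFC 4253 section 7.1 name-list negotiation.
# For each algorithm category the chosen algorithm is the first entry in the
# client's preference list that the server also advertises; if there is no
# overlap the handshake must fail. The lists below are the values from the
# question, so the expected outcome against "MACs hmac-md5" is a failure.
from typing import List, Optional

# Client MAC list as configured via SetMacAlgorithms in the question.
CLIENT_MACS = [
    "hmac-sha2-512-etm@openssh.com",
    "hmac-sha2-256-etm@openssh.com",
    "hmac-sha2-512",
    "hmac-sha2-256",
    "hmac-sha1",
]


def parse_name_list(raw: str) -> List[str]:
    """Parse a comma-separated SSH name-list (sshd_config value or KEXINIT field)."""
    return [name.strip() for name in raw.split(",") if name.strip()]


def negotiate(client: List[str], server: List[str]) -> Optional[str]:
    """Return the negotiated algorithm, or None when client and server share none."""
    server_set = set(server)
    for name in client:  # client preference order decides, not server order
        if name in server_set:
            return name
    return None


def negotiation_report(client: List[str], server: List[str], category: str) -> str:
    """Render the outcome in the same wording the question expects from the client."""
    chosen = negotiate(client, server)
    if chosen is None:
        return (f"Negotiation failed. The client and the server have no common "
                f"{category} algorithm. Server supports '{', '.join(server)}' "
                f"which is not enabled at the client.")
    return f"Negotiated {category} algorithm: {chosen}"


if __name__ == "__main__":
    server_macs = parse_name_list("hmac-md5")  # from the sshd_config in the question
    print(negotiation_report(CLIENT_MACS, server_macs, "MAC"))
    # Client order wins even when the server prefers a weaker algorithm:
    print(negotiation_report(CLIENT_MACS, parse_name_list("hmac-sha1,hmac-sha2-256"), "MAC"))
    # If the restriction were silently ignored and hmac-md5 stayed enabled on the
    # client side, the connection would succeed, matching the observed behaviour.
    print(negotiation_report(CLIENT_MACS + ["hmac-md5"], server_macs, "MAC"))
```

Running it prints the failure message for the `hmac-md5` server, which is the result the client should produce if the restriction is actually applied.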