Pass does not support EtM MACs #624

Open
apfohl opened this issue Jul 7, 2023 · 4 comments
Comments

apfohl commented Jul 7, 2023

I'm using passforios with a provider running a Gitea based on NixOS. Recently NixOS decided to kick out non-EtM MACs for security reasons.

Unfortunately, passforios does not seem to support EtM at the moment. So I can't sync my repository atm.

The server logs say this, when I try to sync:

Jul 07 06:09:49 flora-6 sshd[980983]: Unable to negotiate with REDACTED_IP port 57747: no matching MAC found. Their offer: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-ripemd160@openssh.com [preauth]

Here is the change they made: NixOS/nixpkgs@537d611

And some references on why they did this:

I'm no Swift developer, but maybe it's easy to fix by updating a library. If it comes from iOS, of course, then you can't do anything. In that case I will ask for a more compatible selection of MAC algorithms.

Thanks for your time.

Vonfry commented Jul 11, 2023

Add the following config to make passforios work temporarily on NixOS:

  services.openssh.settings.Macs = [ # to make passforios work
    "hmac-sha2-512"
    "hmac-sha2-256"
    "umac-128@openssh.com"
  ];

IMO, EtM is better than the original ones, so please support it.
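The sshd log line in the first comment and the MACs list in the workaround above are enough to reproduce the negotiation failure on paper. The following is an added example (not passforios code and not the NixOS module) that parses sshd's "no matching MAC found. Their offer: ..." diagnostic, classifies the client's MACs as EtM / non-EtM / weak, and applies the RFC 4253 selection rule (first entry in the client's list that the server also accepts) against two server policies. The "workaround" list is the one posted in this thread; the "etm_only" list and the WEAK_MACS set are assumptions made for illustration, not a quote of the NixOS commit.

```python
import re

# Constructed from the sshd log line quoted in the issue (client IP already redacted).
# sshd logs the *client's* MAC offer when nothing in it matches the server's policy.
SAMPLE_LOG = (
    "Jul 07 06:09:49 flora-6 sshd[980983]: Unable to negotiate with REDACTED_IP port 57747: "
    "no matching MAC found. Their offer: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96,"
    "hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-ripemd160@openssh.com [preauth]"
)

# Two server-side MAC policies to test the offer against.
# "workaround" is the list posted in this thread (services.openssh.settings.Macs).
# "etm_only" is an ASSUMED hardened policy for illustration: encrypt-then-MAC variants only.
SERVER_POLICIES = {
    "etm_only": [
        "hmac-sha2-512-etm@openssh.com",
        "hmac-sha2-256-etm@openssh.com",
        "umac-128-etm@openssh.com",
    ],
    "workaround": ["hmac-sha2-512", "hmac-sha2-256", "umac-128@openssh.com"],
}

# Matches sshd's "no matching X found. Their offer: a,b,c" diagnostic.
OFFER_RE = re.compile(
    r"no matching (?P<what>MAC|cipher|key exchange method|host key type) found\. "
    r"Their offer: (?P<offer>\S+)"
)

# ASSUMED classification: MD5, SHA-1, RIPEMD-160 and truncated-tag MACs are treated as weak,
# which is how ssh-audit style hardening guides generally grade them.
WEAK_MACS = {
    "hmac-md5", "hmac-md5-96", "hmac-sha1", "hmac-sha1-96",
    "hmac-ripemd160", "hmac-ripemd160@openssh.com",
}


def parse_offer(line):
    """Return (algorithm class, [names the client offered]) or None if the line is not a negotiation failure."""
    m = OFFER_RE.search(line)
    if m is None:
        return None
    return m.group("what"), m.group("offer").split(",")


def is_etm(mac):
    """OpenSSH names its encrypt-then-MAC variants with the -etm@openssh.com suffix."""
    return mac.endswith("-etm@openssh.com")


def negotiate(client_offer, server_list):
    """RFC 4253 section 7.1: the chosen algorithm is the first entry in the client's
    list that the server also supports. None means sshd drops the connection."""
    for name in client_offer:
        if name in server_list:
            return name
    return None


def classify_macs(offer):
    """Split a MAC offer into EtM, non-EtM-but-acceptable (encrypt-and-MAC), and weak groups."""
    return {
        "etm": [m for m in offer if is_etm(m)],
        "eam": [m for m in offer if not is_etm(m) and m not in WEAK_MACS],
        "weak": [m for m in offer if m in WEAK_MACS],
    }


def assess(line, policies=SERVER_POLICIES):
    """Parse one sshd log line and report which server MAC policies the client could satisfy."""
    parsed = parse_offer(line)
    if parsed is None or parsed[0] != "MAC":
        return None
    _, offer = parsed
    return {
        "offer": offer,
        "groups": classify_macs(offer),
        "negotiated": {name: negotiate(offer, macs) for name, macs in policies.items()},
    }


if __name__ == "__main__":
    report = assess(SAMPLE_LOG)
    print("client offered EtM MACs:", report["groups"]["etm"] or "none")
    print("weak MACs in offer:", ", ".join(report["groups"]["weak"]))
    for policy, chosen in report["negotiated"].items():
        print(f"{policy:>10}: {chosen or 'no matching MAC (connection refused)'}")
```

Run against the log line from the issue, the offer contains no EtM name at all, so the "etm_only" policy yields no match while the "workaround" policy selects hmac-sha2-256 (the first client entry the server also lists). The same function can be pointed at a server's actual `sshd -T | grep macs` output to check a proposed MACs line before deploying it.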

apfohl commented Jul 11, 2023

> Add the following config to make passforios work temporarily on NixOS:
>
>   services.openssh.settings.Macs = [ # to make passforios work
>     "hmac-sha2-512"
>     "hmac-sha2-256"
>     "umac-128@openssh.com"
>   ];
>
> IMO, EtM is better than the original ones, so please support it.

Yes, the Git provider did this for me, but ultimately they want to get rid of them sooner or later. So it would be nice if passforios could also move in that direction and try to support EtM macs.

apfohl commented Nov 1, 2023

@mssun My repository provider removed the original ones again, so I cannot sync my passwords again. Is it possible to think about supporting EtM MACs soon?

bmclean2 commented Nov 17, 2023

I audited the ssh client used by passforios using sshaudit.com and got a score of F- with the following breakdown:

Host Keys: 1 of 9 passing (11%)
Key Exchanges: 5 of 12 passing (41%)
Ciphers: 3 of 12 passing (25%)
MACs: 0 of 8 passing (0%)

Seems like the app needs some updates. I'll defer to others with more knowledge as to whether this level of security is a concern.

EDIT: I discovered in my instance that I had previously "hardened" the sshd config to only include the strongest MACs, which excluded all of passforios's MACs. I fixed it by adding back a couple of the adequate/sufficient MACs in the config. Works fine now and I still get an A+ on ssh-audit.com. This is a fantastic app, so hopefully some tweaks/updating will be made in due course. Thank you to the maintainers!!
