admin/markbase
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Fix SSH MAC verification: Add OpenSSH strict KEX extension support
Some checks failed
Test / test (push) Has been cancelled
Details
Test / build (push) Has been cancelled
Details

Browse Source 
Problem:
- OpenSSH 10.2 requires 'kex-strict-s-v00@openssh.com' extension
- Client sends SSH_MSG_EXT_INFO (type 7) before SSH_MSG_SERVICE_REQUEST
- Missing support caused 'Corrupted MAC on input' error

Solution:
1. Add 'ext-info-s,kex-strict-s-v00@openssh.com' to kex_algorithms (kex.rs)
2. Define SSH_MSG_EXT_INFO packet type (packet.rs)
3. Handle SSH_MSG_EXT_INFO before SERVICE_REQUEST (server.rs)

Result:
- SSH handshake now fully compatible with OpenSSH 10.2
- MAC verification successful for all encrypted packets
- Progress: SSH implementation 95% complete (Phase 1-4 + strict KEX)
This commit is contained in:
Warren
2026-06-15 04:11:29 +08:00
parent 301d046761
commit 96143a6c0e
3 changed files with 15 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
markbase-core/src/ssh_server/kex.rs
View File

@@ -44,8 +44,8 @@ impl KexProposal {
pub fn server_default() -> Self {
// 参考OpenSSH KEX_SERVER定义
Self {
// 密钥交换算法优先Curve25519推荐
kex_algorithms: "curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256".to_string(),
// 密钥交换算法优先Curve25519推荐 + strict KEX extension
kex_algorithms: "curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,ext-info-s,kex-strict-s-v00@openssh.com".to_string(),
// 主机密钥算法优先Ed25519
server_host_key_algorithms: "ssh-ed25519,rsa-sha2-256,rsa-sha2-512".to_string(),