Support for more secure SSH MACs (BB-11891)

Issue #10838 closed
Ben Chociej created an issue

I understand that it is not possible for Bitbucket to support ECDSA for SSH at this time. However, I think improvements can still be made. Namely, I wonder if some higher-security MACs could be enabled?

This is the motivating article, for reference: https://stribika.github.io/2015/01/04/secure-secure-shell.html

Some examples of higher-security MACs are hmac-sha2-512-etm@openssh.com and hmac-sha2-256-etm@openssh.com.

Currently the Bitbucket SSH servers advertise these weak MACs to my client: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96.

Official response

  • Alastair Wilkes staff

    With the deployment of our new SSH infrastructure, ECDSA and ED25519 keys are now supported, and we now support only hmac-sha2-256 (prioritized on our end), and hmac-sha1 & hmac-sha1-96 (for backwards compatibility) MACs. Although this is a leaner list than before, it now includes hmac-sha2-256 (which is an improvement), so we're going to resolve this issue.

    If there's a specific MAC that you'd like to see supported, please file an issue (with component "SSH") so we can gauge demand. However, we have no immediate plans to make further additions. Thank you!
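An added example, not part of the original issue and not Bitbucket's code: a server advertises its MACs in the `SSH_MSG_KEXINIT` message (RFC 4253, section 7.1), and this sketch parses that payload and reports the server-to-client MACs outside a local policy. The `PREFERRED_MACS` policy, the helper names and the sample packets are assumptions constructed for illustration; only the two MAC lists come from the posts above.

```python
import struct
SSH_MSG_KEXINIT = 20
# Order of the ten name-lists in SSH_MSG_KEXINIT (RFC 4253, section 7.1).
FIELDS = (
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_client_to_server", "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server", "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server", "compression_algorithms_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
)
# Assumed local policy (not Bitbucket's): MACs accepted without a finding.
PREFERRED_MACS = {
    "hmac-sha2-256", "hmac-sha2-512",
    "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
}

def parse_kexinit(payload: bytes) -> dict:
    """Parse an SSH_MSG_KEXINIT payload into {field: [algorithm names]}."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    pos, out = 17, {}  # skip message type (1 byte) and cookie (16 bytes)
    for field in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError(f"truncated before {field}")
        (n,) = struct.unpack_from(">I", payload, pos)  # uint32 list length
        pos += 4
        if pos + n > len(payload):
            raise ValueError(f"name-list {field} overruns payload")
        raw = payload[pos:pos + n].decode("ascii")
        out[field] = raw.split(",") if raw else []
        pos += n
    return out

def flag_macs(payload: bytes) -> list:
    """Return server-to-client MACs outside PREFERRED_MACS, in advertised order."""
    macs = parse_kexinit(payload)["mac_algorithms_server_to_client"]
    return [m for m in macs if m not in PREFERRED_MACS]

def build_sample(macs: str) -> bytes:
    """Constructed KEXINIT payload; only the two MAC fields are filled in."""
    lists = [macs if f.startswith("mac_") else "" for f in FIELDS]
    body = b"".join(struct.pack(">I", len(s)) + s.encode("ascii") for s in lists)
    return bytes([SSH_MSG_KEXINIT]) + bytes(16) + body + b"\x00" + bytes(4)

# Constructed packets carrying the MAC lists quoted in the issue and in the staff reply.
OLD = build_sample("hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,"
                   "hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96")
NEW = build_sample("hmac-sha2-256,hmac-sha1,hmac-sha1-96")
```

Under this assumed policy, `flag_macs(OLD)` reports every entry of the original list, while `flag_macs(NEW)` reports only the two SHA-1 MACs kept for backwards compatibility.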

Comments (5)

  1. David F

    @jgarcia4: Issue #4222 is about signature algorithms, while issue #10838 is about message authentication algorithms. The two are essentially unrelated, so I don't think one can be a duplicate of the other.
