[Soekris] vpn1411 on NET4801 - SSH: Corrupted MAC on input
der Mouse
mouse at Rodents.Montreal.QC.CA
Fri Nov 10 16:13:51 UTC 2006
> I saw "Corrupted MAC on input" just the other day. [...]
> OpenSSH could fail a bit more gracefully, discarding the particular
> inputs that fail its integrity check, but sending a NACK, giving the
> sender the opportunity to retry.
If you mean a NACK at the TCP level, there is no such thing; it would
have to just drop the data, fail to ACK it, and let the sender
retransmit. It is probably too late for that, though; on most OSes, by
the time ssh gets the data, it's already been ACKed by the TCP stack.

If you mean a NACK at the SSH protocol level, there is no such thing,
and no substitute. Go read RFC4253. Note that what looks like a
corrupted MAC may actually be a corrupted packet length; the
implementation does not necessarily know how much data to drop, even if
it had a mechanism for dropping and resending - which may be why no
mechanism was included for that.
/~\ The ASCII                           der Mouse
\ / Ribbon Campaign
 X  Against HTML           mouse at rodents.montreal.qc.ca
/ \ Email!         7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
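Editor's added illustration of the point about RFC 4253 framing (this is constructed demo code, not part of the original post and not OpenSSH's implementation): three plaintext packets are built with the RFC 4253 layout (uint32 packet_length, byte padding_length, payload, padding) and an hmac-sha1 trailer computed over sequence_number || unencrypted_packet. A receiver has to trust the length field to find where the MAC sits before it can verify anything, so a flipped payload byte and a flipped length byte both surface as "Corrupted MAC on input", but only in the first case does the receiver's idea of where the packet ended match the real boundary. The key, payloads and the 35000-byte sanity limit (the RFC's minimum supported packet size) are assumptions of the demo; no cipher or compression is applied so the length field stays readable.

```python
"""RFC 4253 binary packet framing: why a bad MAC gives no safe resync point.

Constructed demo (not OpenSSH code): plaintext packets with an hmac-sha1
trailer; no cipher, no compression, so the length field stays readable.
"""
import hashlib
import hmac
import struct
from typing import List, Optional, Tuple

MAC_KEY = b"constructed-demo-mac-key"   # constructed; a real session derives this from the KEX exchange hash
MAC_LEN = hashlib.sha1().digest_size    # 20 bytes for hmac-sha1
BLOCK = 8                               # RFC 4253 sec. 6: pad to a multiple of max(cipher block size, 8)
MAX_PACKET = 35000                      # RFC 4253 sec. 6.1: implementations must accept at least this


def compute_mac(seq: int, body: bytes) -> bytes:
    # RFC 4253 sec. 6.4: mac = MAC(key, sequence_number || unencrypted_packet)
    return hmac.new(MAC_KEY, struct.pack(">I", seq & 0xFFFFFFFF) + body, hashlib.sha1).digest()


def build_packet(seq: int, payload: bytes) -> bytes:
    """Encode one packet: uint32 packet_length, byte padding_length, payload, padding, mac."""
    padlen = (-(5 + len(payload))) % BLOCK      # bring 4 + 1 + payload + padding to a BLOCK multiple
    if padlen < 4:                              # RFC 4253 sec. 6 requires at least four bytes of padding
        padlen += BLOCK
    padding = bytes(padlen)                     # the RFC says random bytes; zeros suffice for the MAC demo
    body = struct.pack(">IB", 1 + len(payload) + padlen, padlen) + payload + padding
    return body + compute_mac(seq, body)


def read_stream(stream: bytes, pos: int = 0, seq: int = 0) -> Tuple[List[bytes], Optional[str], int]:
    """Parse packets the way a receiver must: trust the length field to find the MAC, then check it.

    Returns (accepted payloads, error or None, resume offset).  On an error the resume
    offset is where the receiver *thinks* the bad packet ended; with a damaged length
    field that offset is wrong, and nothing in the stream can correct it.
    """
    payloads: List[bytes] = []
    while pos < len(stream):
        if len(stream) - pos < 5:
            return payloads, "truncated header", pos
        packet_length, padlen = struct.unpack(">IB", stream[pos:pos + 5])
        end = pos + 4 + packet_length
        if packet_length < padlen + 1 or packet_length > MAX_PACKET or end + MAC_LEN > len(stream):
            return payloads, "bad packet length", pos
        body = stream[pos:end]
        if not hmac.compare_digest(compute_mac(seq, body), stream[end:end + MAC_LEN]):
            # A flipped payload byte and a flipped length byte both land here with the same message.
            return payloads, "Corrupted MAC on input", end + MAC_LEN
        payloads.append(body[5:5 + packet_length - 1 - padlen])
        pos, seq = end + MAC_LEN, seq + 1
    return payloads, None, pos


def flip_bit(data: bytes, index: int, bit: int = 0) -> bytes:
    """Simulate one bit of link-level damage at a byte offset."""
    out = bytearray(data)
    out[index] ^= 1 << bit
    return bytes(out)


def packet_offsets(payloads: List[bytes]) -> List[int]:
    """True frame boundaries of the constructed stream (known to us, not to the receiver)."""
    offsets, pos = [], 0
    for i, p in enumerate(payloads):
        offsets.append(pos)
        pos += len(build_packet(i, p))
    return offsets + [pos]


if __name__ == "__main__":
    msgs = [b"hello", b"world", b"again"]                      # constructed sample payloads
    stream = b"".join(build_packet(i, p) for i, p in enumerate(msgs))
    bounds = packet_offsets(msgs)                               # [0, 36, 72, 108] for these payloads
    print("clean:", read_stream(stream))
    # Damage a payload byte of the second packet: MAC fails, but the computed end is the true boundary.
    _, err, resume = read_stream(flip_bit(stream, bounds[1] + 5))
    print("payload hit:", err, "resume", resume, "true boundary", bounds[2])
    # Damage the low byte of the second packet's length field: same error, wrong resume point.
    damaged = flip_bit(stream, bounds[1] + 3)
    _, err, resume = read_stream(damaged)
    print("length hit:", err, "resume", resume, "true boundary", bounds[2])
    print("parse from the wrong offset:", read_stream(damaged, resume, seq=2))
```

Running it shows the asymmetry the post describes: after the payload hit, resuming at the receiver's computed offset (72) with the next sequence number recovers the third packet cleanly, so a skip-and-retry mechanism could in principle have worked; after the length hit the receiver's computed offset is 73, one byte into the next packet, and parsing from there reads garbage as a length field. Since the receiver has no way to tell the two cases apart, tearing the connection down is the only safe response.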