Sometimes there are situations where you ask yourself why things are the way they are.

One such case is MobaXterm. I’m a big fan of MobaXterm and I also bought the full version. I’m happy to pay for good software.

With several VMs and computers, you want a GUI to connect to your VMs via SSH, to switch between them easily and, above all, clearly and also to easily upload or download files. Theoretically you could also use .config files without MobaXterm, but you don’t want to.

MobaXterm helps you not to confuse or even forget the name of the computer simply by seeing the name. Windows feels like it has very little good software here.

  • Putty is nice, but confusing
  • SSH on WSL has the .config problem
  • Solar Putty makes you dependent on Solarwinds
  • Obscure forks like Kitty that offer little added value.

MobaXterm brings everything together, not just SSH but a lot of other protocols like RDP. Together in one UI, even if I only use SSH myself.

As part of a conversion of my sshd_config as part of the Terrapin release, I also wanted to bring the encryption options up to date. However, a connection with MobaXterm no longer worked. After some trail and error, I was able to identify hmac-sha2-512 as the culprit.

KexAlgorithms [email protected],curve25519-sha256,[email protected],gss-curve25519-sha256-,diffie-hellman-group16-sha512,gss-group16-sha512-,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
Ciphers [email protected],[email protected],[email protected],aes256-ctr
MACs [email protected],[email protected],[email protected],hmac-sha2-512
HostKeyAlgorithms [email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256
CASignatureAlgorithms [email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256
GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-group16-sha512-
HostbasedAcceptedAlgorithms [email protected],[email protected],[email protected],ssh-ed25519,[email protected],rsa-sha2-512,[email protected],rsa-sha2-256
PubkeyAcceptedAlgorithms [email protected],[email protected],[email protected],ssh-ed25519,[email protected],rsa-sha2-512,[email protected],rsa-sha2-256

Without this MAC, MobaXterm no longer wanted to connect. I just have hmac-sha2-512 in my sshd_config with gnashing of teeth. It is the only algorithm that ssh-audit complains about. There are some alternatives that have been available since OpenSSH 6.2, so they have existed for a while.

(mac) [email protected]         -- [info] available since OpenSSH 6.2
(mac) [email protected]         -- [info] available since OpenSSH 6.2
(mac) [email protected]              -- [info] available since OpenSSH 6.2

It’s a mystery to me why people don’t use these. There’s something about Windows software that’s always like that, there’s always an option where you can’t understand why it’s set like that.