Support of MAC algorithm in WinSCP

My client need to harden the MAC algorithm use for the connection, by disallowing "[email protected]" while allowing "hmac-sha2-256". Checked the link https://winscp.net/eng/docs/ssh_algorithms, and use the command WinSCP /info, the MAC algorithm supported are listed below

SSH MAC algorithms:
hmac-sha2-256 ([email protected])
hmac-sha2-512 ([email protected])
hmac-sha1 ([email protected])
hmac-sha1-96 ([email protected])
hmac-md5 ([email protected])

My questions are:

1. Are "hmac-sha2-256" and "[email protected]" 2 distinct (but related?) algorithms?
   
2. From the above table, does the item "hmac-sha2-256 ([email protected])" mean "hmac-sha2-256" and "[email protected]" are both supported, instead of support "hmac-sha2-256" in form of "[email protected]"?
   
3. Checked from the log for the MAC algorithm in use and found "Initialised HMAC-SHA-256 outbound MAC algorithm". What does this mean? Does it mean support "hmac-sha-256", "hmac-sha2-256", or others?
   
4. Found from post that the MAC algorithm is not configurable in WinSCP (https://winscp.net/forum/viewtopic.php?t=25983), is this still true? Is the MAC algorithm to be used are negotiable during the connection with the client that we cannot enforcedly to specify which one must be used?

1. Yes, distinct, but related
   
2. Yes, both are supported
   
3. SHA-256 and SHA2-256 are the same thing
   
4. MAC algorithms are not configurable – disable them of the server, if you do not want to use them
   

What's wrong with ETM?

My service provider requests to disable some and only allow use some algorithm as below.

Algorithms to disable

• [email protected]
  
• [email protected]
  
• hmac-sha2-256-etm

Algorithms allow

• hmac-sha256
  
• [email protected]
  
• hmac-sha2-256

---

1. From the log "Initialised HMAC-SHA-256 outbound MAC algorithm", can we know "hmac-sha2-256" or "[email protected]" is in use?
   
2. As from the log "Initialised HMAC-SHA-256 outbound MAC algorithm", we would conclude either "hmac-sha2-256" or "[email protected]" must be in use. In case "[email protected]" is disabled while "hmac-sha2-256" is kept by the provider, should "hmac-sha2-256" automatically be used on my side?
   
3. Is ETM version more secure? i.e., "[email protected]" is better than "hmac-sha2-256"?

The "service provider" does not tell us anything, about what does the "provider" have to do with the connection. Do they run the server?

If ETM variant is in use, the message would say:

Of course, when the ETM is disabled by the server, WinSCP won't (cannot) use it.

And yes, ETM is MORE SECURE.

The background is we exchange file with a bank and they requested us to update the MAC algorithm as above.

martin wrote:

If ETM variant is in use, the message would say:

Initialised HMAC-SHA-256 outbound MAC algorithm (in ETM mode)

So "Initialised HMAC-SHA-256 outbound MAC algorithm" should mean "hmac-sha2-256" is in use?

And yes, ETM is MORE SECURE.

I googled and also found this conclusion, so I do not know why they allow "hmac-sha2-256" while disallow "[email protected]"