You have just nailed it.
There was an SSH CBC vulnerability reported by US-CERT.
http://www.kb.cert.org/vuls/id/958563
I'm not sure how the vulnerability is exploited. But to be safe, I
disabled all CBC-related ciphers.
After enabling all the default ciphers "aes128-ctr,aes128-cbc,arcfour,
3des-cbc,blowfish-cbc", the "encryption_client algorithm" is solved.

Do you know anything about this SSH CBC vulnerability? If it is a
security problem when CBC-related ciphers are enabled on the SSH
server, is there any plan for Net::SSH to support non-CBC ciphers?

On Jan 15, 4:03 pm, Jamis Buck <ja...@37signals.com> wrote:
> This can also be caused if your SSH server is configured to allow only a
> small subset of cipher algorithms, and that subset does not overlap any
> of the algorithms that Net::SSH supports.
>
> Net::SSH supports the following ciphers:
>
>   aes128-cbc
>   3des-cbc
>   blowfish-cbc
>   cast128-cbc
>   aes192-cbc
>   aes256-cbc
>   rijndael-...@lysator.liu.se
>   idea-cbc
>   none
>
> (Though it is strongly recommended to not use 'none'. It's really only
> useful for debugging Net::SSH.)
>
> If there is a cipher you want that isn't included there, you'll need to
> see how to make Ruby's OpenSSL bindings provide it.
>
> - Jamis
>
> On 1/15/09 8:37 AM, Lee Hambley wrote:
>
> > This might be ssh v1 vs. v2 issues, are you definitely using SSH v2,
> > with v2 keys? (I think it is a difference between DSA, and RSA keys)
> > - Lee
>
> > 2009/1/15 Xazoola <col...@gmail.com <mailto:col...@gmail.com>>
>
> >     Hi,
> >     I am getting a ConnectionError on Solaris. Works fine on Linux. Anyone
> >     know what causes this error?
>
> >     Capistrano::ConnectionError, connection failed for: <IPADDRESS>
> >     (Net::SSH::Exception: could not settle on encryption_client algorithm)
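
The negotiation failure discussed in this thread, as an added example that is not part of the original messages and is not Net::SSH's own code: it applies the cipher selection rule from RFC 4253 section 7.1 to the two lists quoted above. The method names and the CBC-free server list are assumptions made for illustration.

```ruby
# Added example, not Net::SSH's implementation: the RFC 4253 section 7.1
# cipher choice rule applied to the lists quoted in this thread.

# Client list as given in Jamis Buck's reply. The entry the archive
# truncates is left out, and so is 'none'.
CLIENT_CIPHERS = %w[
  aes128-cbc 3des-cbc blowfish-cbc cast128-cbc
  aes192-cbc aes256-cbc idea-cbc
].freeze

class NoCommonCipher < StandardError; end

# Parse a comma-separated name-list, tolerating spaces and line wraps.
def parse_name_list(text)
  text.split(",").map(&:strip).reject(&:empty?)
end

# RFC 4253: the chosen cipher is the first algorithm on the client's
# list that the server also offers. With no overlap, negotiation fails.
def settle_cipher(client, server)
  chosen = client.find { |name| server.include?(name) }
  raise NoCommonCipher, "could not settle on encryption_client algorithm" unless chosen
  chosen
end

# List the CBC-mode ciphers a server offers, for auditing a config.
def cbc_ciphers(server)
  server.select { |name| name.end_with?("-cbc") }
end

# Server list from the message above (all defaults enabled).
SERVER_DEFAULT = parse_name_list("aes128-ctr,aes128-cbc,arcfour,\n3des-cbc,blowfish-cbc")
# Assumed for illustration: the same list with every CBC cipher removed.
SERVER_NO_CBC = (SERVER_DEFAULT - cbc_ciphers(SERVER_DEFAULT)).freeze

# Negotiate against both server configurations and collect the outcome.
def demo
  [SERVER_DEFAULT, SERVER_NO_CBC].map do |server|
    begin
      settle_cipher(CLIENT_CIPHERS, server)
    rescue NoCommonCipher => e
      "error: #{e.message}"
    end
  end
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

With only CBC ciphers on the client side, removing CBC from the server leaves nothing in common, so hardening the server and keeping this client working requires the client to gain a non-CBC cipher first.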