I had heard of it, but I am not a crypto guru, and I have no idea how to make OpenSSL support those (which is what Net::SSH depends on). Perhaps someone more crypto-savvy than I will be able to pipe in and say "oh, heck, you just need to do X and Y and you're all set". :)
- Jamis

On 1/15/09 10:02 AM, Xazoola wrote:
> You have just nailed it.
> There was an SSH CBC vulnerability reported by US-CERT.
> http://www.kb.cert.org/vuls/id/958563
> I'm not sure how the vulnerability is exploited. But to be safe, I
> disable all CBC related ciphers.
> After enabling all the default ciphers "aes128-ctr,aes128-cbc,arcfour,
> 3des-cbc,blowfish-cbc", the "encryption_client algorithm" is solved.
>
> Do you know anything about this SSH CBC vulnerability? If it is a
> security problem when CBC related cipher enabled on SSH server, any
> plan for Net::SSH to support non CBC ciphers?
>
> On Jan 15, 4:03 pm, Jamis Buck <ja...@37signals.com> wrote:
>> This can also be caused if your SSH server is configured to allow only a
>> small subset of cipher algorithms, and that subset does not overlap any
>> of the algorithms that Net::SSH supports.
>>
>> Net::SSH supports the following ciphers:
>>
>> aes128-cbc
>> 3des-cbc
>> blowfish-cbc
>> cast128-cbc
>> aes192-cbc
>> aes256-cbc
>> rijndael-...@lysator.liu.se
>> idea-cbc
>> none
>>
>> (Though it is strongly recommended to not use 'none'. It's really only
>> useful for debugging Net::SSH.)
>>
>> If there is a cipher you want that isn't included there, you'll need to
>> see how to make Ruby's OpenSSL bindings provide it.
>>
>> - Jamis
>>
>> On 1/15/09 8:37 AM, Lee Hambley wrote:
>>
>>> This might be ssh v1 vs. v2 issues, are you definitely using SSH v2,
>>> with v2 keys? (I think it is a difference between DSA, and RSA keys)
>>> - Lee
>>> 2009/1/15 Xazoola <col...@gmail.com>
>>> Hi,
>>> I am getting a ConnectionError on Solaris. Works fine on Linux. Anyone
>>> know what causes this error?
>>> Capistrano::ConnectionError, connection failed for: <IPADDRESS>
>>> (Net::SSH::Exception: could not settle on encryption_client algorithm)
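
An added example, not part of the original thread and not Net::SSH's own code: a small Ruby model of the cipher selection rule from RFC 4253 section 7.1, run over the cipher lists quoted in the thread, showing why removing every CBC cipher on the server leaves no overlap with a CBC-only client. The method and constant names are hypothetical, and the CBC-free server list is an assumed result of the change described above.

```ruby
# Added illustration; not Net::SSH's own code. Models the cipher choice rule of
# RFC 4253 section 7.1: the first name on the client's list that the server
# also offers is selected, and the connection fails when there is none.

# Client ciphers as listed in the thread for Net::SSH (the entry whose name is
# truncated on the page and the debugging-only 'none' are left out).
NET_SSH_CIPHERS = %w[
  aes128-cbc 3des-cbc blowfish-cbc cast128-cbc
  aes192-cbc aes256-cbc idea-cbc
].freeze

# Server default list quoted in the thread.
SERVER_DEFAULT = %w[aes128-ctr aes128-cbc arcfour 3des-cbc blowfish-cbc].freeze

class NegotiationError < StandardError; end

# True for CBC-mode cipher names, the ones the server admin disabled.
def cbc?(name)
  name.end_with?("-cbc")
end

# Returns the negotiated cipher or raises with a diagnostic message.
def settle_cipher(client, server)
  chosen = client.find { |c| server.include?(c) }
  return chosen if chosen

  raise NegotiationError,
        "could not settle on encryption_client algorithm " \
        "(client offers: #{client.join(',')}; server offers: #{server.join(',')})"
end

# Summarise one client/server pairing for a troubleshooting report.
def diagnose(client, server)
  { chosen: settle_cipher(client, server), error: nil }
rescue NegotiationError => e
  { chosen: nil, error: e.message,
    server_only: server - client,
    client_all_cbc: client.all? { |c| cbc?(c) } }
end

# Hardened server: every CBC cipher removed from the default list (assumed
# result of the change described in the thread).
SERVER_NO_CBC = SERVER_DEFAULT.reject { |c| cbc?(c) }.freeze

if __FILE__ == $PROGRAM_NAME
  p diagnose(NET_SSH_CIPHERS, SERVER_DEFAULT)
  p diagnose(NET_SSH_CIPHERS, SERVER_NO_CBC)
end
```

The `server_only` field lists what the server still accepts but the client cannot speak, which is the set a client library would need to add to connect without re-enabling CBC.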