I had heard of it, but I am not a crypto guru, and I have no idea how to
make OpenSSL support those (which is what Net::SSH depends on). Perhaps
someone more crypto-savvy than I will be able to pipe in and say "oh,
heck, you just need to do X and Y and you're all set". :)

- Jamis

On 1/15/09 10:02 AM, Xazoola wrote:
> You have just nailed it.
> There was a SSH CBC vulnerability reported by US-CERT.
> http://www.kb.cert.org/vuls/id/958563
> I'm not sure how the vulnerability is exploited. But to be safe, I
> disable all CBC-related ciphers.
> After enabling all the default ciphers "aes128-ctr,aes128-cbc,arcfour,
> 3des-cbc,blowfish-cbc", the "encryption_client algorithm" is solved.
> 
> Do you know anything about this SSH CBC vulnerability? If it is a
> security problem when CBC-related ciphers are enabled on an SSH server,
> is there any plan for Net::SSH to support non-CBC ciphers?
> 
> On Jan 15, 4:03 pm, Jamis Buck <ja...@37signals.com> wrote:
>> This can also be caused if your SSH server is configured to allow only a
>> small subset of cipher algorithms, and that subset does not overlap any
>> of the algorithms that Net::SSH supports.
>>
>> Net::SSH supports the following ciphers:
>>
>>   aes128-cbc
>>   3des-cbc
>>   blowfish-cbc
>>   cast128-cbc
>>   aes192-cbc
>>   aes256-cbc
>>   rijndael-...@lysator.liu.se
>>   idea-cbc
>>   none
>>
>> (Though it is strongly recommended to not use 'none'. It's really only
>> useful for debugging Net::SSH.)
>>
>> If there is a cipher you want that isn't included there, you'll need to
>> see how to make Ruby's OpenSSL bindings provide it.
>>
>> - Jamis
>>
>> On 1/15/09 8:37 AM, Lee Hambley wrote:
>>
>>> This might be ssh v1 vs. v2 issues, are you definitely using SSH v2,
>>> with v2 keys? (I think it is a difference between DSA, and RSA keys)
>>> - Lee
>>> 2009/1/15 Xazoola <col...@gmail.com>
>>>     Hi,
>>>     I am getting a ConnectionError on Solaris. Works fine on Linux. Anyone
>>>     know what causes this error?
>>>     Capistrano::ConnectionError, connection failed for: <IPADDRESS>
>>>     (Net::SSH::Exception: could not settle on encryption_client algorithm)
> > 
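
Added example, not part of the original thread and not Net::SSH's own code: a sketch of SSH cipher selection as RFC 4253 section 7.1 defines it (the first cipher on the client's list that the server also offers), showing why a server limited to ciphers outside the list quoted above cannot agree on an encryption algorithm. The helper names, the error text, and the CTR-only server value are assumptions made for illustration; the truncated rijndael entry from the list is left out.

```ruby
# Client ciphers as listed in the thread (truncated rijndael entry omitted).
NET_SSH_CIPHERS = %w[
  aes128-cbc 3des-cbc blowfish-cbc cast128-cbc
  aes192-cbc aes256-cbc idea-cbc none
].freeze

# Server value quoted in the thread, and a constructed CTR-only value.
THREAD_SERVER   = "aes128-ctr,aes128-cbc,arcfour, 3des-cbc,blowfish-cbc".freeze
CTR_ONLY_SERVER = "aes128-ctr,aes192-ctr,aes256-ctr".freeze # constructed sample

class NegotiationError < StandardError; end

# Split a comma-separated name-list (e.g. an sshd "Ciphers" value).
def parse_name_list(value)
  value.split(",").map(&:strip).reject(&:empty?)
end

# RFC 4253 7.1: client preference order decides; no overlap is fatal.
def negotiate_cipher(client_list, server_list)
  chosen = client_list.find { |name| server_list.include?(name) }
  return chosen if chosen

  raise NegotiationError, "no cipher in common " \
    "(client: #{client_list.join(',')}; server: #{server_list.join(',')})"
end

def cbc?(name)
  name.end_with?("-cbc")
end

# Report the negotiated cipher, whether it is a CBC mode, and which
# server ciphers the client cannot speak.
def diagnose(client_list, server_value)
  server_list = parse_name_list(server_value)
  cipher = negotiate_cipher(client_list, server_list)
  { ok: true, cipher: cipher, cbc: cbc?(cipher),
    server_only: server_list - client_list }
rescue NegotiationError => e
  { ok: false, error: e.message, server_only: server_list - client_list }
end

if __FILE__ == $PROGRAM_NAME
  p diagnose(NET_SSH_CIPHERS, THREAD_SERVER)
  p diagnose(NET_SSH_CIPHERS, CTR_ONLY_SERVER)
end
```

With the server value from the thread, the client's first preference still wins, so the session ends up on a CBC cipher even though the server also offers `aes128-ctr`.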

