[Capistrano] Re: Capistrano::ConnectionError

2009-01-15 Thread Lee Hambley
This might be SSH v1 vs. v2 issues, are you definitely using SSH v2, with v2
keys? (I think it is a difference between DSA and RSA keys) - Lee

2009/1/15 Xazoola col...@gmail.com


 Hi,
 I am getting a ConnectionError on Solaris. Works fine on Linux. Anyone
 know what causes this error?

 Capistrano::ConnectionError, connection failed for: IPADDRESS
 (Net::SSH::Exception: could not settle on encryption_client algorithm)

 


--~--~-~--~~~---~--~~
To unsubscribe from this group, send email to 
capistrano-unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/capistrano
-~--~~~~--~~--~--~---



[Capistrano] Re: Capistrano::ConnectionError

2009-01-15 Thread Jamis Buck

This can also be caused if your SSH server is configured to allow only a
small subset of cipher algorithms, and that subset does not overlap any
of the algorithms that Net::SSH supports.

Net::SSH supports the following ciphers:

  aes128-cbc
  3des-cbc
  blowfish-cbc
  cast128-cbc
  aes192-cbc
  aes256-cbc
  rijndael-...@lysator.liu.se
  idea-cbc
  none

(Though it is strongly recommended to not use 'none'. It's really only
useful for debugging Net::SSH.)

If there is a cipher you want that isn't included there, you'll need to
see how to make Ruby's OpenSSL bindings provide it.

- Jamis




[Capistrano] Re: Capistrano::ConnectionError

2009-01-15 Thread Xazoola

You have just nailed it.
There was an SSH CBC vulnerability reported by US-CERT.
http://www.kb.cert.org/vuls/id/958563
I'm not sure how the vulnerability is exploited. But to be safe, I
disabled all CBC-related ciphers.
After enabling all the default ciphers aes128-ctr,aes128-cbc,arcfour,
3des-cbc,blowfish-cbc, the encryption_client algorithm is solved.

Do you know anything about this SSH CBC vulnerability? If it is a
security problem when CBC-related ciphers are enabled on the SSH server,
any plan for Net::SSH to support non-CBC ciphers?
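
Added example, not part of the original thread and not Net::SSH's own code: a Ruby sketch of the cipher negotiation rule from RFC 4253, run against the client cipher list posted earlier in the thread and the server cipher list quoted in this message. The helper names (`server_ciphers`, `negotiate_cipher`, `audit`) and the two sshd_config samples are constructed for illustration.

```ruby
# Client cipher list as posted in this thread, order kept. One name is
# truncated by the list archive and is reproduced exactly as shown.
CLIENT_CIPHERS = %w[
  aes128-cbc 3des-cbc blowfish-cbc cast128-cbc aes192-cbc aes256-cbc
  rijndael-...@lysator.liu.se idea-cbc none
].freeze

class NoCommonCipher < StandardError; end

# Pull the cipher list out of sshd_config text (first Ciphers line wins).
# Returns nil when the directive is absent and the server default applies.
def server_ciphers(sshd_config)
  sshd_config.each_line do |line|
    key, value = line.sub(/#.*/, "").strip.split(/\s+/, 2)
    next unless key && key.casecmp("ciphers").zero?
    return value.to_s.split(",").map(&:strip).reject(&:empty?)
  end
  nil
end

# RFC 4253 section 7.1: the first name on the client's list that the
# server also offers is chosen; with no common name the connection fails.
def negotiate_cipher(client, server)
  chosen = client.find { |name| server.include?(name) }
  raise NoCommonCipher, "could not settle on encryption_client algorithm" if chosen.nil?
  chosen
end

# Report what a client with CLIENT_CIPHERS would get from this server.
def audit(sshd_config, client = CLIENT_CIPHERS)
  server = server_ciphers(sshd_config)
  return { status: :server_default } if server.nil?
  chosen = negotiate_cipher(client, server)
  { status: :ok, cipher: chosen, cbc: chosen.end_with?("-cbc"),
    server_only: server - client }
rescue NoCommonCipher => e
  { status: :failed, error: e.message, server_only: server }
end

# Constructed sample: every CBC cipher removed from the server.
CTR_ONLY = "Protocol 2\nCiphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour\n"
# Constructed sample built from the cipher list quoted in this thread.
MIXED = "# sshd_config\nCiphers aes128-ctr,aes128-cbc,arcfour,3des-cbc,blowfish-cbc\n"

puts audit(CTR_ONLY).inspect
puts audit(MIXED).inspect
```

With the mixed list the session settles on aes128-cbc, because the client list as posted contains no CTR modes; the server's aes128-ctr and arcfour entries go unused by this client.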




[Capistrano] Re: Capistrano::ConnectionError

2009-01-15 Thread Jamis Buck

I had heard of it, but I am not a crypto guru, and I have no idea how to
make OpenSSL support those (which is what Net::SSH depends on). Perhaps
someone more crypto-savvy than I will be able to pipe in and say "oh,
heck, you just need to do X and Y and you're all set." :)

- Jamis




[Capistrano] Re: Capistrano::ConnectionError

2009-01-15 Thread Xazoola

OK, and many thanks for your solution!
