On Mon, 14 Jan 2008, Dennis Clarke wrote:
hi Dennis,
>I use SSH daily and on just about everything I own. I do not wear a tin-foil
>hat but I do use aes256-cbc ( or similar ) as my Cipher of choice and I
>generally configure servers to *only* accept aes256-cbc ( or similar ). I
>also tend to set KeyRegenerationInterval to 300 secs and I do not allow the
>use of a cleartext password.
this is this one:
6617424 aes192-cbc/aes256-cbc support is missing from ssh/sshd
however, using anything else than aes128 is just burning CPU cycles.
A nice paper about that was written in 1996 and think it still stands:
http://www.schneier.com/paper-keylength.pdf
>The SunSSH version is this :
>
>$ /usr/bin/ssh -V
>Sun_SSH_1.1, SSH protocols 1.5/2.0, OpenSSL 0x0090704f
>
>I do not know what that means.
SunSSH 1.1. Sun forked OpenSSH, twice basically. The second fork was
from OpenSSH 3.5p1. And it's documented here:
http://www.opensolaris.org/os/community/security/projects/SSH/
># /usr/bin/ssh -V
>Sun_SSH_1.2, SSH protocols 1.5/2.0, OpenSSL 0x0090801f
># /usr/bin/ssh -2 -4 -c aes256-cbc mars
>Unknown cipher type 'aes256-cbc'
yes, a newer version of SunSSH. The increased version number means
that a new compatibility flag was added. Again, it's documented on
OpenSolaris SSH page.
>So the short answer here is that I don't know what the Sun implementation of
>SSH is really but it seems to be NOT what we see at the source site. So that
>really is the only reason why I tend to run the packages built on reference
>servers that I trust and with source code drawn directly from the well.
>
>Am I wrong to think this way ?
well, I don't really think there is a need for that (and I gave an
example the last time that being conservative might mean being more secure,
not less) but I understand that you might want to run latest OpenSSH and
nothing else.
Jan.
--
Jan Pechanec
_______________________________________________
opensolaris-discuss mailing list
[email protected]
