On Mon, 26 Jan 2009, Frank Greco wrote:
hi Frank,
>After about 6-8 weeks, I think I found out why I was having ssh issues,
>originally just with ssh/putty/securecrt with 101b and then with 105b cvs
>via extssh (in Eclipse and IntelliJ). 98b never had any ssh issues.
>
>Basically the ssh ciphers weren't matching.
>
>Just a quick recap. I could not login into our 101b OpenSolaris box via my
>WinXP using any ssh-based tools such as putty, securecrt, winscp, cygwin
I have no idea why this should not work
>ssh, et al. Upgrading to 105b seemed to fix this problem. However we lost
>connectivity to our cvs server (via extssh) with 105b; Eclipse and IntelliJ
>were getting a weird "algorithm negotiation failure" error.
we removed CBC modes from both client and server default list
because of the inherent security issues with CBC modes in the SSH protocol
2.
>On our box, the attribute "Ciphers" does not explicitly appear in
>/etc/ssh/sshd_config. The manpage says the default values for "Ciphers"
>is: aes128-ctr,aes128-cbc,arcfour,3des-cbc,blowfish-cbc,
>aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc.
and didn't make to update the manpages on time.
>Instead of relying on the default, I entered these values into
>/etc/ssh/sshd_config and tried various combinations. After a while, I
>found this combination works: Ciphers aes256-cbc,aes128-cbc,3des-cbc. And
you are using clients that don't support AES CTR nor arcfour. You
should find a client that supports those. See for example:
http://www.kb.cert.org/vuls/id/958563
>it works with 101b and 105b.
>
>Not sure why the default wouldn't work. The Ciphers attribute is supposed
>to contain the *superset* of ciphers matching the ssh client. Perhaps the
no, it's enough if the server supports just one of the clients
ciphers.
>manpage is wrong and the default is *no* Ciphers?
we realized that the fix was too aggressive and I'm working on a fix
right now. We will add those CBC modes back to the client list, to the back
of the list. However, the server will have just AES CTR modes and arcfour as
a default. That we we can force the client not to use CBC modes.
J.
--
Jan Pechanec
