--On Wednesday, January 28, 2009 11:50:49 AM +0100 Jan Pechanec <Jan.Pechanec at Sun.COM> wrote:
> On Tue, 27 Jan 2009, Nicolas Williams wrote: > >> On Tue, Jan 27, 2009 at 11:31:07PM +0100, Jan Pechanec wrote: >>> could you give me an example? All clients I checked had AES-CTR or >>> arcfour support. I'm sure there are some but I don't believe they would >>> be widely used. The problem for us was that S9 machines were shipped >>> with explicit Ciphers setting which didn't contain AES-CTR nor >>> arcfour, not that the server itself wouldn't support them as such. >> >> I sent you a list of all the clients I looked at, and many had only CBC >> mode ciphers, though all such clients were marginal clients (e.g., Ruby >> Net:SSH has only CBC mode ciphers, but Perl Net:SSH has arcfour, the >> palm ssh client has only CBC mode ciphers, ...). > > I found the email and it seems to me that only pssh and > Ruby's Net:SSH were mentioned as not capable of AES-CTR nor arcfour. > > I checked again quite a few clients today, including those in > Dropbear, TeraTerm, AbsoluteTelnet, putty, libssh2, lsh, cURL, Tectia, > VanDyke - all support either AES-CTR or arcfour (or both). > > there are some implementations that are commercial with no info on > cipher modes availabe, PenguinNet, for example. > > I'm wondering what were those clients that Jeff hit when trying to > convert to CTR modes. One was pssh, for which I still have no updated version. We also had problems with older versions of putty and xwin32, but I believe both of those were fixed by upgrading. I don't know whether other clients were affected; I didn't handle most of the reports directly. I do know we had problems with the servers in some cisco equipemnt not supporting ctr modes. I imagine their client has the same problem, unless it has been fixed in a newer version. -- Jeff