NetBSD-Bugs archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: bin/49297: openssh update broke sshd



We should add a readme file, document this in the man page, and perhaps warn in ssh about old ciphers that are going away. Having said that, I don't think that we should change the default configuration because while it will fix the problem for netbsd, it will not fix it for other implementations.

christos

> On Oct 21, 2014, at 9:15 AM, Martin Husemann <martin%duskware.de@localhost> wrote:
> 
> The following reply was made to PR bin/49297; it has been noted by GNATS.
> 
> From: Martin Husemann <martin%duskware.de@localhost>
> To: Christos Zoulas <christos%zoulas.com@localhost>
> Cc: gnats-bugs%NetBSD.org@localhost, gnats-admin%netbsd.org@localhost, netbsd-bugs%netbsd.org@localhost
> Subject: Re: bin/49297: openssh update broke sshd
> Date: Tue, 21 Oct 2014 15:10:08 +0200
> 
>> On Tue, Oct 21, 2014 at 09:02:17AM -0400, Christos Zoulas wrote:
>> Yes, they removed a whole bunch of ciphers because they are not supporting
>> them anymore. We could either consider bringing them back, or you need to
>> upgrade your windows ssh to something newer.
> 
> Indeed, and the log messages were only partly helpfull (the cipher string
> was loged, but the key exchange I had to trial&error).
> 
> For the record, adding this to /etc/ssh/sshd_conf worked around it for me:
> 
> Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm%openssh.com@localhost,aes256-gcm%openssh.com@localhost,chacha20-poly1305%openssh.com@localhost,aes128-cbc
> 
> KexAlgorithms curve25519-sha256%libssh.org@localhost,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> 
> 
> I wonder how we best should document the issue to avoid folks locking them
> out accidently on update.
> 
> Martin
> 


Home | Main Index | Thread Index | Old Index