On Sun, 7 Feb 2010, Thomas Burgess wrote:

>it makes sense but when I tried to enable the ciphers in the config file ssh
>refused to start and stayed in maintenance mode. It took me 20 minutes 2
>reboots and 20 commands to get it to start back up....this is really
>frustrating.
>I'd rather just have OpenSSH....
>oh well
>I'll try again I guess

hi Thomas,

frankly, if the SSH server refused to start after the config was changed, it must have been broken, which could probably happen with OpenSSH as well.

on OpenSolaris, SunSSH on the server side does not support CBC ciphers in its default list, as described in the sshd_config man page. It's been mentioned in other mails why, and they can be easily enabled if needed. Before such a change was made, I checked all existing SSH clients I could possibly find and realized that virtually all of them supported AES in the CTR mode or some of the RC4 modes. There were minor exceptions, an old and no longer maintained client for PalmOS, for example, and I filed one or two bugs against other implementations which I think were even fixed since then.

I also agree with others that using the SSH client shipped with MacOS might be a good idea. I really don't like that your client needs the user's help with specifying what cipher to use. The client is the one that should know better. The server offers an *unordered* list of ciphers, and the client is the one that picks. The client should by default be willing to use only safe ciphers, and that's definitely not DES. The fact that it even allows you to use DES with SSH protocol 2 seems very suspicious; it's not part of the SSH protocol at all, as mentioned by Bayard in another email.

cheers, J.

--
Jan Pechanec
http://blogs.sun.com/janp
_______________________________________________
opensolaris-discuss mailing list
opensolaris-discuss@opensolaris.org
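
The selection rule behind "the client is the one that picks", as an added example that is not part of the original mail: under RFC 4253 section 7.1 the cipher used is the first name on the client's list that the server also offers. The cipher lists below are constructed samples, not the actual SunSSH or client defaults, and the function names are hypothetical.

```python
# Added example: SSH-2 cipher selection per RFC 4253 section 7.1.
# All cipher lists are constructed samples, not real product defaults.

# Constructed server list without CBC ciphers (CTR and RC4 modes only).
SERVER_NO_CBC = ["aes128-ctr", "aes192-ctr", "aes256-ctr",
                 "arcfour128", "arcfour256", "arcfour"]
# The same server after an administrator re-enables CBC ciphers.
SERVER_WITH_CBC = SERVER_NO_CBC + ["aes128-cbc", "3des-cbc"]

# Constructed client preference lists, most preferred first.
CLIENTS = {
    "ctr-first":  ["aes128-ctr", "aes128-cbc", "3des-cbc"],
    "cbc-first":  ["aes128-cbc", "aes128-ctr"],
    "legacy-cbc": ["3des-cbc", "aes128-cbc"],
}


def negotiate_cipher(client_prefs, server_list):
    """Return the first cipher in the client's order that the server offers.

    Returns None when the lists do not overlap; a real connection then
    fails during key exchange.
    """
    offered = set(server_list)  # server ordering plays no part in the choice
    for name in client_prefs:
        if name in offered:
            return name
    return None


def audit(server_list):
    """Map each sample client to the cipher it would end up using."""
    return {label: negotiate_cipher(prefs, server_list)
            for label, prefs in CLIENTS.items()}


if __name__ == "__main__":
    for title, server in (("CBC disabled", SERVER_NO_CBC),
                          ("CBC enabled", SERVER_WITH_CBC)):
        print(title)
        for label, chosen in audit(server).items():
            print(f"  {label:11s} -> {chosen or 'no common cipher'}")
```

Once CBC is enabled on the server, the "cbc-first" client switches to a CBC cipher even though CTR is still offered, which is why the client's default ordering matters as much as the server's list.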