Re: [ssh] Host key sync - "global-requests-ok" extension

To: Peter Gutmann <pgut001%cs.auckland.ac.nz@localhost>, "ietf-ssh%netbsd.org@localhost" <ietf-ssh%netbsd.org@localhost>
Subject: Re: [ssh] Host key sync - "global-requests-ok" extension
From: denis bider <ietf-ssh3%denisbider.com@localhost>
Date: Wed, 19 Dec 2018 12:46:27 -0600

You're focusing on an outdated aspect of the spec instead of widelyknown best practice.

CBC algorithms are known to have security problems in the way they areused in SSH. They haven't been recommended for use in years.

If we ship the SSH Server with CBC algorithms enabled, we get supportcases from users failing security scans.



On 2018-12-19 04:24, Peter Gutmann wrote:

denis bider <ietf-ssh3%denisbider.com@localhost> writes:

Do you have a test server up that we can run clients against?

We do now:

ssh -P 10999 test%experiment.bitvise.com@localhost

You know how I complained about OpenSSH not supporting any of the MTI
symmetric ciphers in the SSH spec?  Well...

Error: No algorithm compatible with the remote system's selection was found: 'aes256-gcm%openssh.com@localhost,aes128-gcm%openssh.com@localhost,aes256-ctr,aes192-ctr,aes128-ctr,3des-ctr'.

Peter.

Follow-Ups:
- Re: [ssh] Host key sync - "global-requests-ok" extension
  - From: Peter Gutmann

References:
- [ssh] Host key sync - "global-requests-ok" extension
  - From: ietf-ssh3
- Re: [ssh] Host key sync - "global-requests-ok" extension
  - From: Peter Gutmann
- Re: [ssh] Host key sync - "global-requests-ok" extension
  - From: denis bider
- Re: [ssh] Host key sync - "global-requests-ok" extension
  - From: Peter Gutmann

Prev by Date: Re: [ssh] Host key sync - "global-requests-ok" extension
Next by Date: Re: [ssh] Host key sync - "global-requests-ok" extension
Previous by Thread: Re: [ssh] Host key sync - "global-requests-ok" extension
Next by Thread: Re: [ssh] Host key sync - "global-requests-ok" extension
Indexes:

Home | Main Index | Thread Index | Old Index