NetBSD-Bugs archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: bin/49297: openssh update broke sshd



The following reply was made to PR bin/49297; it has been noted by GNATS.

From: Christos Zoulas <christos%zoulas.com@localhost>
To: "gnats-bugs%NetBSD.org@localhost" <gnats-bugs%NetBSD.org@localhost>
Cc: "gnats-admin%netbsd.org@localhost" <gnats-admin%netbsd.org@localhost>,
 "netbsd-bugs%netbsd.org@localhost" <netbsd-bugs%netbsd.org@localhost>,
 "martin%NetBSD.org@localhost" <martin%NetBSD.org@localhost>
Subject: Re: bin/49297: openssh update broke sshd
Date: Tue, 21 Oct 2014 10:34:00 -0400

 We should add a readme file, document this in the man page, and perhaps warn=
  in ssh about old ciphers that are going away. Having said that, I don't thi=
 nk that we should change the default configuration because while it will fix=
  the problem for netbsd, it will not fix it for other implementations.
 
 christos
 
 > On Oct 21, 2014, at 9:15 AM, Martin Husemann <martin%duskware.de@localhost> wrote:
 >=20
 > The following reply was made to PR bin/49297; it has been noted by GNATS.
 >=20
 > From: Martin Husemann <martin%duskware.de@localhost>
 > To: Christos Zoulas <christos%zoulas.com@localhost>
 > Cc: gnats-bugs%NetBSD.org@localhost, gnats-admin%netbsd.org@localhost, netbsd-bugs%netbsd.org@localhost
 > Subject: Re: bin/49297: openssh update broke sshd
 > Date: Tue, 21 Oct 2014 15:10:08 +0200
 >=20
 >> On Tue, Oct 21, 2014 at 09:02:17AM -0400, Christos Zoulas wrote:
 >> Yes, they removed a whole bunch of ciphers because they are not supportin=
 g
 >> them anymore. We could either consider bringing them back, or you need to=
 
 >> upgrade your windows ssh to something newer.
 >=20
 > Indeed, and the log messages were only partly helpfull (the cipher string
 > was loged, but the key exchange I had to trial&error).
 >=20
 > For the record, adding this to /etc/ssh/sshd_conf worked around it for me:=
 
 >=20
 > Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm%openssh.com@localhost,aes256-gcm=
 @openssh.com,chacha20-poly1305%openssh.com@localhost,aes128-cbc
 >=20
 > KexAlgorithms curve25519-sha256%libssh.org@localhost,ecdh-sha2-nistp256,ecdh-sha2-ni=
 stp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellma=
 n-group14-sha1,diffie-hellman-group1-sha1
 >=20
 >=20
 > I wonder how we best should document the issue to avoid folks locking them=
 
 > out accidently on update.
 >=20
 > Martin
 >=20
 


Home | Main Index | Thread Index | Old Index