Bug#806962: No supported cipher blowfish breaks systems

[Colin Watson <cjwatson@debian.org>]

On Thu, Dec 03, 2015 at 05:11:17PM +0100, Klaus Ethgen wrote:
> Am Do den  3. Dez 2015 um 16:23 schrieb Colin Watson:
> > (http://www.openssh.com/txt/release-7.1) but it hasn't been yet.  I just
> > diffed 1:6.9p1-3 against 1:7.1p1-1 and there are no changes affecting
> > blowfish; furthermore, the 7.1 client still advertises blowfish-cbc.
> 
> In earlier versions, blowfish cipher was named "blowfish" not
> "blowfish-cbc". So many (as mine) configurations have configured "Cipher
> blowfish" (Client). That is breaking. In fact, the solution is
> "blowfish" -> "blowfish-cbc" but that has to be done before the upgrade.
> After upgrade it might be not possible anymore.

Ah, so this is not quite accurate.  "blowfish" is an SSH1-only cipher
name, and as far as I can tell was never effective for SSH2.  OpenSSH
7.0 disables protocol 1, which is perhaps why you're seeing "blowfish"
no longer doing anything.

But of course you can make this change after upgrade - it's client-side.

> Due to the deprecation note, that is a big issue. I never trust AES from
> the fact how it was choosen above twofish. With purging support for
> blowfish, that would leave not many trusted alternatives anymore.

chacha20-poly1305@openssh.com is a nice alternative for modern systems;
but at any rate I am certainly not going to get into your political
issues with cryptography, and if you are going to make this kind of
choice then you need to own the fact that you'll have to keep it up to
date, or maintain your own fork of OpenSSH.  Debian will stick with
mainline upstream choices here.

There've been quite a few real attacks against CBC mode ciphers in SSH,
though (e.g. http://www.openssh.com/txt/cbc.adv), so I would recommend
that you reconsider your choice.

-- 
Colin Watson                                       [cjwatson@debian.org]