Bug#806962: No supported cipher blowfish breaks systems
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Am Do den 3. Dez 2015 um 17:36 schrieb Colin Watson:
> On Thu, Dec 03, 2015 at 05:11:17PM +0100, Klaus Ethgen wrote:
> > Am Do den 3. Dez 2015 um 16:23 schrieb Colin Watson:
> > > (http://www.openssh.com/txt/release-7.1) but it hasn't been yet. I just
> > > diffed 1:6.9p1-3 against 1:7.1p1-1 and there are no changes affecting
> > > blowfish; furthermore, the 7.1 client still advertises blowfish-cbc.
> >
> > In earlier versions, blowfish cipher was named "blowfish" not
> > "blowfish-cbc". So many (as mine) configurations have configured "Cipher
> > blowfish" (Client). That is breaking. In fact, the solution is
> > "blowfish" -> "blowfish-cbc" but that has to be done before the upgrade.
> > After upgrade it might be not possible anymore.
>
> Ah, so this is not quite accurate. "blowfish" is an SSH1-only cipher
> name, and as far as I can tell was never effective for SSH2. OpenSSH
> 7.0 disables protocol 1, which is perhaps why you're seeing "blowfish"
> no longer doing anything.
That might be, but configurations regarding that was still possible.
With current systems that configuration is an error and ssh fails to
work at all.
> But of course you can make this change after upgrade - it's client-side.
And if you have ssh-with-key-only root on some systems, it is very hard
to change that setting in global ssh_config.
Why do you bristle that much against documenting that in NEWS.debian.gz
where it should be!? Currently it is not even mentioned in changelog.
> and if you are going to make this kind of
> choice then you need to own the fact that you'll have to keep it up to
> date, or maintain your own fork of OpenSSH. Debian will stick with
> mainline upstream choices here.
Yea, I still have to have my own debian package of openssh due the fact
that debian is _not_ sticking to mainline upstream choices and have some
questionable patches in the package. Patches that upstream refused for
security reasons. It would be not really more work to enable that too
here.
However, I also wrote a mail to upstream regarding that decision. I do
not only want to only my systems being secure, I want to have that
opportunity for others too. If blowfish is dropped from debian package,
that would cut many others from using a secure algorithm. And I know
many people that do not give a shit for security and just use lower
secure algorithms.
Regards
Klaus
- --
Klaus Ethgen http://www.ethgen.ch/
pub 4096R/4E20AF1C 2011-05-16 Klaus Ethgen <Klaus@Ethgen.ch>
Fingerprint: 85D4 CA42 952C 949B 1753 62B3 79D0 B06F 4E20 AF1C
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQGcBAEBCgAGBQJWYHKGAAoJEKZ8CrGAGfasVlkMAILfw5/ChFCkVLwZ3kAmZFH0
u7GLcYGU/8Eyy5mgTP6kFhqPOsFCRwctOXoeu45OHI8KSSuYzPTrzuorKutIeZw9
XBX6T64LWVN9gCLO7bPL1Z8kK7RwK8Ox9fxXLrNYazjXx0sYRafXGbIu62HVEUTD
0z0BZ9PTDZCHaE/GBOtwFaP0B0u/xYwKjuvp3oSmDglsiz+5WVtjQyJ456bJHzeM
qgFU6VDmJcAzFSBbc45P5wvXQRIfm+6UouYBEJ43r381OeXQI0xxPSLBnp7M7Iwy
fPfzpi3F72GJqUPsvoBROJd9AbWZ23su5DZ1DNX2ZDPteenskdGK6fWRrm6gfLC8
Uw2xZTRGeGtEhMc9njw9ER6AAkgMvWbiQrc3BMLNI9Z+SXgFfSujH+DCtfSbxc6M
LznYvPoFKWqhcJvAdUISEomJeCHISJDYbby/MJyX634JPbDNhJ90k98APffkFBCu
hN+IlIJDP2RqkaWA794Wgio8Vhga2I5PSW6gcaq14g==
=cR58
-----END PGP SIGNATURE-----
Reply to: