[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#806962: No supported cipher blowfish breaks systems

Hash: SHA512

Am Do den  3. Dez 2015 um 17:36 schrieb Colin Watson:
> On Thu, Dec 03, 2015 at 05:11:17PM +0100, Klaus Ethgen wrote:
> > Am Do den  3. Dez 2015 um 16:23 schrieb Colin Watson:
> > > (http://www.openssh.com/txt/release-7.1) but it hasn't been yet.  I just
> > > diffed 1:6.9p1-3 against 1:7.1p1-1 and there are no changes affecting
> > > blowfish; furthermore, the 7.1 client still advertises blowfish-cbc.
> > 
> > In earlier versions, blowfish cipher was named "blowfish" not
> > "blowfish-cbc". So many (as mine) configurations have configured "Cipher
> > blowfish" (Client). That is breaking. In fact, the solution is
> > "blowfish" -> "blowfish-cbc" but that has to be done before the upgrade.
> > After upgrade it might be not possible anymore.
> Ah, so this is not quite accurate.  "blowfish" is an SSH1-only cipher
> name, and as far as I can tell was never effective for SSH2.  OpenSSH
> 7.0 disables protocol 1, which is perhaps why you're seeing "blowfish"
> no longer doing anything.

That might be, but configurations regarding that was still possible.
With current systems that configuration is an error and ssh fails to
work at all.

> But of course you can make this change after upgrade - it's client-side.

And if you have ssh-with-key-only root on some systems, it is very hard
to change that setting in global ssh_config.

Why do you bristle that much against documenting that in NEWS.debian.gz
where it should be!? Currently it is not even mentioned in changelog.

> and if you are going to make this kind of
> choice then you need to own the fact that you'll have to keep it up to
> date, or maintain your own fork of OpenSSH.  Debian will stick with
> mainline upstream choices here.

Yea, I still have to have my own debian package of openssh due the fact
that debian is _not_ sticking to mainline upstream choices and have some
questionable patches in the package. Patches that upstream refused for
security reasons. It would be not really more work to enable that too

However, I also wrote a mail to upstream regarding that decision. I do
not only want to only my systems being secure, I want to have that
opportunity for others too. If blowfish is dropped from debian package,
that would cut many others from using a secure algorithm. And I know
many people that do not give a shit for security and just use lower
secure algorithms.

- -- 
Klaus Ethgen                              http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16   Klaus Ethgen <Klaus@Ethgen.ch>
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C
Version: GnuPG v1


Reply to: