[erlang-bugs] Erlang R13B01 ssh-1.1.3 cipher key matching bug and documentation errors
Niclas Eklund
nick@REDACTED
Sat Sep 5 19:40:07 CEST 2009
Hello!
Thank you for the input. Some parts will make it into R13B02.
Niclas @Erlang/OTP
On Sun, 12 Jul 2009, Kenji Rikitake wrote:
> Here's a list of bugs/documentation errors of ssh-1.1.3 for R13B01 which
> I experienced yesterday.
>
> * [bug] ssh:shell/3 and ssh:connect/3 do not crash immediately even if
> they fail to negotiate the cipher to use, and hang forever
>
> How to reproduce:
> set NOT to accept 3des-cbc as a cipher on the server
> (in OpenSSH, set Ciphers directive at sshd_config, *excluding* 3des-cbc)
>
> Possible reason: failure of finding a matching cipher does not throw
> an exception immediately (I haven't tested yet).
>
> FYI: on Portable OpenSSH 5.1 for FreeBSD slogin client, it will turn
> out to be something like the following:
>
> -- quote --
> debug1: match: OpenSSH_5.1p1 FreeBSD-20080901 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_5.1p1 FreeBSD-20080901
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> no matching cipher found: client 3des-cbc server aes128-ctr,blowfish-cbc,aes128-cbc,aes192-cbc,aes256-cbc
> -- unquote --
>
> * [documentation error] ssh manual should include that the current ssh
> module only supports the following crypto parameters of SSH Version 2
> protocol: (my opinion follows later in this message)
>
> cipher: 3des-cbc only
> MACs: hmac-sha1 only
>
> * [documentation error] ssh manual should include that only an
> *unencrypted* private key is supported for ssh_rsa public key
> authentication.
>
> The manual should also note that private keys for public key
> authentication used for interactive logins are mostly encrypted so
> cannot be used for the time being.
>
> * [documentation error] ssh:connect/1 and ssh:connect/2 no longer exist,
> but still documented. Description for those old functions should be
> eliminated, and requirement to use ssh:connect/3 instead should be
> described.
>
> * [my opinion] I personally think only supporting 3des-cbc is *archaic*
> and insufficient; implementing at least stronger ciphers such as
> aes128-cbc and aes256-cbc, or even blowfish-cbc, should be considered
> ASAP, regarding the strength of the ciphers.
>
> Regards,
> Kenji Rikitake
>
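Added example, not part of the original thread and not code from Erlang/OTP's ssh application: the cipher/MAC selection rule of RFC 4253 section 7.1 applied to two KEXINIT payloads, raising as soon as a list has no common entry so the caller can disconnect instead of waiting. All function names are this example's own, and the hmac-sha1 MAC list for the server is an assumption (the quoted debug log shows only ciphers).

```python
import struct

SSH_MSG_KEXINIT = 20
# Order of the ten name-lists in a KEXINIT payload (RFC 4253, section 7.1).
FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

class NegotiationError(Exception):
    """No common algorithm: both sides must disconnect."""

def build_kexinit(lists, cookie=b"\0" * 16):
    """Encode a KEXINIT payload from a dict of field -> list of names."""
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for f in FIELDS:
        body = ",".join(lists.get(f, [])).encode("ascii")
        out += struct.pack(">I", len(body)) + body
    return out + b"\0" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

def parse_kexinit(payload):
    """Decode the ten name-lists, rejecting mistyped or truncated payloads."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    pos, lists = 17, {}  # skip message type byte and 16-byte cookie
    for f in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + n > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[pos:pos + n].decode("ascii")
        lists[f] = raw.split(",") if raw else []
        pos += n
    return lists

def negotiate(client, server, fields=("enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c")):
    """First name on the client's list that the server also offers wins."""
    chosen = {}
    for f in fields:
        match = next((a for a in client[f] if a in server[f]), None)
        if match is None:  # fail immediately, never wait for more packets
            raise NegotiationError("no matching %s: client %s server %s"
                                   % (f, ",".join(client[f]), ",".join(server[f])))
        chosen[f] = match
    return chosen

def offer(ciphers, macs=("hmac-sha1",)):
    """Constructed helper: same cipher and MAC lists in both directions."""
    return {"enc_c2s": list(ciphers), "enc_s2c": list(ciphers),
            "mac_c2s": list(macs), "mac_s2c": list(macs)}

# Constructed sample: the client and server cipher lists from the quoted debug log.
CLIENT = offer(["3des-cbc"])
SERVER = offer("aes128-ctr,blowfish-cbc,aes128-cbc,aes192-cbc,aes256-cbc".split(","))
```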