Erlang R13B01 ssh-1.1.3 cipher key matching bug and documentation errors
Kenji Rikitake
kenji.rikitake@REDACTED
Sun Jul 12 04:56:46 CEST 2009
Here's a list of bugs/documentation errors of ssh-1.1.3 for R13B01 which
I experienced yesterday.
* [bug] ssh:shell/3 and ssh:connect/3 do not crash immediately even if
they fail to negotiate the cipher to use, and hang forever
How to reproduce:
set NOT to accept 3des-cbc as a cipher on the server
(in OpenSSH, set Ciphers directive at sshd_config, *excluding* 3des-cbc)
Possible reason: failure of finding a matching cipher does not throw
an exception immediately (I haven't tested yet).
FYI: on Portable OpenSSH 5.1 for FreeBSD slogin client, it will turn
out to be something like the following:
-- quote --
debug1: match: OpenSSH_5.1p1 FreeBSD-20080901 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1p1 FreeBSD-20080901
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
no matching cipher found: client 3des-cbc server aes128-ctr,blowfish-cbc,aes128-cbc,aes192-cbc,aes256-cbc
-- unquote --
* [documentation error] ssh manual should include that the current ssh
module only supports the following crypto parameters of SSH Version 2
protocol: (my opinion follows later in this message)
cipher: 3des-cbc only
MACs: hmac-sha1 only
* [documentation error] ssh manual should include that only an
*unencrypted* private key is supported for ssh_rsa public key
authentication.
The manual should also note that private keys for public key
authentication used for interactive logins are mostly encrypted so
cannot be used for the time being.
* [documentation error] ssh:connect/1 and ssh:connect/2 no longer exist,
but still documented. Description for those old functions should be
eliminated, and requirement to use ssh:connect/3 instead should be
described.
* [my opinion] I personally think only supporting 3des-cbc is *archaic*
and insufficient; implementing at least stronger ciphers such as
aes128-cbc and aes256-cbc, or even blowfish-cbc, should be considered
ASAP, regarding the strength of the ciphers.
Regards,
Kenji Rikitake
More information about the erlang-questions
mailing list