[erlang-bugs] Erlang R13B01 ssh-1.1.3 cipher key matching bug and documentation errors

Niclas Eklund nick@REDACTED
Sat Sep 5 19:40:07 CEST 2009


Thank you for the input. At some parts will make it into R13B02.

Niclas @Erlang/OTP

On Sun, 12 Jul 2009, Kenji Rikitake wrote:

> Here's a list of bugs/documentation errors of ssh-1.1.3 for R13B01 which
> I experienced yesterday.
> * [bug] ssh:shell/3 and ssh:connect/3 do not crash immediately even if
>  they fail to negotiate the cipher to use, and hang forever
>  How to reproduce:
>  set NOT to accept 3des-cbc as a cipher on the server
>  (in OpenSSH, set Ciphers directive at sshd_config, *excluding* 3des-cbc)
>  Possible reason: failure of finding a matching cipher does not throw
>  an exception immediately (I haven't tested yet).
>  FYI: on Portable OpenSSH 5.1 for FreeBSD slogin client, it will turn
>  out to be something like the following:
> -- quote --
> debug1: match: OpenSSH_5.1p1 FreeBSD-20080901 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_5.1p1 FreeBSD-20080901
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> no matching cipher found: client 3des-cbc server aes128-ctr,blowfish-cbc,aes128-cbc,aes192-cbc,aes256-cbc
> -- unquote --
> * [documentation error] ssh manual should include that the current ssh
>  module only supports the following crypto parameters of SSH Version 2
>  protocol: (my opinion follows later in this message)
>  cipher: 3des-cbc only
>  MACs: hmac-sha1 only
> * [documentation error] ssh manual should include that only an
>  *unencrypted* private key is supported for ssh_rsa public key
>  authentication.
>  The manual should also note that private keys for public key
>  authentication used for interactive logins are mostly encrypted so
>  cannot be used for the time being.
> * [documentation error] ssh:connect/1 and ssh:connect/2 no longer exist,
>  but still documented. Description for those old functions should be
>  eliminated, and requirement to use ssh:connect/3 instead should be
>  described.
> * [my opinion] I personally think only supporting 3des-cbc is *archaic*
>  and insufficient; implementing at least stronger ciphers such as
>  aes128-cbc and aes256-cbc, or even blowfish-cbc, should be considered
>  ASAP, regarding the strength of the ciphers.
> Regards,
> Kenji Rikitake
> ________________________________________________________________
> erlang-bugs mailing list. See http://www.erlang.org/faq.html
> erlang-bugs (at) erlang.org

More information about the erlang-questions mailing list