heads-up: relaxed fix for SunSSH cipher list change
Date: Fri, 30 Jan 2009 14:00:17 +0100 (CET)
From: Jan Pechanec <Jan.Pechanec at sun dot com>
To: onnv-gate at onnv dot eng dot sun dot com, on-all at eng dot sun dot com
Subject: heads-up: relaxed fix for SunSSH cipher list change

hi,

if you use SSH with Nevada please read this message.

a fix for "6761890 ssh protocol security vulnerability may be used to reveal some plaintext" changed both the server and the client default cipher lists in snv_105. More information can be read in my email with the subject "belated heads-up: changing default SunSSH cipher list".

from the feedback we got it was clear that the fix was too aggressive on the client side since there were many Solaris boxes with an old server configuration originally taken from S9 FCS that didn't support AES-CTR nor ARCFOUR.

the relaxed fix:

6797322 fix for 6761890 in SunSSH is too aggressive

puts all CBC modes back at the end of the default client list and was pushed to snv_108, together with updated SSH man pages. Note that we do keep the default server list without CBC modes from the previous fix. That's the only way to force the clients not to choose AES-CBC if it's the first mode on their list. That's the majority of existing clients (not SunSSH, which has preferred AES-CTR-128 since 2004). Many of those clients are only now changing the ordering and putting AES-CTR modes at the beginning.

the default client list is now:

aes128-ctr,aes192-ctr,aes256-ctr,arcfour,aes128-cbc,
aes192-cbc,aes256-cbc,blowfish-cbc,3des-cbc

the default server list is now (ordering is not relevant here):

aes128-ctr,aes192-ctr,aes256-ctr,arcfour

we checked around 20 different SSH implementations we could find and got only 3 clients that do not support AES-CTR nor ARCFOUR:

- pssh (free 3rd party SSH for Palm OS), its latest version is from 2005. I notified the author but I'm not sure if the SW is still alive.
- Ruby's Net::SSH. I filed a bug in their tracker.
- Cisco IOS SSH

in case you hit such clients and must use them we suggest adding CBC modes to the Ciphers option in the sshd_config file. Some old versions of existing clients I checked may not support AES-CTR/ARCFOUR but newer versions exist that do (PuTTY, for example, has supported AES-CTR and ARCFOUR since version 0.59, released 01/2007).

a special case is SunSSH_1.0 shipped with S9 FCS. That client also doesn't support AES-CTR/ARCFOUR. The client is old, it contains security bugs and we strongly advise patching the system. You get SunSSH_1.1 and the new cipher modes as a side effect. See the "patches" section on the SunSSH page for more info:

http://www.opensolaris.org/os/community/security/projects/SSH/#patches

note that the fix keeps the ability to connect to those unpatched S9 boxes.

a note on backporting. The whole fix (6761890 + 6797322) is not just the removal of the CBC modes from the server side. The first part of the fix, to mitigate the impact of using CBC modes, went to snv_105 with 6761890 and thus will (and should) probably get to s10u7. The default server cipher list change will probably not get there due to insufficient soak time. We really want this new change to be out for some time in case we haven't considered all important scenarios. Given the fact that SunSSH's client has already used AES-CTR-128 as the 1st cipher mode since 2004 we believe that there are no security issues with our approach.

thanks, J.

-- Jan Pechanec
on 2009/11/20 23:48
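The message above rests on how SSH picks a cipher: per RFC 4253 section 7.1 the server walks the client's list in the client's order and takes the first name that is also on its own list, so the server's ordering is irrelevant and only the server's membership can override a client that puts aes128-cbc first. The following script is an added illustration, not SunSSH code. It applies that rule to the two default lists quoted in the heads-up and to three constructed lists (a CBC-first third-party client, a CBC-only client standing in for the three listed ones, and an unpatched S9 FCS server), plus a constructed sshd_config Ciphers value with CBC appended as the message suggests for CBC-only clients.

```python
"""Simulate SSH cipher negotiation (RFC 4253 section 7.1) against the
snv_108 SunSSH default lists. Added example, not SunSSH's own code."""

from typing import Dict, List, Optional

# Defaults quoted verbatim from the heads-up (snv_108).
SUNSSH_CLIENT_DEFAULT = ("aes128-ctr,aes192-ctr,aes256-ctr,arcfour,"
                         "aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,3des-cbc")
SUNSSH_SERVER_DEFAULT = "aes128-ctr,aes192-ctr,aes256-ctr,arcfour"

# Constructed lists (assumptions for this example, not taken from the message):
# a typical pre-2009 client that supports CTR but lists CBC first,
CBC_FIRST_CLIENT = "aes128-cbc,3des-cbc,blowfish-cbc,aes128-ctr"
# a client with neither AES-CTR nor ARCFOUR (the three listed clients),
CBC_ONLY_CLIENT = "aes128-cbc,3des-cbc,blowfish-cbc"
# an unpatched S9 FCS sshd offering CBC modes only,
OLD_S9_SERVER = "3des-cbc,blowfish-cbc,aes128-cbc"
# and a constructed sshd_config line an admin might add for CBC-only clients:
#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour,aes128-cbc,3des-cbc
SERVER_WITH_CBC_APPENDED = SUNSSH_SERVER_DEFAULT + ",aes128-cbc,3des-cbc"


def parse_name_list(name_list: str) -> List[str]:
    """Split an RFC 4253 name-list (comma separated, no whitespace)."""
    names = [n for n in name_list.split(",") if n]
    for n in names:
        if not n.isascii() or any(c.isspace() for c in n):
            raise ValueError(f"invalid algorithm name: {n!r}")
    return names


def negotiate(client_list: str, server_list: str) -> Optional[str]:
    """RFC 4253 7.1: first algorithm in the CLIENT's order that the server
    also supports; the server's own order plays no role. None means the
    key exchange would fail with no common cipher."""
    server_supported = set(parse_name_list(server_list))
    for name in parse_name_list(client_list):
        if name in server_supported:
            return name
    return None


def is_cbc(cipher: Optional[str]) -> bool:
    """True when the chosen cipher is a CBC mode (the mode 6761890 concerns)."""
    return cipher is not None and cipher.endswith("-cbc")


def scenarios() -> Dict[str, Optional[str]]:
    """Outcome of each client/server pairing discussed in the heads-up."""
    return {
        "sunssh client -> sunssh server": negotiate(SUNSSH_CLIENT_DEFAULT, SUNSSH_SERVER_DEFAULT),
        "cbc-first client -> sunssh server": negotiate(CBC_FIRST_CLIENT, SUNSSH_SERVER_DEFAULT),
        "cbc-only client -> sunssh server": negotiate(CBC_ONLY_CLIENT, SUNSSH_SERVER_DEFAULT),
        "cbc-only client -> server with CBC appended": negotiate(CBC_ONLY_CLIENT, SERVER_WITH_CBC_APPENDED),
        "sunssh client -> old S9 server": negotiate(SUNSSH_CLIENT_DEFAULT, OLD_S9_SERVER),
        "cbc-first client -> old S9 server": negotiate(CBC_FIRST_CLIENT, OLD_S9_SERVER),
    }


if __name__ == "__main__":
    for label, chosen in scenarios().items():
        status = "FAIL (no common cipher)" if chosen is None else chosen
        flag = "  <- CBC" if is_cbc(chosen) else ""
        print(f"{label:45s} {status}{flag}")
```

Run it and the table reproduces the message's reasoning: against the snv_108 server a CBC-first client is pushed to aes128-ctr, a CBC-only client cannot connect until CBC is appended to Ciphers in sshd_config, and the relaxed client list still reaches an unpatched S9 box, but only by falling back to aes128-cbc, which is why patching those boxes rather than relaxing the server list is the advice given.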