From: Bryan Drewery
Date: Sat, 28 Sep 2013 11:41:04 -0500
To: Garrett Wollman
Cc: freebsd-security@freebsd.org
Subject: Re: fatal: cipher_init: EVP_CipherInit: set key failed for aes128-cbc [preauth]

On 7/30/2013 7:57 AM, Garrett Wollman wrote:
> [Cc added, bdrewery@ who is the maintainer of security/openssh-portable]
>
> < said:
>
>> http://lists.freebsd.org/pipermail/svn-src-head/2013-May/047921.html
>
>> Change the default in /etc/ssh/sshd_config to
>
> No /etc/ssh here; this is ports openssh, not base (which doesn't exist
> in my world).
>
>> UsePrivilegeSeparation yes
>
>> as it sounds like you have hardware crypto on the box and you are using
>> UsePrivilegeSeparation sandbox
>> which is broken
>
> However, this fix does work (in /usr/local/etc/ssh/sshd_config).
> Apparently security/openssh-portable needs a fix similar to the base
> system head/crypto/openssh r251088.
>
> -GAWollman
>

Yup. I didn't realize I had put that into the port. Fixed for upcoming 6.3.

Thanks,
Bryan Drewery
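
A check for the setting discussed in this thread, as an added example that is not part of the original messages: it reports the effective `UsePrivilegeSeparation` value in the base and ports `sshd_config` paths named above. The function names and the sample config are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Reads an sshd_config on stdin and
# prints the effective UsePrivilegeSeparation value, or "unset".
privsep_setting() {
    awk '
        # Drop comments and tolerate the Keyword=value spelling.
        { sub(/#.*/, ""); sub(/[ \t]*=[ \t]*/, " ") }
        # Keywords are case-insensitive; sshd keeps the first value it reads.
        # The value is lower-cased so a differently cased one is still flagged.
        tolower($1) == "useprivilegeseparation" {
            print tolower($2); found = 1; exit
        }
        END { if (!found) print "unset" }
    '
}

# Returns 1 when FILE selects the sandbox mode reported as broken in the
# thread (hardware crypto present), 0 otherwise.
check_privsep() {
    value=$(privsep_setting < "$1")
    case "$value" in
        sandbox) echo "$1: sandbox (thread workaround: UsePrivilegeSeparation yes)"
                 return 1 ;;
        unset)   echo "$1: not set, sshd's built-in default applies"
                 return 0 ;;
        *)       echo "$1: UsePrivilegeSeparation $value"
                 return 0 ;;
    esac
}

# Constructed sample config: the commented line is ignored and the first
# active line wins over the later one.
sample_config() {
    cat <<'EOF'
#UsePrivilegeSeparation yes
useprivilegeseparation sandbox   # first active value
UsePrivilegeSeparation yes
EOF
}
echo "sample: $(sample_config | privsep_setting)"

# Base-system and ports locations named in the thread.
for f in /etc/ssh/sshd_config /usr/local/etc/ssh/sshd_config; do
    if [ -r "$f" ]; then check_privsep "$f" || true; fi
done
```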