From owner-freebsd-security  Thu Oct  4  3:24: 9 2001
Delivered-To: freebsd-security@freebsd.org
Received: from faui02.informatik.uni-erlangen.de (faui02.informatik.uni-erlangen.de [131.188.30.102])
	by hub.freebsd.org (Postfix) with ESMTP id 1F3D037B406
	for <security@FreeBSD.ORG>; Thu,  4 Oct 2001 03:24:04 -0700 (PDT)
Received: (from msfriedl@localhost)
	by faui02.informatik.uni-erlangen.de (8.9.1/8.1.16-FAU) id MAA22519; Thu, 4 Oct 2001 12:23:45 +0200 (MEST)
Date: Thu, 4 Oct 2001 12:23:45 +0200
From: Markus Friedl <markus@Openbsd.org>
To: Kris Kennaway <kris@obsecurity.org>
Cc: Peter Pentchev <roam@ringlet.net>,
	Zvezdan Petkovic <zvezdan@CS.WM.EDU>, security@FreeBSD.ORG,
	openssh@Openbsd.org
Subject: Re: default cipher types in openssh
Message-ID: <20011004122345.A18375@faui02.informatik.uni-erlangen.de>
References: <20011004011840.74747.qmail@web13904.mail.yahoo.com> <20011003221421.A28053@dali.cs.wm.edu> <20011004104839.A1959@ringworld.oblivion.bg> <20011004024425.A47260@xor.obsecurity.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
In-Reply-To: <20011004024425.A47260@xor.obsecurity.org>; from kris@obsecurity.org on Thu, Oct 04, 2001 at 02:44:26AM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

On Thu, Oct 04, 2001 at 02:44:26AM -0700, Kris Kennaway wrote:
> On Thu, Oct 04, 2001 at 10:48:39AM +0300, Peter Pentchev wrote:
> > On Wed, Oct 03, 2001 at 10:14:21PM -0400, Zvezdan Petkovic wrote:
> > > According to the above we just need to update the stable branch to
> > > 2.9.9, or at least the port (which seems to be on the way).
> > > Other people probably know what would be better solution.
> > 
> > -STABLE is at 2.9.0 as of September 28th.  It seems to use AES128 now, too.
> 
> Hmm, I didn't even know it could do that :)
> 
> Someone needs to update the usage message for ssh:
> 
>   -c cipher   Select encryption algorithm: ``3des'', ``blowfish''

the ssh binary says:

  -c cipher   Select encryption algorithm

the manpage says:

     -c blowfish|3des|des
             Selects the cipher to use for encrypting the session.  3des is
             used by default.  It is believed to be secure.  3des (triple-des)
             is an encrypt-decrypt-encrypt triple with three different keys.
             blowfish is a fast block cipher, it appears very secure and is
             much faster than 3des. des is only supported in the ssh client
             for interoperability with legacy protocol 1 implementations that
             do not support the 3des cipher.  Its use is strongly discouraged
             due to cryptographic weaknesses.

     -c cipher_spec
             Additionally, for protocol version 2 a comma-separated list of
             ciphers can be specified in order of preference.  See Ciphers for
             more information.

perhaps we should merge the 2 entries.



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message