Feature #425
closed
SSH Daemon in v1.2.3+ (including 2.0-Beta1) - Please add 3des-cbc cipher
0%
Description
Hello,
I discovered that my java SSH client (MIDPSSH) for my Blackberry could no longer connect to any pfSense box I had updated to v1.2.3 or newer and posted in the forum. Older builds continue to work.
After working with the developer of a more current SSH client project (BBSSH), the issue was nailed down to a missing cipher in newer versions.
As my client required 3des-cbc, the fix was to make the following change to /etc/sshd :
Original Line :
$sshconf = "Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc\n";
Changed Line :
$sshconf = "Ciphers 3des-cbc,aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc\n";
I'd like to request that this cipher be re-added if possible for future builds.
Thanks in advance!
-- Phob
Updated by Chris Buechler over 15 years ago
- Status changed from New to Rejected
The current list is as it is because of this:
http://www.openssh.com/txt/cbc.adv
This is the first client I've heard of that doesn't support one of those ciphers shown as non-vulnerable there. While that attack is very much a long shot, I don't think we should add a potentially vulnerable cipher for the sake of supporting an obscure SSH client. You can always edit the file manually to accommodate your client.
Updated by Pho Bia over 15 years ago
Chris,
Thanks for your response. Just so you know MIDPSSH (and now the newer BBSSH which is still in development) are in my view the best options for SSH on the Blackberry handheld platform. I know that still makes them somewhat limited in scope, but never the less, I'm surprised this issue hasn't come up previously as Blackberry devices are very popular, and I would think a large number of System/Network Administrator types would use one of those clients.
The author of BBSSH (which is originated with the MIDPSSH code) has told me that he plans to eventually move to the native Blackberry encryption API, so this manual fix will be fine for my purposes.
Thanks for providing the link and reason for the rejection. I know that security is the top priority for the pfSense team, so it is completely understandable!
-- Phob
Updated by Chris Buechler over 15 years ago
I think most people probably don't bother SSHing from mobile devices, or at least I don't as it's impractical. Today was the first time I tried from my iPhone, TouchTerm works fine though.
Updated by Pho Bia over 15 years ago
I have used it often enough both from my Blackberry and on my iPhone. I have most often needed to remotely reconfigure switching gear when it wasn't possible or practical to get to my laptop. Also I will often use it when I'm on site but away from my computer if I'm troubleshootig an issue by myself. Anyway ... clearly it isn't everyone's cup of tea! Thanks again for the clarification on the issue. I actually thought that 3des-CBC was a required cipher for OpenSSH so I didn't even consider that as an issue at first.