encryption protocols - are there any that are not secure in ssh?
From: Randall M Gunning (securityfocus_at_randygunning.com)
To: <firstname.lastname@example.org> Date: Tue, 4 May 2004 09:22:39 -0700
Recently, I had a user complain that he could not connect via ssh (or scp)
to a remote system (outside of our company) after an upgrade to Solaris 9
from Solaris 7. After doing some research, I found that the remote system
only allowed the arcfour encryption protocol. I contacted the system admin
for that system to find out why and the response I received was –
>Due to a security advisory years ago, we were advised that all cyphers
>other than arcfour were susceptible to some form of security breaches
>and advised to turn them off on all departmental machines. That hasn't
>caused any problems with clients up until now.
>I don't know the exact nature of the problem, nor if I could find the
>advisory from back then, but that's why xxx set up as it is.
So, my question to the list is: Are there any known issues with the
enryption protocols (blowfish, des, 3des, arcfour) that I should be worried
about? Should I try to convince the other System Administrator to add one of
the other protocols back?
Adding the arcfour protocol to our systems would mean installing openssh for
Solaris. The ssh that comes bundled with Solaris 9 and 10 does not support
arcfour for some reason, Sun says they may add it in Solaris 10 at a later
time. I really do not want to add another software package that needs to be
maintained (this is primarily a maintenance issue, we run plenty of open
source software here).
One way or another, I have to get the systems to talk to each other so the
user can send his files.