Thursday Jul 30, 2009

SSH with aes256ctr support not working on some S10 systems

I've been getting emails today about SSH aes256ctr being broken on some Solaris 10 machines.

This goes back to my work earlier to get strong crypto included by default on all Solaris 10 systems.  This started in Solaris 10 Update 4, and I guess I figured everyone would read my blog, jump for joy and upgrade their systems. ;-)

It seems some of you haven't and are now seeing errors like:

sshd[8975]: [ID 800047 auth.crit] fatal: matching cipher is not supported: aes256-ctr

This is a direct result of Sun's SSH now taking advantage of the presumed availability of strong crypto on the systems.  This works fantastically well on newer Solaris 10 systems.

This issue is now covered by a bug, and you can see one workaround there.

Let's assume you *do* want strong crypto, though, and you want to stay on an older release of Solaris 10. In that case, you need to install the original S10 version of SUNWcry and SUNWcryr onto these older Solaris 10 systems and reapply all cryptographic framework patches.  The packages are available as part of the Solaris 10 Encryption Kit. You need to reapply the patches because, when you installed them before, SUNWcry & SUNWcryr were not on the system, so they would have missed all the patching goodness for their bits.  It's important that you do this, or you will end up with mismatched bits for the cryptographic framework, which will have undefined (i.e. probably not good) results.
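To find which hosts are hitting the sshd error shown above, for instance from a central loghost, the following added example (not code from this blog or from Sun) counts the failures per host and cipher. It assumes the usual syslog line layout with the hostname in the fourth field; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Summarise sshd "matching cipher is not supported" failures per host and cipher.
# Assumed layout: "Mon DD HH:MM:SS host sshd[pid]: [ID ...] fatal: ... : cipher"

unsupported_ciphers() {
    # Reads log files named as arguments, or stdin when none are given.
    # Prints "host cipher count", one line per pair, sorted.
    awk '
        /sshd\[[0-9]+\]:/ && /fatal: matching cipher is not supported: / {
            host = $4        # hostname field of the syslog header
            cipher = $NF     # the cipher name is the last word of the message
            count[host " " cipher]++
        }
        END {
            for (k in count) print k, count[k]
        }
    ' "$@" | sort
}

# Constructed sample input (hypothetical hosts, PIDs and timestamps).
sample_log() {
cat <<'EOF'
Jul 30 09:14:02 web01 sshd[8975]: [ID 800047 auth.crit] fatal: matching cipher is not supported: aes256-ctr
Jul 30 09:14:40 web01 sshd[8981]: [ID 800047 auth.info] Accepted publickey for admin from 192.0.2.10 port 40122 ssh2
Jul 30 09:15:11 db02 sshd[1204]: [ID 800047 auth.crit] fatal: matching cipher is not supported: aes192-ctr
Jul 30 09:16:27 web01 sshd[9002]: [ID 800047 auth.crit] fatal: matching cipher is not supported: aes256-ctr
Jul 30 09:17:03 db02 sendmail[733]: [ID 702911 mail.info] unrelated line
EOF
}

# Demonstration on the constructed sample.
sample_log | unsupported_ciphers
```

Hosts that show up in the output are the ones still missing strong crypto support and are candidates for the package install and patch reapplication described above.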


Thursday Dec 18, 2008

encrypt command will suddenly no longer be annoying!

Thanks to a fix from Dina Nimeh's latest push of changeset 27f403fbf8ca, the next OpenSolaris release will now prompt you twice for the passphrase it uses to generate the key to encrypt your data with. This is a long overdue change, one that I can't believe we didn't do sooner. The way we implemented it before, it was too easy to lose your data if you made a mistake the first time you put in your passphrase. Yay!
About

Valerie's former weblog. The new one can be found at http://bubbva.blogspot.com/
