Default forwarding features; default cipher

Jim Knoble jmknoble at pobox.com
Thu Oct 25 06:26:11 EST 2001


Circa 2001-Oct-24 14:49:47 -0400 dixit Ed Phillips:

: I guess the only gotcha is that you have to enable X11 forwarding in
: sshd_config.  It appears that by default "ssh -X" is silently
: ignored on the server side, and "ssh -A" works fine... and normally
: you get no forwarding from the client without adding the "-A" or
: "-X".  Is this correct?

Yes, that's correct.  Both the server and the client must explicitly
allow X11 forwarding; the default configuration allows it in neither
place.

: By the way, I notice in the stock ssh_config, it would appear that
: "blowfish" is the default cipher.  Is this used for speed or because
: it provides the best security or both?

Are you sure you're reading the default ssh_config file, and that
you're reading it correctly?  To my recollection, the default
ssh_config file is "empty" (i.e., contains no non-blank, uncommented
lines).  According to the man page, the default value for the 'Cipher'
keyword is '3des'.  The 'Cipher' (singular) keyword, however, is only
for SSH protocol v1.  For SSH protocol v2, the 'Ciphers' (plural)
keyword applies; the default configuration asks for 'aes128-cbc' first.

That said, I don't know of any reason for you not to configure "Cipher
blowfish" and "Ciphers blowfish-cbc,..." as defaults.  Blowfish is a
fast cipher, and it's been around for quite a while....

-- 
jim knoble | jmknoble at pobox.com   | http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)


More information about the openssh-unix-dev mailing list