Default forwarding features; default cipher

Jim Knoble jmknoble at pobox.com
Fri Oct 26 01:37:57 EST 2001 

Circa 2001-Oct-25 10:15:45 -0400 dixit Ed Phillips:

: On Wed, 24 Oct 2001, Jim Knoble wrote:
: > Are you sure you're reading the default ssh_config file, and that
: > you're reading it correctly?  To my recollection, the default
: > ssh_config file is "empty" (i.e., contains no non-blank, uncommented
: 
: Right... I meant the comments that supposedly list the options and their
: defaults - which may be out of date.  I find it useful if it's correct.

I suspect that interpretation isn't quite spot on:

  $ pwd
  /home/jmknoble/openssh-2.9.9p2
  $ grep -i '^#[ ]*cipher\>' /etc/ssh/ssh_config
  #   Cipher blowfish
  $ fgrep ssh_cipher_default *.c
  sshconnect1.c:  int ssh_cipher_default = SSH_CIPHER_3DES;
                                          ^^^^^^^^^^^^^^^^^^
  sshconnect1.c:          if (cipher_mask_ssh1(1) & supported_ciphers & (1 << ssh_cipher_default))
  sshconnect1.c:                  options.cipher = ssh_cipher_default;
  sshconnect1.c:              cipher_name(ssh_cipher_default));
  sshconnect1.c:          options.cipher = ssh_cipher_default;
  $ 

I'd accept the opinion of the manual page over the comments in the
default config file.

: > [...] For SSH protocol v2, the 'Ciphers' (plural) keyword applies;
: > the default configuration asks for 'aes128-cbc' first.
: 
: Okay... what is aes128?

http://slashdot.org/article.pl?sid=00/10/02/1627222&mode=thread
http://csrc.nist.gov/encryption/aes/

: > That said, i don't know of any reason for you not to configure "Cipher
: > blowfish" and "Ciphers blowfish-cbc,..." as defaults.  Blowfish is a
: > fast cipher, and it's been around for quite a while....
: 
: I'd like to use the one that is accepted as being fast yet strong... ;-)

Feel free:

http://www.counterpane.com/hotlist.html
http://www.eskimo.com/~weidai/algorithms.html
http://www.cs.berkeley.edu/~daw/crypto.html
http://www.cryptography.org/

-- 
jim knoble | jmknoble at pobox.com   | http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 262 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20011025/9d7a9ac0/attachment.bin

More information about the openssh-unix-dev mailing list