Forcing encryption algorithms on server side
Darren Tucker
dtucker at zip.com.au
Sun Sep 17 10:33:56 EST 2006

James Maniotis wrote:
> As the man pages say, you can force an encryption algorithm from the
> server side by use of the "Cipher" command.

On the server side it's "Ciphers". Be aware that it applies only to
Protocol 2.

> How would one verify this is working? Thanks.

Run the client in debug mode (e.g. "ssh -vv yourserver"). Amongst the
output, you will see something like this:

debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,[...]
debug2: kex_parse_kexinit: 3des-cbc,arcfour
debug2: kex_parse_kexinit: 3des-cbc,arcfour

The lines after the "reserved" one are the key exchange methods,
signature and ciphers offered by the server.

And a bit further down you will see something like this, which indicates
which cipher, MAC and compression were selected:

debug2: mac_init: found hmac-md5
debug1: kex: client->server arcfour hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: server->client arcfour hmac-md5 none

In this example, the server offered the 3des-cbc and arcfour ciphers,
and the client picked arcfour.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
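
The check described in the message above, scripted as an added example (not part of the original post and not OpenSSH code). It assumes the older debug format quoted above and that the server's proposal lists key exchange, host key, then the two cipher lists; `sample_debug` and `check_ciphers` are hypothetical names and the sample lines are constructed.

```shell
# Constructed sample in the debug format quoted above (not captured from a real host).
sample_debug() {
cat <<'EOF'
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: 3des-cbc,arcfour
debug2: kex_parse_kexinit: 3des-cbc,arcfour
debug2: mac_init: found hmac-md5
debug1: kex: client->server arcfour hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: server->client arcfour hmac-md5 none
EOF
}
# check_ciphers ALLOWED: reads ssh -vv output on stdin; ALLOWED is the comma-separated
# Ciphers list the server should enforce. Returns 0 only if all ciphers seen are in it.
check_ciphers() {
    awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    # The server proposal follows the first "reserved" line. Assumption:
    # entries 3 and 4 of it are the cipher lists (after kex and host key).
    $2 == "kex_parse_kexinit:" && $3 == "reserved" { blocks++; idx = 0; next }
    $2 == "kex_parse_kexinit:" && blocks == 1 {
        idx++
        if (idx == 3 || idx == 4) {
            offered++; m = split($3, c, ",")
            for (i = 1; i <= m; i++)
                if (!(c[i] in ok)) { print "FAIL server offers " c[i]; bad = 1 }
        }
    }
    # Negotiated result: "debug1: kex: <direction> <cipher> <mac> <compression>"
    $1 == "debug1:" && $2 == "kex:" && ($3 == "client->server" || $3 == "server->client") {
        seen[$3] = 1
        if ($4 in ok) print "OK " $3 " uses " $4
        else { print "FAIL " $3 " uses " $4; bad = 1 }
    }
    END {
        # No usable lines (failed connection, no common cipher) is a failure, not a pass.
        if (offered < 2 || !("client->server" in seen) || !("server->client" in seen)) {
            print "FAIL negotiation lines missing"; bad = 1
        }
        exit (bad ? 1 : 0)
    }'
}
# Real use (debug output goes to stderr): ssh -vv yourserver true 2>&1 | check_ciphers 3des-cbc,arcfour
sample_debug | check_ciphers 3des-cbc,arcfour
```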