- dtucker@cvs.openbsd.org 2004/06/13 14:01:42

[ssh.1 ssh_config.5 sshd_config.5] List supported ciphers in man pages, tidy up ssh -c; "looks fine" jmc@, ok markus@
author: Damien Miller <djm@mindrot.org> 2004-06-15 10:30:39 +1000
committer: Damien Miller <djm@mindrot.org> 2004-06-15 10:30:39 +1000
commit: 05202ffe214115afa24bf6e7a6d8c8457e6759bb (patch)
tree: f3641217991b813f50e30515cd66ab87f4d7786d
parent: f675fc4948b2ec2c9ff86bcdd58e00947f0e319b (diff)
4 files changed, 68 insertions, 17 deletions
diff --git a/ChangeLog b/ChangeLog
index 1d2563ba8..3edf2d19b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -20,6 +20,10 @@
     [ssh-keyscan.c sshconnect2.c sshd.c]
     implement diffie-hellman-group14-sha1 kex method (trivial extension to
     existing diffie-hellman-group1-sha1); ok markus@
+   - dtucker@cvs.openbsd.org 2004/06/13 14:01:42
+     [ssh.1 ssh_config.5 sshd_config.5]
+     List supported ciphers in man pages, tidy up ssh -c;
+     "looks fine" jmc@, ok markus@
 20040603
 - (dtucker) [auth-pam.c] Don't use pam_* namespace for sshd's PAM functions.
@@ -1204,4 +1208,4 @@
   - (djm) Trim deprecated options from INSTALL. Mention UsePAM
   - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
-$Id: ChangeLog,v 1.3380 2004/06/15 00:30:09 djm Exp $
+$Id: ChangeLog,v 1.3381 2004/06/15 00:30:39 djm Exp $
diff --git a/ssh.1 b/ssh.1
index 203e8f288..6cef0851d 100644
--- a/ssh.1
+++ b/ssh.1
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.188 2004/05/22 16:01:05 jmc Exp $
+.\" $OpenBSD: ssh.1,v 1.189 2004/06/13 14:01:42 dtucker Exp $
 .Dd September 25, 1999
 .Dt SSH 1
 .Os
@@ -241,8 +241,8 @@ Additionally,
 supports hostbased or challenge response authentication.
 .Pp
 Protocol 2 provides additional mechanisms for confidentiality
-(the traffic is encrypted using 3DES, Blowfish, CAST128 or Arcfour)
+(the traffic is encrypted using AES, 3DES, Blowfish, CAST128 or Arcfour)
-and integrity (hmac-md5, hmac-sha1).
+and integrity (hmac-md5, hmac-sha1, hmac-ripemd160).
 Note that protocol 1 lacks a strong mechanism for ensuring the
 integrity of the connection.
 .Ss Login session and remote execution
@@ -449,13 +449,18 @@ The default value can be set on a host-by-host basis in the
 configuration files; see the
 .Cm Compression
 option.
-.It Fl c Ar blowfish | 3des | des
+.It Fl c Ar cipher_spec
-Selects the cipher to use for encrypting the session.
+Selects the cipher specification for encrypting the session.
-.Ar 3des
+.Pp
-is used by default.
+Protocol version 1 allows specification of a single cipher.
-It is believed to be secure.
+The suported values are
+.Dq 3des ,
+.Dq blowfish
+and
+.Dq des .
 .Ar 3des
 (triple-des) is an encrypt-decrypt-encrypt triple with three different keys.
+It is believed to be secure.
 .Ar blowfish
 is a fast block cipher; it appears very secure and is much faster than
 .Ar 3des .
@@ -467,12 +472,30 @@ that do not support the
 .Ar 3des
 cipher.
 Its use is strongly discouraged due to cryptographic weaknesses.
-.It Fl c Ar cipher_spec
+The default is
-Additionally, for protocol version 2 a comma-separated list of ciphers can
+.Dq 3des .
-be specified in order of preference.
+.Pp
-See
+For protocol version 2
-.Cm Ciphers
+.Ar cipher_spec
-for more information.
+is a comma-separated list of ciphers
+listed in order of preference.
+The supported ciphers are
+.Dq 3des-cbc ,
+.Dq aes128-cbc ,
+.Dq aes192-cbc ,
+.Dq aes256-cbc ,
+.Dq aes128-ctr ,
+.Dq aes192-ctr ,
+.Dq aes256-ctr ,
+.Dq arcfour ,
+.Dq blowfish-cbc ,
+and
+.Dq cast128-cbc .
+The default is
+.Bd -literal
+  ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
+    aes192-cbc,aes256-cbc''
+.Ed
 .It Fl D Ar port
 Specifies a local
 .Dq dynamic
diff --git a/ssh_config.5 b/ssh_config.5
index 97fcdd80e..46d3012c8 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.34 2004/05/06 11:24:23 jmc Exp $
+.\" $OpenBSD: ssh_config.5,v 1.35 2004/06/13 14:01:42 dtucker Exp $
 .Dd September 25, 1999
 .Dt SSH_CONFIG 5
 .Os
@@ -185,6 +185,18 @@ The default is
 Specifies the ciphers allowed for protocol version 2
 in order of preference.
 Multiple ciphers must be comma-separated.
+The supported ciphers are
+.Dq 3des-cbc ,
+.Dq aes128-cbc ,
+.Dq aes192-cbc ,
+.Dq aes256-cbc ,
+.Dq aes128-ctr ,
+.Dq aes192-ctr ,
+.Dq aes256-ctr ,
+.Dq arcfour ,
+.Dq blowfish-cbc ,
+and
+.Dq cast128-cbc .
 The default is
 .Bd -literal
  ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
diff --git a/sshd_config.5 b/sshd_config.5
index 8edaf030c..3a377ca74 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.33 2004/05/23 23:59:53 dtucker Exp $
+.\" $OpenBSD: sshd_config.5,v 1.34 2004/06/13 14:01:42 dtucker Exp $
 .Dd September 25, 1999
 .Dt SSHD_CONFIG 5
 .Os
@@ -149,6 +149,18 @@ The default is
 .It Cm Ciphers
 Specifies the ciphers allowed for protocol version 2.
 Multiple ciphers must be comma-separated.
+The supported ciphers are
+.Dq 3des-cbc ,
+.Dq aes128-cbc ,
+.Dq aes192-cbc ,
+.Dq aes256-cbc ,
+.Dq aes128-ctr ,
+.Dq aes192-ctr ,
+.Dq aes256-ctr ,
+.Dq arcfour ,
+.Dq blowfish-cbc ,
+and
+.Dq cast128-cbc .
 The default is
 .Bd -literal
  ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
author	Damien Miller <djm@mindrot.org>	2004-06-15 10:30:39 +1000
committer	Damien Miller <djm@mindrot.org>	2004-06-15 10:30:39 +1000
commit	05202ffe214115afa24bf6e7a6d8c8457e6759bb (patch)
tree	f3641217991b813f50e30515cd66ab87f4d7786d
parent	f675fc4948b2ec2c9ff86bcdd58e00947f0e319b (diff)

diff --git a/ChangeLog b/ChangeLog index 1d2563ba8..3edf2d19b 100644 --- a/ChangeLog +++ b/ChangeLog
@@ -20,6 +20,10 @@
20	[ssh-keyscan.c sshconnect2.c sshd.c]	20	[ssh-keyscan.c sshconnect2.c sshd.c]
21	implement diffie-hellman-group14-sha1 kex method (trivial extension to	21	implement diffie-hellman-group14-sha1 kex method (trivial extension to
22	existing diffie-hellman-group1-sha1); ok markus@	22	existing diffie-hellman-group1-sha1); ok markus@
		23	- dtucker@cvs.openbsd.org 2004/06/13 14:01:42
		24	[ssh.1 ssh_config.5 sshd_config.5]
		25	List supported ciphers in man pages, tidy up ssh -c;
		26	"looks fine" jmc@, ok markus@
23		27
24	20040603	28	20040603
25	- (dtucker) [auth-pam.c] Don't use pam_* namespace for sshd's PAM functions.	29	- (dtucker) [auth-pam.c] Don't use pam_* namespace for sshd's PAM functions.
@@ -1204,4 +1208,4 @@
1204	- (djm) Trim deprecated options from INSTALL. Mention UsePAM	1208	- (djm) Trim deprecated options from INSTALL. Mention UsePAM
1205	- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu	1209	- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
1206		1210
1207	$Id: ChangeLog,v 1.3380 2004/06/15 00:30:09 djm Exp $	1211	$Id: ChangeLog,v 1.3381 2004/06/15 00:30:39 djm Exp $


diff --git a/ssh.1 b/ssh.1 index 203e8f288..6cef0851d 100644 --- a/ssh.1 +++ b/ssh.1
@@ -34,7 +34,7 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: ssh.1,v 1.188 2004/05/22 16:01:05 jmc Exp $	37	.\" $OpenBSD: ssh.1,v 1.189 2004/06/13 14:01:42 dtucker Exp $
38	.Dd September 25, 1999	38	.Dd September 25, 1999
39	.Dt SSH 1	39	.Dt SSH 1
40	.Os	40	.Os
@@ -241,8 +241,8 @@ Additionally,
241	supports hostbased or challenge response authentication.	241	supports hostbased or challenge response authentication.
242	.Pp	242	.Pp
243	Protocol 2 provides additional mechanisms for confidentiality	243	Protocol 2 provides additional mechanisms for confidentiality
244	(the traffic is encrypted using 3DES, Blowfish, CAST128 or Arcfour)	244	(the traffic is encrypted using AES, 3DES, Blowfish, CAST128 or Arcfour)
245	and integrity (hmac-md5, hmac-sha1).	245	and integrity (hmac-md5, hmac-sha1, hmac-ripemd160).
246	Note that protocol 1 lacks a strong mechanism for ensuring the	246	Note that protocol 1 lacks a strong mechanism for ensuring the
247	integrity of the connection.	247	integrity of the connection.
248	.Ss Login session and remote execution	248	.Ss Login session and remote execution
@@ -449,13 +449,18 @@ The default value can be set on a host-by-host basis in the
449	configuration files; see the	449	configuration files; see the
450	.Cm Compression	450	.Cm Compression
451	option.	451	option.
452	.It Fl c Ar blowfish \| 3des \| des	452	.It Fl c Ar cipher_spec
453	Selects the cipher to use for encrypting the session.	453	Selects the cipher specification for encrypting the session.
454	.Ar 3des	454	.Pp
455	is used by default.	455	Protocol version 1 allows specification of a single cipher.
456	It is believed to be secure.	456	The suported values are
		457	.Dq 3des ,
		458	.Dq blowfish
		459	and
		460	.Dq des .
457	.Ar 3des	461	.Ar 3des
458	(triple-des) is an encrypt-decrypt-encrypt triple with three different keys.	462	(triple-des) is an encrypt-decrypt-encrypt triple with three different keys.
		463	It is believed to be secure.
459	.Ar blowfish	464	.Ar blowfish
460	is a fast block cipher; it appears very secure and is much faster than	465	is a fast block cipher; it appears very secure and is much faster than
461	.Ar 3des .	466	.Ar 3des .
@@ -467,12 +472,30 @@ that do not support the
467	.Ar 3des	472	.Ar 3des
468	cipher.	473	cipher.
469	Its use is strongly discouraged due to cryptographic weaknesses.	474	Its use is strongly discouraged due to cryptographic weaknesses.
470	.It Fl c Ar cipher_spec	475	The default is
471	Additionally, for protocol version 2 a comma-separated list of ciphers can	476	.Dq 3des .
472	be specified in order of preference.	477	.Pp
473	See	478	For protocol version 2
474	.Cm Ciphers	479	.Ar cipher_spec
475	for more information.	480	is a comma-separated list of ciphers
		481	listed in order of preference.
		482	The supported ciphers are
		483	.Dq 3des-cbc ,
		484	.Dq aes128-cbc ,
		485	.Dq aes192-cbc ,
		486	.Dq aes256-cbc ,
		487	.Dq aes128-ctr ,
		488	.Dq aes192-ctr ,
		489	.Dq aes256-ctr ,
		490	.Dq arcfour ,
		491	.Dq blowfish-cbc ,
		492	and
		493	.Dq cast128-cbc .
		494	The default is
		495	.Bd -literal
		496	``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
		497	aes192-cbc,aes256-cbc''
		498	.Ed
476	.It Fl D Ar port	499	.It Fl D Ar port
477	Specifies a local	500	Specifies a local
478	.Dq dynamic	501	.Dq dynamic


diff --git a/ssh_config.5 b/ssh_config.5 index 97fcdd80e..46d3012c8 100644 --- a/ssh_config.5 +++ b/ssh_config.5
@@ -34,7 +34,7 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: ssh_config.5,v 1.34 2004/05/06 11:24:23 jmc Exp $	37	.\" $OpenBSD: ssh_config.5,v 1.35 2004/06/13 14:01:42 dtucker Exp $
38	.Dd September 25, 1999	38	.Dd September 25, 1999
39	.Dt SSH_CONFIG 5	39	.Dt SSH_CONFIG 5
40	.Os	40	.Os
@@ -185,6 +185,18 @@ The default is
185	Specifies the ciphers allowed for protocol version 2	185	Specifies the ciphers allowed for protocol version 2
186	in order of preference.	186	in order of preference.
187	Multiple ciphers must be comma-separated.	187	Multiple ciphers must be comma-separated.
		188	The supported ciphers are
		189	.Dq 3des-cbc ,
		190	.Dq aes128-cbc ,
		191	.Dq aes192-cbc ,
		192	.Dq aes256-cbc ,
		193	.Dq aes128-ctr ,
		194	.Dq aes192-ctr ,
		195	.Dq aes256-ctr ,
		196	.Dq arcfour ,
		197	.Dq blowfish-cbc ,
		198	and
		199	.Dq cast128-cbc .
188	The default is	200	The default is
189	.Bd -literal	201	.Bd -literal
190	``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,	202	``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,


diff --git a/sshd_config.5 b/sshd_config.5 index 8edaf030c..3a377ca74 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -34,7 +34,7 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: sshd_config.5,v 1.33 2004/05/23 23:59:53 dtucker Exp $	37	.\" $OpenBSD: sshd_config.5,v 1.34 2004/06/13 14:01:42 dtucker Exp $
38	.Dd September 25, 1999	38	.Dd September 25, 1999
39	.Dt SSHD_CONFIG 5	39	.Dt SSHD_CONFIG 5
40	.Os	40	.Os
@@ -149,6 +149,18 @@ The default is
149	.It Cm Ciphers	149	.It Cm Ciphers
150	Specifies the ciphers allowed for protocol version 2.	150	Specifies the ciphers allowed for protocol version 2.
151	Multiple ciphers must be comma-separated.	151	Multiple ciphers must be comma-separated.
		152	The supported ciphers are
		153	.Dq 3des-cbc ,
		154	.Dq aes128-cbc ,
		155	.Dq aes192-cbc ,
		156	.Dq aes256-cbc ,
		157	.Dq aes128-ctr ,
		158	.Dq aes192-ctr ,
		159	.Dq aes256-ctr ,
		160	.Dq arcfour ,
		161	.Dq blowfish-cbc ,
		162	and
		163	.Dq cast128-cbc .
152	The default is	164	The default is
153	.Bd -literal	165	.Bd -literal
154	``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,	166	``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,