diff options
Diffstat (limited to 'usr/src/cmd/ssh/include/myproposal.h')
| -rw-r--r-- | usr/src/cmd/ssh/include/myproposal.h | 55 |
1 files changed, 44 insertions, 11 deletions
diff --git a/usr/src/cmd/ssh/include/myproposal.h b/usr/src/cmd/ssh/include/myproposal.h index e567cf5db7..b6182867d2 100644 --- a/usr/src/cmd/ssh/include/myproposal.h +++ b/usr/src/cmd/ssh/include/myproposal.h @@ -23,7 +23,7 @@ */ /* - * Copyright 2008 Sun Microsystems, Inc. All rights reserved. + * Copyright 2009 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -37,24 +37,57 @@ extern "C" { #endif -#define KEX_DEFAULT_KEX "diffie-hellman-group-exchange-sha1," \ - "diffie-hellman-group1-sha1" +#define KEX_DEFAULT_KEX "diffie-hellman-group-exchange-sha1," \ + "diffie-hellman-group1-sha1" -#define KEX_DEFAULT_PK_ALG "ssh-rsa,ssh-dss" +#define KEX_DEFAULT_PK_ALG "ssh-rsa,ssh-dss" -#define KEX_DEFAULT_ENCRYPT "aes128-ctr,arcfour,aes192-ctr,aes256-ctr" +/* + * Keep CBC modes in the back of the client default cipher list for backward + * compatibility but remove them from the server side because there are some + * potential security issues with those modes regarding SSH protocol version 2. + * Since the client is the one who picks the cipher from the list offered by the + * server the only way to force the client not to use CBC modes is not to + * advertise those at all. Note that we still support all such CBC modes in the + * server code, this is about the default server cipher list only. The list can + * be changed in the Ciphers option in the sshd_config(4) file. + * + * Note that the ordering of ciphers on the server side is not relevant but we + * must do it properly even here so that we can use the macro for the client + * list as well. + */ +#define KEX_DEFAULT_SERVER_ENCRYPT "aes128-ctr,aes192-ctr,aes256-ctr," \ + "arcfour" + +#define KEX_DEFAULT_CLIENT_ENCRYPT KEX_DEFAULT_SERVER_ENCRYPT \ + ",aes128-cbc,aes192-cbc,aes256-cbc," \ + "blowfish-cbc,3des-cbc" -#define KEX_DEFAULT_MAC "hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96" +#define KEX_DEFAULT_MAC "hmac-md5,hmac-sha1,hmac-sha1-96," \ + "hmac-md5-96" -#define KEX_DEFAULT_COMP "none,zlib" -#define KEX_DEFAULT_LANG "" +#define KEX_DEFAULT_COMP "none,zlib" +#define KEX_DEFAULT_LANG "" -static char *myproposal[PROPOSAL_MAX] = { +static char *my_srv_proposal[PROPOSAL_MAX] = { + KEX_DEFAULT_KEX, + KEX_DEFAULT_PK_ALG, + KEX_DEFAULT_SERVER_ENCRYPT, + KEX_DEFAULT_SERVER_ENCRYPT, + KEX_DEFAULT_MAC, + KEX_DEFAULT_MAC, + KEX_DEFAULT_COMP, + KEX_DEFAULT_COMP, + KEX_DEFAULT_LANG, + KEX_DEFAULT_LANG +}; + +static char *my_clnt_proposal[PROPOSAL_MAX] = { KEX_DEFAULT_KEX, KEX_DEFAULT_PK_ALG, - KEX_DEFAULT_ENCRYPT, - KEX_DEFAULT_ENCRYPT, + KEX_DEFAULT_CLIENT_ENCRYPT, + KEX_DEFAULT_CLIENT_ENCRYPT, KEX_DEFAULT_MAC, KEX_DEFAULT_MAC, KEX_DEFAULT_COMP, |