The import of the latest version of OpenSSH into RELENG_10 drops ciphers such as aes128-cbc from the server. I had a few lightweight clients using aes128-cbc (e.g. alix boxes) to make use of the hardware crypto that broke as a result.

e.g. from a client going to a host that has r295367 applied.

ssh -c aes128-cbc user@target.sentex.ca
no matching cipher found: client aes128-cbc server chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com

and running sshd -ddd

debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1 [preauth]
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug2: kex_parse_kexinit: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com [preauth]
debug2: kex_parse_kexinit: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com [preauth]
debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: kex_parse_kexinit: none,zlib@openssh.com [preauth]
debug2: kex_parse_kexinit: none,zlib@openssh.com [preauth]
debug2: kex_parse_kexinit: [preauth]
debug2: kex_parse_kexinit: [preauth]
debug2: first_kex_follows 0 [preauth]
debug2: reserved 0 [preauth]
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
debug2: kex_parse_kexinit: ssh-dss,ssh-rsa [preauth]
debug2: kex_parse_kexinit: aes128-cbc [preauth]
debug2: kex_parse_kexinit: aes128-cbc [preauth]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib [preauth]
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib [preauth]
debug2: kex_parse_kexinit: [preauth]
debug2: kex_parse_kexinit: [preauth]
debug2: first_kex_follows 0 [preauth]
debug2: reserved 0 [preauth]
Unable to negotiate with xx.yy.zz.146: no matching cipher found. Their offer: aes128-cbc [preauth]
debug1: do_cleanup [preauth]
Created attachment 167706
Re-add the AES-CBC ciphers to the default server proposal list

The ciphers weren't actually dropped, just removed from the default proposal list. The attached patch re-adds a few of them at the bottom of the proposal list. Note that there are known weaknesses in the ssh protocol when using AES-CBC, but no known practical exploits (yet).
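The negotiation failure in the report and the effect of the fix described above, as an added example that is not part of the original thread: it parses both sides' KEXINIT name-lists from `sshd -ddd` output and picks, per field, the first name on the client's list that the server also offers (the RFC 4253 rule, applied uniformly here as a simplification). The sample log is constructed with shortened lists, `extra_server_ciphers` is a hypothetical parameter modelling ciphers appended to the server's default list, and `aes128-cbc` is assumed to be among those the patch re-adds.

```python
# Constructed sample in the format of the sshd -ddd output quoted above, with
# shortened name-lists: sshd's own ten lists first, then the client's ten.
SAMPLE_LOG = """\
debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,diffie-hellman-group14-sha1 [preauth]
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ssh-ed25519 [preauth]
debug2: kex_parse_kexinit: chacha20-poly1305@openssh.com,aes128-ctr,aes256-ctr [preauth]
debug2: kex_parse_kexinit: chacha20-poly1305@openssh.com,aes128-ctr,aes256-ctr [preauth]
debug2: kex_parse_kexinit: hmac-sha2-256,hmac-sha1 [preauth]
debug2: kex_parse_kexinit: hmac-sha2-256,hmac-sha1 [preauth]
debug2: kex_parse_kexinit: none,zlib@openssh.com [preauth]
debug2: kex_parse_kexinit: none,zlib@openssh.com [preauth]
debug2: kex_parse_kexinit: [preauth]
debug2: kex_parse_kexinit: [preauth]
debug2: first_kex_follows 0 [preauth]
debug2: kex_parse_kexinit: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
debug2: kex_parse_kexinit: ssh-dss,ssh-rsa [preauth]
debug2: kex_parse_kexinit: aes128-cbc [preauth]
debug2: kex_parse_kexinit: aes128-cbc [preauth]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1 [preauth]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1 [preauth]
debug2: kex_parse_kexinit: none,zlib [preauth]
debug2: kex_parse_kexinit: none,zlib [preauth]
debug2: kex_parse_kexinit: [preauth]
debug2: kex_parse_kexinit: [preauth]
"""
FIELDS = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]  # RFC 4253 section 7.1 order

def parse_proposals(log, tag="kex_parse_kexinit:"):
    """Return (server, client) proposals as dicts of field -> name-list."""
    lists = []
    for line in log.splitlines():
        if tag in line:
            names = line.split(tag, 1)[1].replace("[preauth]", "").strip()
            lists.append(names.split(",") if names else [])
    if len(lists) != 20:
        raise ValueError(f"expected 20 name-lists, found {len(lists)}")
    return dict(zip(FIELDS, lists[:10])), dict(zip(FIELDS, lists[10:]))

def negotiate(server, client, extra_server_ciphers=()):
    """Per field: first client name the server also offers (extra_server_ciphers is a hypothetical knob)."""
    result = {}
    for field in FIELDS[:8]:  # language lists skipped; first-match is a simplification for kex/hostkey
        offered = list(server[field])
        if field.startswith("enc_"):
            offered += list(extra_server_ciphers)  # appended at the bottom of the server list
        result[field] = next((n for n in client[field] if n in offered), None)
    return result
```

Because the client's order decides, appending CBC at the bottom of the server list leaves clients that list a CTR or AEAD cipher first unaffected, while any client that lists a CBC cipher first will negotiate it.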
A commit references this bug:

Author: des
Date: Fri Mar 11 00:23:11 UTC 2016
New revision: 296634
URL: https://svnweb.freebsd.org/changeset/base/296634

Log:
  Re-add AES-CBC ciphers to the default cipher list on the server.

  PR: 207679

Changes:
  head/crypto/openssh/FREEBSD-upgrade
  head/crypto/openssh/myproposal.h
  head/crypto/openssh/sshd_config.5
A commit references this bug:

Author: des
Date: Sat Mar 12 23:53:20 UTC 2016
New revision: 296781
URL: https://svnweb.freebsd.org/changeset/base/296781

Log:
  MFH (r296633): upgrade to 7.2p2 (fixes xauth command injection bug)
  MFH (r296634): re-add aes-cbc to server-side default cipher list
  MFH (r296651, r296657): fix gcc build of pam_ssh

  PR: 207679
  Security: CVE-2016-3115

Changes:
_U stable/10/ stable/10/crypto/openssh/ChangeLog stable/10/crypto/openssh/FREEBSD-upgrade stable/10/crypto/openssh/Makefile.in stable/10/crypto/openssh/README stable/10/crypto/openssh/README.platform stable/10/crypto/openssh/auth-bsdauth.c stable/10/crypto/openssh/auth-krb5.c stable/10/crypto/openssh/auth-options.c stable/10/crypto/openssh/auth-pam.c stable/10/crypto/openssh/auth.h stable/10/crypto/openssh/auth2-pubkey.c stable/10/crypto/openssh/authfd.c stable/10/crypto/openssh/authfd.h stable/10/crypto/openssh/authfile.c stable/10/crypto/openssh/channels.c stable/10/crypto/openssh/cipher.c stable/10/crypto/openssh/clientloop.c stable/10/crypto/openssh/clientloop.h stable/10/crypto/openssh/config.h stable/10/crypto/openssh/configure.ac stable/10/crypto/openssh/contrib/redhat/openssh.spec stable/10/crypto/openssh/contrib/ssh-copy-id stable/10/crypto/openssh/contrib/ssh-copy-id.1 stable/10/crypto/openssh/contrib/suse/openssh.spec stable/10/crypto/openssh/defines.h stable/10/crypto/openssh/dh.h stable/10/crypto/openssh/includes.h stable/10/crypto/openssh/kex.c stable/10/crypto/openssh/kex.h stable/10/crypto/openssh/kexc25519s.c stable/10/crypto/openssh/kexdhs.c stable/10/crypto/openssh/kexecdhs.c stable/10/crypto/openssh/kexgexs.c stable/10/crypto/openssh/key.c stable/10/crypto/openssh/key.h stable/10/crypto/openssh/krl.c stable/10/crypto/openssh/krl.h stable/10/crypto/openssh/loginrec.c stable/10/crypto/openssh/misc.c stable/10/crypto/openssh/monitor.c stable/10/crypto/openssh/monitor_wrap.c stable/10/crypto/openssh/monitor_wrap.h stable/10/crypto/openssh/mux.c
stable/10/crypto/openssh/myproposal.h stable/10/crypto/openssh/opacket.c stable/10/crypto/openssh/opacket.h stable/10/crypto/openssh/openbsd-compat/bsd-misc.c stable/10/crypto/openssh/openbsd-compat/bsd-misc.h stable/10/crypto/openssh/openbsd-compat/bsd-poll.h stable/10/crypto/openssh/openbsd-compat/glob.c stable/10/crypto/openssh/openbsd-compat/glob.h stable/10/crypto/openssh/openbsd-compat/openbsd-compat.h stable/10/crypto/openssh/openbsd-compat/port-solaris.c stable/10/crypto/openssh/openbsd-compat/port-solaris.h stable/10/crypto/openssh/openbsd-compat/realpath.c stable/10/crypto/openssh/packet.c stable/10/crypto/openssh/packet.h stable/10/crypto/openssh/platform-pledge.c stable/10/crypto/openssh/platform.h stable/10/crypto/openssh/readconf.c stable/10/crypto/openssh/readconf.h stable/10/crypto/openssh/readpass.c stable/10/crypto/openssh/regress/Makefile stable/10/crypto/openssh/regress/agent-ptrace.sh stable/10/crypto/openssh/regress/cert-file.sh stable/10/crypto/openssh/regress/check-perm.c stable/10/crypto/openssh/regress/dhgex.sh stable/10/crypto/openssh/regress/hostkey-rotate.sh stable/10/crypto/openssh/regress/keys-command.sh stable/10/crypto/openssh/regress/keyscan.sh stable/10/crypto/openssh/regress/limit-keytype.sh stable/10/crypto/openssh/regress/principals-command.sh stable/10/crypto/openssh/regress/proxy-connect.sh stable/10/crypto/openssh/regress/rekey.sh stable/10/crypto/openssh/regress/setuid-allowed.c stable/10/crypto/openssh/regress/sftp-chroot.sh stable/10/crypto/openssh/regress/unittests/sshkey/test_file.c stable/10/crypto/openssh/regress/unittests/sshkey/test_fuzz.c stable/10/crypto/openssh/regress/unittests/sshkey/test_sshkey.c stable/10/crypto/openssh/roaming.h stable/10/crypto/openssh/roaming_client.c stable/10/crypto/openssh/roaming_common.c stable/10/crypto/openssh/roaming_dummy.c stable/10/crypto/openssh/roaming_serv.c stable/10/crypto/openssh/sandbox-pledge.c stable/10/crypto/openssh/sandbox-seccomp-filter.c 
stable/10/crypto/openssh/sandbox-solaris.c stable/10/crypto/openssh/sandbox-systrace.c stable/10/crypto/openssh/scp.1 stable/10/crypto/openssh/scp.c stable/10/crypto/openssh/servconf.c stable/10/crypto/openssh/serverloop.c stable/10/crypto/openssh/session.c stable/10/crypto/openssh/sftp-client.c stable/10/crypto/openssh/sftp-client.h stable/10/crypto/openssh/sftp-server-main.c stable/10/crypto/openssh/sftp-server.c stable/10/crypto/openssh/sftp.1 stable/10/crypto/openssh/sftp.c stable/10/crypto/openssh/ssh-add.c stable/10/crypto/openssh/ssh-agent.1 stable/10/crypto/openssh/ssh-agent.c stable/10/crypto/openssh/ssh-dss.c stable/10/crypto/openssh/ssh-ecdsa.c stable/10/crypto/openssh/ssh-keygen.1 stable/10/crypto/openssh/ssh-keygen.c stable/10/crypto/openssh/ssh-keyscan.1 stable/10/crypto/openssh/ssh-keyscan.c stable/10/crypto/openssh/ssh-keysign.8 stable/10/crypto/openssh/ssh-keysign.c stable/10/crypto/openssh/ssh-pkcs11-client.c stable/10/crypto/openssh/ssh-pkcs11-helper.c stable/10/crypto/openssh/ssh-pkcs11.c stable/10/crypto/openssh/ssh-rsa.c stable/10/crypto/openssh/ssh.1 stable/10/crypto/openssh/ssh.c stable/10/crypto/openssh/ssh.h stable/10/crypto/openssh/ssh2.h stable/10/crypto/openssh/ssh_api.c stable/10/crypto/openssh/ssh_config stable/10/crypto/openssh/ssh_config.5 stable/10/crypto/openssh/ssh_namespace.h stable/10/crypto/openssh/sshbuf-getput-basic.c stable/10/crypto/openssh/sshbuf.c stable/10/crypto/openssh/sshbuf.h stable/10/crypto/openssh/sshconnect.c stable/10/crypto/openssh/sshconnect.h stable/10/crypto/openssh/sshconnect1.c stable/10/crypto/openssh/sshconnect2.c stable/10/crypto/openssh/sshd.8 stable/10/crypto/openssh/sshd.c stable/10/crypto/openssh/sshd_config stable/10/crypto/openssh/sshd_config.5 stable/10/crypto/openssh/ssherr.c stable/10/crypto/openssh/sshkey.c stable/10/crypto/openssh/sshkey.h stable/10/crypto/openssh/sshlogin.c stable/10/crypto/openssh/uidswap.c stable/10/crypto/openssh/version.h stable/10/crypto/openssh/xmalloc.c 
stable/10/crypto/openssh/xmalloc.h stable/10/lib/libpam/modules/pam_ssh/Makefile stable/10/lib/libpam/modules/pam_ssh/pam_ssh.c stable/10/secure/lib/libssh/Makefile stable/10/secure/libexec/sftp-server/Makefile stable/10/secure/libexec/ssh-keysign/Makefile stable/10/secure/libexec/ssh-pkcs11-helper/Makefile stable/10/secure/usr.bin/scp/Makefile stable/10/secure/usr.bin/sftp/Makefile stable/10/secure/usr.bin/ssh/Makefile stable/10/secure/usr.bin/ssh-add/Makefile stable/10/secure/usr.bin/ssh-agent/Makefile stable/10/secure/usr.bin/ssh-keygen/Makefile stable/10/secure/usr.bin/ssh-keyscan/Makefile stable/10/secure/usr.sbin/sshd/Makefile
A commit references this bug:

Author: des
Date: Mon Mar 14 13:05:13 UTC 2016
New revision: 296853
URL: https://svnweb.freebsd.org/changeset/base/296853

Log:
  MFS (r296781):
  MFH (r296633): upgrade to 7.2p2 (fixes xauth command injection bug)
  MFH (r296634): re-add aes-cbc to server-side default cipher list
  MFH (r296651, r296657): fix gcc build of pam_ssh

  PR: 207679
  Security: CVE-2016-3115
  Approved by: re (marius)

Changes:
_U releng/10.3/ releng/10.3/crypto/openssh/ChangeLog releng/10.3/crypto/openssh/FREEBSD-upgrade releng/10.3/crypto/openssh/Makefile.in releng/10.3/crypto/openssh/README releng/10.3/crypto/openssh/README.platform releng/10.3/crypto/openssh/auth-bsdauth.c releng/10.3/crypto/openssh/auth-krb5.c releng/10.3/crypto/openssh/auth-options.c releng/10.3/crypto/openssh/auth-pam.c releng/10.3/crypto/openssh/auth.h releng/10.3/crypto/openssh/auth2-pubkey.c releng/10.3/crypto/openssh/authfd.c releng/10.3/crypto/openssh/authfd.h releng/10.3/crypto/openssh/authfile.c releng/10.3/crypto/openssh/channels.c releng/10.3/crypto/openssh/cipher.c releng/10.3/crypto/openssh/clientloop.c releng/10.3/crypto/openssh/clientloop.h releng/10.3/crypto/openssh/config.h releng/10.3/crypto/openssh/configure.ac releng/10.3/crypto/openssh/contrib/redhat/openssh.spec releng/10.3/crypto/openssh/contrib/ssh-copy-id releng/10.3/crypto/openssh/contrib/ssh-copy-id.1 releng/10.3/crypto/openssh/contrib/suse/openssh.spec releng/10.3/crypto/openssh/defines.h releng/10.3/crypto/openssh/dh.h releng/10.3/crypto/openssh/includes.h releng/10.3/crypto/openssh/kex.c releng/10.3/crypto/openssh/kex.h releng/10.3/crypto/openssh/kexc25519s.c releng/10.3/crypto/openssh/kexdhs.c releng/10.3/crypto/openssh/kexecdhs.c releng/10.3/crypto/openssh/kexgexs.c releng/10.3/crypto/openssh/key.c releng/10.3/crypto/openssh/key.h releng/10.3/crypto/openssh/krl.c releng/10.3/crypto/openssh/krl.h releng/10.3/crypto/openssh/loginrec.c releng/10.3/crypto/openssh/misc.c releng/10.3/crypto/openssh/monitor.c
releng/10.3/crypto/openssh/monitor_wrap.c releng/10.3/crypto/openssh/monitor_wrap.h releng/10.3/crypto/openssh/mux.c releng/10.3/crypto/openssh/myproposal.h releng/10.3/crypto/openssh/opacket.c releng/10.3/crypto/openssh/opacket.h releng/10.3/crypto/openssh/openbsd-compat/bsd-misc.c releng/10.3/crypto/openssh/openbsd-compat/bsd-misc.h releng/10.3/crypto/openssh/openbsd-compat/bsd-poll.h releng/10.3/crypto/openssh/openbsd-compat/glob.c releng/10.3/crypto/openssh/openbsd-compat/glob.h releng/10.3/crypto/openssh/openbsd-compat/openbsd-compat.h releng/10.3/crypto/openssh/openbsd-compat/port-solaris.c releng/10.3/crypto/openssh/openbsd-compat/port-solaris.h releng/10.3/crypto/openssh/openbsd-compat/realpath.c releng/10.3/crypto/openssh/packet.c releng/10.3/crypto/openssh/packet.h releng/10.3/crypto/openssh/platform-pledge.c releng/10.3/crypto/openssh/platform.h releng/10.3/crypto/openssh/readconf.c releng/10.3/crypto/openssh/readconf.h releng/10.3/crypto/openssh/readpass.c releng/10.3/crypto/openssh/regress/Makefile releng/10.3/crypto/openssh/regress/agent-ptrace.sh releng/10.3/crypto/openssh/regress/cert-file.sh releng/10.3/crypto/openssh/regress/check-perm.c releng/10.3/crypto/openssh/regress/dhgex.sh releng/10.3/crypto/openssh/regress/hostkey-rotate.sh releng/10.3/crypto/openssh/regress/keys-command.sh releng/10.3/crypto/openssh/regress/keyscan.sh releng/10.3/crypto/openssh/regress/limit-keytype.sh releng/10.3/crypto/openssh/regress/principals-command.sh releng/10.3/crypto/openssh/regress/proxy-connect.sh releng/10.3/crypto/openssh/regress/rekey.sh releng/10.3/crypto/openssh/regress/setuid-allowed.c releng/10.3/crypto/openssh/regress/sftp-chroot.sh releng/10.3/crypto/openssh/regress/unittests/sshkey/test_file.c releng/10.3/crypto/openssh/regress/unittests/sshkey/test_fuzz.c releng/10.3/crypto/openssh/regress/unittests/sshkey/test_sshkey.c releng/10.3/crypto/openssh/roaming.h releng/10.3/crypto/openssh/roaming_client.c releng/10.3/crypto/openssh/roaming_common.c 
releng/10.3/crypto/openssh/roaming_dummy.c releng/10.3/crypto/openssh/roaming_serv.c releng/10.3/crypto/openssh/sandbox-pledge.c releng/10.3/crypto/openssh/sandbox-seccomp-filter.c releng/10.3/crypto/openssh/sandbox-solaris.c releng/10.3/crypto/openssh/sandbox-systrace.c releng/10.3/crypto/openssh/scp.1 releng/10.3/crypto/openssh/scp.c releng/10.3/crypto/openssh/servconf.c releng/10.3/crypto/openssh/serverloop.c releng/10.3/crypto/openssh/session.c releng/10.3/crypto/openssh/sftp-client.c releng/10.3/crypto/openssh/sftp-client.h releng/10.3/crypto/openssh/sftp-server-main.c releng/10.3/crypto/openssh/sftp-server.c releng/10.3/crypto/openssh/sftp.1 releng/10.3/crypto/openssh/sftp.c releng/10.3/crypto/openssh/ssh-add.c releng/10.3/crypto/openssh/ssh-agent.1 releng/10.3/crypto/openssh/ssh-agent.c releng/10.3/crypto/openssh/ssh-dss.c releng/10.3/crypto/openssh/ssh-ecdsa.c releng/10.3/crypto/openssh/ssh-keygen.1 releng/10.3/crypto/openssh/ssh-keygen.c releng/10.3/crypto/openssh/ssh-keyscan.1 releng/10.3/crypto/openssh/ssh-keyscan.c releng/10.3/crypto/openssh/ssh-keysign.8 releng/10.3/crypto/openssh/ssh-keysign.c releng/10.3/crypto/openssh/ssh-pkcs11-client.c releng/10.3/crypto/openssh/ssh-pkcs11-helper.c releng/10.3/crypto/openssh/ssh-pkcs11.c releng/10.3/crypto/openssh/ssh-rsa.c releng/10.3/crypto/openssh/ssh.1 releng/10.3/crypto/openssh/ssh.c releng/10.3/crypto/openssh/ssh.h releng/10.3/crypto/openssh/ssh2.h releng/10.3/crypto/openssh/ssh_api.c releng/10.3/crypto/openssh/ssh_config releng/10.3/crypto/openssh/ssh_config.5 releng/10.3/crypto/openssh/ssh_namespace.h releng/10.3/crypto/openssh/sshbuf-getput-basic.c releng/10.3/crypto/openssh/sshbuf.c releng/10.3/crypto/openssh/sshbuf.h releng/10.3/crypto/openssh/sshconnect.c releng/10.3/crypto/openssh/sshconnect.h releng/10.3/crypto/openssh/sshconnect1.c releng/10.3/crypto/openssh/sshconnect2.c releng/10.3/crypto/openssh/sshd.8 releng/10.3/crypto/openssh/sshd.c releng/10.3/crypto/openssh/sshd_config 
releng/10.3/crypto/openssh/sshd_config.5 releng/10.3/crypto/openssh/ssherr.c releng/10.3/crypto/openssh/sshkey.c releng/10.3/crypto/openssh/sshkey.h releng/10.3/crypto/openssh/sshlogin.c releng/10.3/crypto/openssh/uidswap.c releng/10.3/crypto/openssh/version.h releng/10.3/crypto/openssh/xmalloc.c releng/10.3/crypto/openssh/xmalloc.h releng/10.3/lib/libpam/modules/pam_ssh/Makefile releng/10.3/lib/libpam/modules/pam_ssh/pam_ssh.c releng/10.3/secure/lib/libssh/Makefile releng/10.3/secure/libexec/sftp-server/Makefile releng/10.3/secure/libexec/ssh-keysign/Makefile releng/10.3/secure/libexec/ssh-pkcs11-helper/Makefile releng/10.3/secure/usr.bin/scp/Makefile releng/10.3/secure/usr.bin/sftp/Makefile releng/10.3/secure/usr.bin/ssh/Makefile releng/10.3/secure/usr.bin/ssh-add/Makefile releng/10.3/secure/usr.bin/ssh-agent/Makefile releng/10.3/secure/usr.bin/ssh-keygen/Makefile releng/10.3/secure/usr.bin/ssh-keyscan/Makefile releng/10.3/secure/usr.sbin/sshd/Makefile