Reorder cipher and key preferences to make more sense #984

alex · 2017-06-06T20:22:28Z

No description provided.

ploxiln · 2017-06-06T20:29:21Z

paramiko/transport.py

        'ecdsa-sha2-nistp256',
        'ecdsa-sha2-nistp384',
        'ecdsa-sha2-nistp521',
-        'ssh-ed25519',


fine with me, but this order was chosen because it looks like openssh puts ecdsa first

debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa

What SSH are you using?

ubuntu-16.04 : OpenSSH_7.2p2 Ubuntu-4ubuntu2.2, OpenSSL 1.0.2g 1 Mar 2016

OS X 10.11 : OpenSSH_6.9p1, LibreSSL 2.1.8

This doesn't match what I'm seeing with OpenSSH_7.4p1

heh, even newer openssh - fair enough

ploxiln · 2017-06-06T20:34:23Z

paramiko/transport.py

@@ -109,9 +109,9 @@ class Transport(threading.Thread, ClosingContextManager):
        'aes192-ctr',
        'aes256-ctr',
        'aes128-cbc',
-        'blowfish-cbc',


I guess this is another case like md5 - older openssh puts blowfish-cbc here, newer openssh omits it (but includes aes192-cbc, aes256-cbc, and 3des-cbc ... maybe blowfish should go last)

debug2: kex_parse_kexinit: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se

debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc

AES-192 and AES-256 are definitely preferable to blowfish. Blowfish vs 3des isn't something I care enough to think about.

bitprophet · 2017-06-09T20:58:06Z

Really gotta stop trying that bloody useless "change bases" feature...will cherry-pick to 2.0 in a sec.

bitprophet · 2017-06-09T21:02:14Z

OK, change made to 2.0 and up, re: blowfish. Then just merged into master to get the Ed25519 tweak. Changelogged the former, latter no point since Ed25519 is new in master.

Reorder cipher and key preferences to make more sense

b395444

ploxiln reviewed Jun 6, 2017

View reviewed changes

bitprophet modified the milestones: Next 1.x+2.x bugfix release, Next 2.x-only bugfix release Jun 8, 2017

bitprophet added Bug Low-hanging fruit labels Jun 8, 2017

bitprophet changed the base branch from master to 2.0 June 9, 2017 20:57

bitprophet changed the base branch from 2.0 to master June 9, 2017 20:57

bitprophet added a commit that referenced this pull request Jun 9, 2017

Hand-port #984 to 2.0

b808d5e

bitprophet merged commit b395444 into paramiko:master Jun 9, 2017

dkhapun pushed a commit to cyberx-labs/paramiko that referenced this pull request Jun 7, 2018

Hand-port paramiko#984 to 2.0

fdcb5b7

Reorder cipher and key preferences to make more sense #984

Reorder cipher and key preferences to make more sense #984

alex commented Jun 6, 2017

ploxiln Jun 6, 2017

alex Jun 6, 2017

ploxiln Jun 6, 2017

alex Jun 6, 2017

ploxiln Jun 6, 2017

ploxiln Jun 6, 2017

alex Jun 6, 2017

bitprophet commented Jun 9, 2017

bitprophet commented Jun 9, 2017

Reorder cipher and key preferences to make more sense #984

Reorder cipher and key preferences to make more sense #984

Conversation

alex commented Jun 6, 2017

ploxiln Jun 6, 2017

Choose a reason for hiding this comment

alex Jun 6, 2017

Choose a reason for hiding this comment

ploxiln Jun 6, 2017

Choose a reason for hiding this comment

alex Jun 6, 2017

Choose a reason for hiding this comment

ploxiln Jun 6, 2017

Choose a reason for hiding this comment

ploxiln Jun 6, 2017

Choose a reason for hiding this comment

alex Jun 6, 2017

Choose a reason for hiding this comment

bitprophet commented Jun 9, 2017

bitprophet commented Jun 9, 2017