From owner-freebsd-security@FreeBSD.ORG Tue Jul 30 12:38:22 2013 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 4E484E61 for ; Tue, 30 Jul 2013 12:38:22 +0000 (UTC) (envelope-from mike@sentex.net) Received: from smarthost1.sentex.ca (smarthost1-6.sentex.ca [IPv6:2607:f3e0:0:1::12]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 1A2C22E93 for ; Tue, 30 Jul 2013 12:38:22 +0000 (UTC) Received: from [192.168.43.26] (pyroxene.sentex.ca [199.212.134.18]) by smarthost1.sentex.ca (8.14.5/8.14.5) with ESMTP id r6UCcIt7028152; Tue, 30 Jul 2013 08:38:19 -0400 (EDT) (envelope-from mike@sentex.net) Message-ID: <51F7B3AD.1060703@sentex.net> Date: Tue, 30 Jul 2013 08:38:05 -0400 From: Mike Tancsa Organization: Sentex Communications User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20120428 Thunderbird/12.0.1 MIME-Version: 1.0 To: Garrett Wollman Subject: Re: fatal: cipher_init: EVP_CipherInit: set key failed for aes128-cbc [preauth] References: <20983.43801.355884.938326@hergotha.csail.mit.edu> In-Reply-To: <20983.43801.355884.938326@hergotha.csail.mit.edu> X-Enigmail-Version: 1.4.2 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Scanned-By: MIMEDefang 2.72 on 64.7.153.18 Cc: freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 30 Jul 2013 12:38:22 -0000 On 7/30/2013 8:01 AM, Garrett Wollman wrote: > Am I the only person to be seeing this log message from sshd: > > fatal: cipher_init: EVP_CipherInit: set key failed for aes128-cbc [preauth] > nice not to have my logs spammed with this. Currently running > openssh-portable-6.2.p2_3,1, and I think it started with upgrade to > 6.2. There is an open PR which can be closed now at http://www.freebsd.org/cgi/query-pr.cgi?pr=171809 which points to http://lists.freebsd.org/pipermail/svn-src-head/2013-May/047921.html Change the default in /etc/ssh/sshd_config to UsePrivilegeSeparation yes as it sounds like you have hardware crypto on the box and you are using UsePrivilegeSeparation sandbox which is broken ---Mike -- ------------------- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, mike@sentex.net Providing Internet services since 1994 www.sentex.net Cambridge, Ontario Canada http://www.tancsa.com/