From owner-freebsd-security  Fri Nov 24 15:32: 8 2000
Delivered-To: freebsd-security@freebsd.org
Received: from citusc17.usc.edu (citusc17.usc.edu [128.125.38.177])
	by hub.freebsd.org (Postfix) with ESMTP
	id 0450837B4C5; Fri, 24 Nov 2000 15:32:04 -0800 (PST)
Received: (from kris@localhost)
	by citusc17.usc.edu (8.11.1/8.11.1) id eAONX7q71755;
	Fri, 24 Nov 2000 15:33:07 -0800 (PST)
	(envelope-from kris)
Date: Fri, 24 Nov 2000 15:33:07 -0800
From: Kris Kennaway <kris@FreeBSD.org>
To: "Brian F. Feldman" <green@FreeBSD.org>
Cc: security@FreeBSD.org
Subject: Re: OpenSSH 2.3.0 pre-upgrade
Message-ID: <20001124153307.A71713@citusc17.usc.edu>
References: <200011242328.eAONSJ560421@green.dyndns.org>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5;
	protocol="application/pgp-signature"; boundary="9amGYk9869ThD9tj"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200011242328.eAONSJ560421@green.dyndns.org>; from green@FreeBSD.org on Fri, Nov 24, 2000 at 06:28:19PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


--9amGYk9869ThD9tj
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Fri, Nov 24, 2000 at 06:28:19PM -0500, Brian F. Feldman wrote:

> What's new in this release?  Mostly the adding of the AES (Rijndael) to t=
he=20
> SSH2 algorithms.  Is anything now broken?  Well, nothing new broken that =
I=20

Doesn't that rely on AES support in OpenSSL?

> There's some weird issue where for the Diffie-Hellman exchange, OpenSSH=
=20
> wants primes but doesn't seem to want to generate them... it expects an
> /etc/ssh/primes (which should become /var/run/ssh_primes, if anything) an=
d I=20
> have no clue where the program is that supposedly generates them.  So, fo=
r=20
> SSH2, the authentication stage generates a large warning and uses a=20
> hardcoded prime.  This should not actually have an affect on security,=20
> though, according to my understanding of the Diffie-Hellman protocol.

They're static - OpenBSD just committed the file with some good primes
generated from OpenSSL, presumably.

Kris
--9amGYk9869ThD9tj
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjoe+rMACgkQWry0BWjoQKUc/gCghafS9pr8E5Bee+oFJ0nUOuz5
ErEAnROdPkl5v/gO6a3N0iSV7sjnnou/
=Oa5X
-----END PGP SIGNATURE-----

--9amGYk9869ThD9tj--


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message