A fix for 6761890 removed CBC modes from the default client and server cipher lists. Unfortunately we overlooked that S9 FCS was shipped with an explicit cipher list set in sshd_config to "aes128-cbc,blowfish-cbc,3des-cbc", which makes updated clients unable to connect to those servers unless the clients' configuration is changed.
What's more, we should reward users for upgrading their machines, which was not the case here: the set of servers they could connect to by default decreased after they upgraded to snv_105. That could cause problems for many existing scripts and cron jobs that connect to some servers. The list of suggested changes is:
- keep CBC modes in the default client list but put them at the back of the list
- do keep the server list without CBC modes. Those modes are not considered 100% secure with SSH protocol version 2 any more, and omitting them from the default server list will result in the client choosing another mode (note that the client is the one who picks the mode from the list of modes offered by the server).
- if the client does not support AES CTR modes or arcfour at all, we suggest either changing or upgrading the client, or changing the server's configuration. Since the server can't force the client to use a more secure CTR mode or arcfour even when the client supports them, we do confirm removal of CBC modes from the server's default list.
- add a better message when there is no match between the client's and the server's cipher mode sets.
- let the server check for the old original Ciphers setting in the sshd_config file (it survives upgrades from S9 to S10 and Nevada) and issue a note to syslogd suggesting that the admin consider removing it, so that the server uses the defaults.
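
The effect of the suggested changes on cipher negotiation, and the sshd_config check from the last item, as an added example that is not SunSSH code. It applies the RFC 4253 section 7.1 rule (the first cipher on the client's list that the server also offers is chosen); the CTR/arcfour lists and the config fragment are constructed samples, not the actual default lists, and the function names are hypothetical.

```python
import re

# Explicit list shipped in the S9 FCS sshd_config, as quoted above.
S9_FCS_CIPHERS = "aes128-cbc,blowfish-cbc,3des-cbc"

# Constructed sample lists for illustration; not the actual SunSSH defaults.
CLIENT_NO_CBC = "aes128-ctr,arcfour"
CLIENT_CBC_LAST = "aes128-ctr,arcfour,aes128-cbc,3des-cbc"
SERVER_NO_CBC = "aes128-ctr,arcfour"

# Constructed sshd_config fragment that survived an upgrade from S9.
SAMPLE_CONFIG = """\
# constructed sshd_config fragment
Protocol 2
#Ciphers aes128-ctr
Ciphers aes128-cbc,blowfish-cbc,3des-cbc
"""


def split_list(names):
    """Split a comma-separated cipher list into its names."""
    return [n.strip() for n in names.split(",") if n.strip()]


def negotiate(client, server):
    """Return the first cipher on the client's list that the server also
    offers (RFC 4253 section 7.1), or None when there is no match."""
    offered = set(split_list(server))
    for name in split_list(client):
        if name in offered:
            return name
    return None


def legacy_ciphers_lines(config_text):
    """Return line numbers of active Ciphers settings equal to the S9 FCS list."""
    hits = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = re.match(r"\s*ciphers[\s=]+(\S.*?)\s*$", line, re.IGNORECASE)
        if m and split_list(m.group(1)) == split_list(S9_FCS_CIPHERS):
            hits.append(lineno)
    return hits


if __name__ == "__main__":
    print("no-CBC client -> S9 FCS server:", negotiate(CLIENT_NO_CBC, S9_FCS_CIPHERS))
    print("CBC-last client -> S9 FCS server:", negotiate(CLIENT_CBC_LAST, S9_FCS_CIPHERS))
    print("CBC-last client -> no-CBC server:", negotiate(CLIENT_CBC_LAST, SERVER_NO_CBC))
    print("legacy Ciphers setting on lines:", legacy_ciphers_lines(SAMPLE_CONFIG))
```

With CBC modes at the back of the client list, the client still reaches the S9 FCS server but prefers a CTR mode wherever the server offers one.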