stribika.github.io

funky suckage with Mac OSX sshd/ssh

Open h0lzi opened this issue 11 years ago • 12 comments

OSX (at least Yosemite) ships with OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011, and it says it would support [email protected],[email protected] (man pages and ssh -v output if you don't configure anything). But it does not :-1: If you add it to your .ssh/config you will get: Bad SSH2 cipher spec '[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr'.

But what's worse is that if you connect from a client that does support [email protected],[email protected] to a Mac OSX sshd, it will just explode, and the error message is not very telling.

My guess would be that OSSLShim 0.9.8r just does not support any GCM. But why Apple didn't patch it to at least not announce and accept GCM mode, I don't know.

Might be worth mentioning.

Jan 07 '15 11:01 h0lzi

I wrote an article on how to update ssh on OSX. It should help you for outgoing connections; I didn't test sshd, but it should also work. Maybe you need to re-link the bins in /usr/bin. Please let me know what you find, so I can put it in the article. https://mochtu.de/2015/01/07/updating-openssh-on-mac-os-x-10-10-yosemite/

Jan 07 '15 13:01 mochtu

Yeah, I know how to do that. Just thought I would mention it. So maybe it's worth adding it to the article.

Jan 07 '15 13:01 h0lzi

Actually GCM is no good because for some reason SSH doesn't encrypt the message size field when using GCM. Nothing wrong with GCM in general as far as I know. It's an SSH thing. I don't have OSX and I don't like recommending stuff I didn't try. I can add your link though.

Jan 07 '15 18:01 stribika

The old OpenSSH also complains about [email protected] on my system, so I recommend the update and also staying up to date (in contrast to Apple's beliefs). If you find it useful, add the link, sure.

Jan 07 '15 18:01 mochtu

https://mochtu.de/2015/01/07/updating-openssh-on-mac-os-x-10-10-yosemite/ works for 10.8.5 too! :)

Jan 07 '15 23:01 nickdesaulniers

Confirmed openssh5.9 on ElementaryOS doesn't support ed25519, as well as openssh6.2 on my Macbook running Mavericks. Linux Mint 17.1 has openssh6.6 and supports ed25519.

Jan 09 '15 18:01 ftolead

I put OpenSSH_6.7p1, OpenSSL 0.9.8za 5 Jun 2014 on my Mac and tried the Ciphers line from your post, still getting a Bad SSH2 cipher spec message

Jan 12 '15 16:01 kevinburke

Can you post ssh -v output?

Jan 12 '15 16:01 stribika-rdonly

Yosemite's default OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011 works with this line:

Ciphers aes256-ctr,aes192-ctr,aes128-ctr

Yosemite with Homebrew OpenSSH_6.7p1, OpenSSL 1.0.1l 15 Jan 2015 supports the full list:

Ciphers [email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr

Jan 17 '15 16:01 vszakats
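
An added example, not part of the thread or any participant's code: a POSIX shell function that trims a desired Ciphers list down to the names a given ssh build reports as supported, so the config line does not trigger the "Bad SSH2 cipher spec" error discussed above. The function name, the desired list and the sample supported list are constructed for illustration; on a real system the supported list would come from `ssh -Q cipher`, which exists from OpenSSH 6.3 onward.

```shell
#!/bin/sh
# filter_ciphers DESIRED SUPPORTED   (hypothetical helper, added example)
#   DESIRED:   comma-separated list, as written after "Ciphers" in ssh_config
#   SUPPORTED: newline-separated cipher names, e.g. output of `ssh -Q cipher`
# Prints the ciphers from DESIRED that appear in SUPPORTED, order preserved.
filter_ciphers() {
    desired=$1
    supported=$2
    kept=
    old_ifs=$IFS
    IFS=,
    for c in $desired; do
        # -x: whole-line match, -F: fixed string, so "." and "@" are literal
        # and a name never matches as a substring of a longer one.
        if printf '%s\n' "$supported" | grep -qxF -- "$c"; then
            kept=${kept:+$kept,}$c
        fi
    done
    IFS=$old_ifs
    printf '%s\n' "$kept"
}

# Constructed sample: a build that offers no GCM ciphers.
SAMPLE_SUPPORTED='aes128-ctr
aes192-ctr
aes256-ctr
aes128-cbc
aes256-cbc'

# Constructed sample: a list that prefers GCM and falls back to CTR.
SAMPLE_DESIRED='aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'

echo "Ciphers $(filter_ciphers "$SAMPLE_DESIRED" "$SAMPLE_SUPPORTED")"

# Against the local binary instead of the sample (assumes OpenSSH >= 6.3):
#   filter_ciphers "$SAMPLE_DESIRED" "$(ssh -Q cipher)"
```

An empty result means the build supports none of the desired ciphers, so no Ciphers line should be written for it.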

OpenSSH_6.7p1, OpenSSL 0.9.8za 5 Jun 2014
debug1: Reading configuration data /Users/kevin/.ssh/config
debug1: /Users/kevin/.ssh/config line 15: Applying options for *
/Users/kevin/.ssh/config line 16: Bad SSH2 cipher spec '[email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr'

Jan 18 '15 03:01 kevinburke

@kevinburke Maybe you forgot to brew install openssl before openssh?

Jan 18 '15 09:01 vszakats

@kevinburke Something might be wrong / out-of-date with your brew environment, because the current dupes ssh formula requires linking against brewed OpenSSL (see brew info homebrew/dupes/openssh after tapping dupes by running install and aborting the build). The linked OpenSSL there is the system one.

10.10.1 system versions

  • /usr/bin/ssh -V: OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
  • /usr/bin/openssl version: OpenSSL 0.9.8za 5 Jun 2014

brew versions

  • /usr/local/bin/ssh -V: OpenSSH_6.7p1, OpenSSL 1.0.1l 15 Jan 2015
  • /usr/local/opt/openssl/bin/openssl version: OpenSSL 1.0.1l 15 Jan 2015

This might help:

brew uninstall --force openssl openssh; brew doctor && brew update && brew install homebrew/dupes/openssh

Jan 21 '15 02:01 skull-squadron