Bug 1281705

Summary: Bad cipher 'blowfish'
Product: [Fedora] Fedora Reporter: Vratislav Podzimek <vpodzime>
Component: opensshAssignee: Jakub Jelen <jjelen>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 23CC: jjelen, mattias.ellert, mgrepl, plautrba, tmraz
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-12-23 09:08:45 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Vratislav Podzimek 2015-11-13 08:06:50 UTC
Description of problem:
If I have the 'blowfish' cipher specified in my ~/.ssh/config file, I cannot ssh to any machine because ssh complains about it being a bad cipher (whatever that wording means).

Version-Release number of selected component (if applicable):
openssh-7.1p1-5.fc23.x86_64

How reproducible:
100%

Steps to Reproduce:
1. specify 'Cipher blowfish' for some of Host in ~/.ssh/config
2. try to ssh somewhere

Actual results:
line XY: Bad cipher 'blowfish'.

Expected results:
ssh login successful

Additional info:
'blowfish-cbc' works, but since people tend to use their ssh configs for years, I think ssh should do the change on its own internally and possibly just produce some warning.

Comment 1 Jakub Jelen 2015-12-11 14:24:59 UTC
Sorry for a late answer. I missed this bug somehow.

If you check the manual page for ssh_config(5), you will read:

> Cipher   Specifies the cipher to use for encrypting the session in protocol version 1.

This explains it. This option has nothing to do in current setups and has no effect for protocol SSHv2.


From my opinion, it should rather yell about unsupported option, since SSHv1 is gone in version 7+. This is only thing we can fix. Maintaining compatible options for many years obsolete protocol is not a good idea.

Comment 2 Vratislav Podzimek 2016-02-08 10:07:41 UTC
(In reply to Jakub Jelen from comment #1)
> Sorry for a late answer. I missed this bug somehow.
> 
> If you check the manual page for ssh_config(5), you will read:
> 
> > Cipher   Specifies the cipher to use for encrypting the session in protocol version 1.
> 
> This explains it. This option has nothing to do in current setups and has no
> effect for protocol SSHv2.
> 
> 
> From my opinion, it should rather yell about unsupported option, since SSHv1
> is gone in version 7+. This is only thing we can fix. Maintaining compatible
> options for many years obsolete protocol is not a good idea.

Fair enough, thanks for the explanation.