Thursday, July 30, 2009

SSH with aes256ctr support not working on some S10 systems

I've been getting emails today about SSH aes256ctr being broken on some Solaris 10 machines.

This goes back to my work earlier to get strong crypto included by default on all Solaris 10 systems. This started in Solaris 10 Update 4, and I guess I figured everyone would read my blog, jump for joy and upgrade their systems. ;-)

It seems some of you haven't and are now seeing errors like:

sshd[8975]: [ID 800047 auth.crit] fatal: matching cipher is not supported: aes256-ctr

This is a direct result of Sun's SSH now taking advantage of the presumed availability of strong crypto on the systems. This works fantastically well on newer Solaris 10 systems.

This issue is now covered by a bug, and you can see one workaround there.

Let's assume you *do* want strong crypto, though, and you want to stay on an older release of Solaris 10. In that case, you need to install SUNWcry and SUNWcryr onto these older Solaris 10 systems and reapply all cryptographic framework patches. The packages are available as part of the Solaris 10 Encryption Kit. You need to reapply the patches because when you installed them before, SUNWcry and SUNWcryr were not on the system, so they would've missed all the patching goodness for their bits. It's important that you do this, or you will end up with mismatched bits for the cryptographic framework, which will have undefined (i.e., probably not good) results.
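To find affected hosts before users report them, the following added example (not code from the original post or from Sun) counts the sshd fatal error shown above per host and cipher in collected syslog, and checks whether the two packages named above are installed. The sample log lines, hostnames and function names are constructed for illustration; it assumes a POSIX shell and awk (on Solaris 10, ksh or bash with nawk).

```shell
#!/bin/sh
# Added example: triage for "matching cipher is not supported" on Solaris 10.

# Constructed sample syslog lines (hosts, PIDs and addresses are made up).
SAMPLE_LOG='Jul 30 09:12:01 web01 sshd[8975]: [ID 800047 auth.crit] fatal: matching cipher is not supported: aes256-ctr
Jul 30 09:12:07 web01 sshd[8991]: [ID 800047 auth.info] Accepted publickey for admin from 192.0.2.10 port 40112 ssh2
Jul 30 09:13:44 db02 sshd[1204]: [ID 800047 auth.crit] fatal: matching cipher is not supported: aes256-ctr
Jul 30 09:15:20 web01 sshd[9002]: [ID 800047 auth.crit] fatal: matching cipher is not supported: aes192-ctr
Jul 30 09:16:02 web01 sshd[9010]: [ID 800047 auth.crit] fatal: matching cipher is not supported: aes256-ctr'

# Read syslog lines on stdin and print "count host cipher" for every
# host/cipher pair that hit the fatal error. Field 4 of a classic syslog
# line is the hostname; the cipher name is the last field of the message.
unsupported_ciphers() {
    awk '/sshd\[[0-9]+\]: .*fatal: matching cipher is not supported: / {
             n[$4 " " $NF]++
         }
         END { for (k in n) print n[k], k }' | LC_ALL=C sort -k2
}

# Print whichever of SUNWcry / SUNWcryr is not installed.
# Returns 0 when both are present, 1 otherwise.
# pkginfo -q prints nothing and reports presence through its exit status.
missing_crypto_pkgs() {
    missing=""
    for pkg in SUNWcry SUNWcryr; do
        pkginfo -q "$pkg" 2>/dev/null || missing="$missing $pkg"
    done
    [ -z "$missing" ] && return 0
    echo $missing
    return 1
}

# Demo on the constructed sample; on a real host, feed it the file your
# auth.crit messages are logged to and then run missing_crypto_pkgs.
printf '%s\n' "$SAMPLE_LOG" | unsupported_ciphers
```

A host that shows up in the first report and has either package missing is a candidate for the Encryption Kit install followed by reapplying the cryptographic framework patches.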