What's that? SSH can still use RC4? Not for much longer, promise

A hackathon next week will see 'net developers get to work consigning more insecure cryptography to the /dev/null of history. The Internet Engineering Task Force's 103rd meeting kicks off in Thailand with the customary hackathon starting on 3 November, and one of the agenda items is getting the RC4 cipher out of SSH (secure …

  1. seven of five
    IT Angle

    Is that a bipod under the G36?

    Slightly over the top, isn't it? At least in combination with the tiny standard optics. (otoh, what do I know, I'm more an SVDS kind of person, so ymmv)

  2. Anonymous Coward

    Good for them but compliance will be another matter

    There are still places using SSH 1.x (http://www.openssh.com/usage/graphs.html).

    1. Hans 1
      Facepalm

      Re: Good for them but compliance will be another matter

      The graphs end in 2008, ten years ago ...

      1. Michael Wojcik Silver badge

        Re: Good for them but compliance will be another matter

        The graphs end in 2008

        That's even worse - there are still sites using 2008!

  3. Anonymous Coward

    Not sure if this is a good idea

    There have to be some old devices out there that support ssh but would need RC4 since newer stuff is too computationally intense (plus you wouldn't be able to upgrade its firmware)

    Should leave them in, with some sort of a setting in the config file to enable insecure stuff on a per host basis...

  4. Phil Endecott

    How old would something have to be to be using RC4?

    I.e. when did something better become the default?

    1. katrinab Silver badge

      RFC 4253, published in January 2006, has lots of alternatives to RC4, and says that RC4 is potentially weak and should be used with caution. There aren't any earlier RFCs, but ssh had been around for quite a while by that time.

  5. -tim
    Meh

    There are lots of buried systems

    It isn't the public facing ones that are the real issue, it is all the stuff hidden away with automated scripts that will be a real pain to find and update.

    My toolbox includes a copy of the last openssh to support ssh protocol 1 with all the bad ciphers because sometimes it is needed.

    While the authors seem to treat ssh as an interactive utility, there is a massive amount of data that is slung around automatically with it. The scripts used tend not to be too robust with even simple things like server key types being updated.

    1. Anonymous Coward

      Re: There are lots of buried systems

      Yep, I've written scripts using scp that specified options for older encryption options because that's what the server had available. Might have even been RC4, this was back in 2009/2010.

      Hopefully those devices running older SSH versions have been upgraded by now, but if those scripts are still operational and the script server they are running on gets updated to a RHEL version with the latest SSH, stuff is going to break and cause someone heartache...
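
The buried-script problem raised in the comments above can be checked for before a client upgrade. This is an added example, not part of the original thread: a small scanner that flags lines in scripts and ssh_config files that request an RC4 cipher. The function names and the sample input are constructed for illustration; the cipher names are the SSH RC4 names (arcfour, arcfour128, arcfour256).

```python
import re

# RC4 cipher names used by SSH: "arcfour" (RFC 4253), "arcfour128"/"arcfour256" (RFC 4345).
RC4_NAMES = {"arcfour", "arcfour128", "arcfour256"}

# "Ciphers" keyword: ssh_config lines, -o Ciphers=..., -oCiphers=..., -o "Ciphers ...".
CIPHERS_KW = re.compile(r"Ciphers[=\s]+([\w@.,+^-]+)", re.IGNORECASE)
# -c cipher_spec on an ssh/scp/sftp command line (does not match e.g. "bash -c").
DASH_C = re.compile(r"\b(?:ssh|scp|sftp)\b.*?\s-c\s+([\w@.,+^-]+)")


def rc4_in_spec(spec):
    """RC4 names a cipher list enables; a leading '-' removes ciphers, so it yields none."""
    if spec.startswith("-"):
        return []
    return [c for c in spec.lstrip("+^").split(",") if c in RC4_NAMES]


def scan(text):
    """Return [(line_number, [rc4 names], line)] for every line that requests RC4."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and whole-line comments
        names = []
        for pattern in (CIPHERS_KW, DASH_C):
            for spec in pattern.findall(stripped):
                names += [n for n in rc4_in_spec(spec) if n not in names]
        if names:
            findings.append((lineno, names, stripped))
    return findings


# Constructed sample: a transfer script followed by an ssh_config fragment.
SAMPLE = """\
#!/bin/sh
# nightly transfer job (constructed sample)
scp -c arcfour256 /data/export.tgz backup@legacy-host:/incoming/
ssh -o Ciphers=aes128-ctr,arcfour legacy-host uptime
sftp -oCiphers=aes256-ctr modern-host
Host old-switch
    Ciphers +arcfour
Host *
    Ciphers -arcfour
"""

if __name__ == "__main__":
    for lineno, names, line in scan(SAMPLE):
        print(f"line {lineno}: requests {', '.join(names)}: {line}")
```

Lines that only remove RC4 from the default set (a cipher list starting with "-") are deliberately not reported.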
