Ichnafi
May 25, 2018
Cirrostratus
Why only two supported ciphers in ssh_config
Hello everyone,
I recently tried to copy a file via scp from a BIG-IP and it failed with "not matching ciphers". I had a look into it and stumbled upon the fact that by default only aes128-cbc and aes256-cbc are the ciphers supported by the BIG-IP's SSH client.
[Snippet from /config/ssh/ssh_config (Vers. 12.1 and 13):]
(...)
Ciphers aes128-cbc,aes256-cbc
(...)
I'm wondering, why is the BIG-IP's SSH client configured like that? From my understanding, CBC ciphers are considered weak and are therefore disabled by default, for example in the standard Debian SSH server. The BIG-IP's SSH server supports a wide variety of ciphers.
I added those ciphers to my SSH servers and now everything works, but I'm still somewhat confused by that decision.
Cheers, Ichnafi
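The failure described in the post, reproduced as an added example (not part of the original post and not F5 code): SSH picks the first cipher on the client's list that the server also offers (RFC 4253, section 7.1), so a CBC-only client list against a server without CBC ciphers negotiates nothing. The server cipher list and the function names are constructed for illustration, and the parser reads only the first plain `Ciphers` line, ignoring `Host`/`Match` blocks and `+`/`-`/`^` list prefixes.

```python
import re

# Constructed sample: the client setting quoted in the post.
BIGIP_SSH_CONFIG = """\
# (...)
Ciphers aes128-cbc,aes256-cbc
# (...)
"""

# Constructed sample (assumption): a server that offers no CBC ciphers.
SERVER_CIPHERS = [
    "chacha20-poly1305@openssh.com",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
]

def client_ciphers(config_text):
    """Return the first plain Ciphers list in an ssh_config text, or None."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and value are separated by whitespace or a single '='.
        m = re.match(r"(?i)ciphers(?:\s*=\s*|\s+)(\S.*)$", line)
        if m:
            return [c.strip() for c in m.group(1).split(",") if c.strip()]
    return None

def negotiate(client, server):
    """First cipher on the client's list that the server also offers."""
    return next((c for c in client if c in server), None)

def audit(config_text, server):
    """Summarise the client list and the outcome against one server."""
    client = client_ciphers(config_text) or []
    return {
        "client": client,
        "cbc_only": bool(client) and all(c.endswith("-cbc") for c in client),
        "negotiated": negotiate(client, server),  # None means no match
    }

if __name__ == "__main__":
    print(audit(BIGIP_SSH_CONFIG, SERVER_CIPHERS))
    print(audit(BIGIP_SSH_CONFIG, SERVER_CIPHERS + ["aes256-cbc"]))
```

The second call mirrors the workaround in the post: once the server also offers a CBC cipher, the client's first matching entry is selected.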