SEO

I was reading the source-changes mailing list the other day when I
noticed a commit to openssh about the arcfour cipher. That got me
curious, so I started looking at the RC4 algorithm in OpenSSL and how
OpenSSH uses it, and I couldn't find anything that said 256bit was the
largest key size that could be used. So, I wrote a little patch to add
in arcfour512 and arcfour1024 ciphers which, if I'm not mistaken about
RC4 key sizes, should allow 512bit and 1024bit RC4 encryption in
OpenSSH. I've been running with this patch for a couple days, both on
-current and backported to 4.0-stable, and it seems to be working just
fine. If I've completely misunderstood RC4 then please let me know,
otherwise I think this could be very useful. The following patch is
what I am using, and includes the minor updates to the man pages.

Index: cipher.c
================================================== =================
RCS file: /cvs/src/usr.bin/ssh/cipher.c,v
retrieving revision 1.81
diff -u -p -r1.81 cipher.c
--- cipher.c 3 Aug 2006 03:34:42 -0000 1.81
+++ cipher.c 8 Jun 2007 12:56:06 -0000
@@ -71,6 +71,8 @@ struct Cipher {
{ "arcfour", SSH_CIPHER_SSH2, 8, 16, 0, EVP_rc4 },
{ "arcfour128", SSH_CIPHER_SSH2, 8, 16, 1536, EVP_rc4 },
{ "arcfour256", SSH_CIPHER_SSH2, 8, 32, 1536, EVP_rc4 },
+ { "arcfour512", SSH_CIPHER_SSH2, 8, 64, 1536, EVP_rc4 },
+ { "arcfour1024", SSH_CIPHER_SSH2, 8, 128, 1536, EVP_rc4 },
{ "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, EVP_aes_128_cbc },
{ "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, 0, EVP_aes_192_cbc },
{ "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, EVP_aes_256_cbc },
Index: myproposal.h
================================================== =================
RCS file: /cvs/src/usr.bin/ssh/myproposal.h,v
retrieving revision 1.22
diff -u -p -r1.22 myproposal.h
--- myproposal.h 7 Jun 2007 19:37:34 -0000 1.22
+++ myproposal.h 8 Jun 2007 12:56:06 -0000
@@ -31,7 +31,7 @@
#define KEX_DEFAULT_PK_ALG "ssh-rsa,ssh-dss"
#define KEX_DEFAULT_ENCRYPT \
"aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \
- "arcfour128,arcfour256,arcfour," \
+ "arcfour128,arcfour256,arcfour512,arcfour1024,arcf our," \
"aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se," \
"aes128-ctr,aes192-ctr,aes256-ctr"
#define KEX_DEFAULT_MAC \
Index: ssh.1
================================================== =================
RCS file: /cvs/src/usr.bin/ssh/ssh.1,v
retrieving revision 1.268
diff -u -p -r1.268 ssh.1
--- ssh.1 7 Jun 2007 19:37:34 -0000 1.268
+++ ssh.1 8 Jun 2007 12:56:06 -0000
@@ -201,6 +201,8 @@ aes192-ctr,
aes256-ctr,
arcfour128,
arcfour256,
+arcfour512,
+arcfour1024,
arcfour,
blowfish-cbc,
and
@@ -208,7 +210,7 @@ cast128-cbc.
The default is:
.Bd -literal -offset indent
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
-arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
+arcfour256,arcfour512,arcfour1024,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
aes192-ctr,aes256-ctr
.Ed
.It Fl D Xo
Index: ssh_config.5
================================================== =================
RCS file: /cvs/src/usr.bin/ssh/ssh_config.5,v
retrieving revision 1.101
diff -u -p -r1.101 ssh_config.5
--- ssh_config.5 8 Jun 2007 07:43:46 -0000 1.101
+++ ssh_config.5 8 Jun 2007 12:56:06 -0000
@@ -197,6 +197,8 @@ The supported ciphers are
.Dq aes256-ctr ,
.Dq arcfour128 ,
.Dq arcfour256 ,
+.Dq arcfour512 ,
+.Dq arcfour1024 ,
.Dq arcfour ,
.Dq blowfish-cbc ,
and
@@ -204,7 +206,7 @@ and
The default is:
.Bd -literal -offset 3n
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
-arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
+arcfour256,arcfour512,arcfour1024,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
aes192-ctr,aes256-ctr
.Ed
.It Cm ClearAllForwardings
Index: sshd_config.5
================================================== =================
RCS file: /cvs/src/usr.bin/ssh/sshd_config.5,v
retrieving revision 1.77
diff -u -p -r1.77 sshd_config.5
--- sshd_config.5 8 Jun 2007 07:48:09 -0000 1.77
+++ sshd_config.5 8 Jun 2007 12:56:06 -0000
@@ -185,6 +185,8 @@ The supported ciphers are
.Dq aes256-ctr ,
.Dq arcfour128 ,
.Dq arcfour256 ,
+.Dq arcfour512 ,
+.Dq arcfour1024 ,
.Dq arcfour ,
.Dq blowfish-cbc ,
and
@@ -192,7 +194,7 @@ and
The default is:
.Bd -literal -offset 3n
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
-arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
+arcfour256,arcfour512,arcfour1024,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
aes192-ctr,aes256-ctr
.Ed
.It Cm ClientAliveCountMax