From: Bryan Drewery
Date: Wed, 11 Nov 2015 08:35:47 -0800
Subject: Re: OpenSSH HPN
Cc: freebsd-current@freebsd.org, freebsd-security@freebsd.org
Message-ID: <56436E63.6040602@FreeBSD.org>
In-Reply-To: <546376BD-A2E7-4B73-904E-4F33DD82401E@digsys.bg>

On 11/11/2015 7:49 AM, Daniel Kalchev wrote:
> It is my understanding that using the NONE cypher is not identical to using “the old tools” (rsh/rlogin/rcp).
>
> When ssh uses the NONE cypher, credentials and authorization are still encrypted and verified. Only the actual data payload is not encrypted.
>
> Perhaps a similar level of security could be achieved by “the old tools” if they were by default compiled with Kerberos. Although, this still requires building additional infrastructure.
>
> I must have missed the explanation. But why is having a NONE cypher compiled in, but disabled in the configuration, a bad idea?

My reasoning for wanting SSH/SCP with NONE is precisely because of the ssh key support. It simplifies a lot to be able to use the same key over a VPN and not over the VPN to connect to the same system.

-- 
Regards,
Bryan Drewery