From: Benjamin Kaduk
To: Ben Woods
Cc: freebsd-current@freebsd.org
Date: Fri, 17 Oct 2014 22:43:39 -0400 (EDT)
Subject: Re: ssh None cipher

On Fri, 17 Oct 2014, Ben Woods wrote:

> Whilst trying to replicate data from my FreeNAS to my FreeBSD home theater
> PC on my local LAN, I came across this bug preventing use of the None
> cipher:
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=163127
>
> I think I could enable the None cipher by recompiling base with a flag in
> /etc/src.conf.

I agree.

> Is there any harm in enabling this by default, but having the None cipher
> remain disabled in /etc/ssh/sshd_config? That way people wouldn't have it
> on by default, but wouldn't have to recompile to enable it.

I do not see any immediate and concrete harm that doing so would cause,
yet that is insufficient for me to think that doing so would be a good
idea.

-Ben