From: Allan Jude
Date: Sat, 18 Oct 2014 00:10:28 -0400
To: freebsd-current@freebsd.org
Subject: Re: ssh None cipher
Message-ID: <5441E834.2000906@freebsd.org>

On 2014-10-17 22:43, Benjamin Kaduk wrote:
> On Fri, 17 Oct 2014, Ben Woods wrote:
>
>> Whilst trying to replicate data from my FreeNAS to my FreeBSD home theater
>> PC on my local LAN, I came across this bug preventing use of the None
>> cipher:
>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=163127
>>
>> I think I could enable the None cipher by recompiling base with a flag in
>> /etc/src.conf.
>
> I agree.
>
>> Is there any harm in enabling this by default, but having the None cipher
>> remain disabled in /etc/ssh/sshd_config? That way people wouldn't have it
>> on by default, but wouldn't have to recompile to enable it.
>
> I do not see any immediate and concrete harm that doing so would cause,
> yet that is insufficient for me to think that doing so would be a good
> idea.
>
> -Ben

I've been using openssh-portable from ports with the none cipher patch
to get around this.

IIRC, upstream openssh refuses to merge the none cipher patches
"because you shouldn't do that".

But I'd vote for having it compiled in and just disabled by default. It
will refuse to let you have a shell without encryption, and prints a big
fat hairy warning when encryption is disabled.

--
Allan Jude