Date: Sat, 18 Oct 2014 12:54:32 +0200
From: Mark Martinec <Mark.Martinec+freebsd@ijs.si>
To: freebsd-current@freebsd.org
Subject: Re: ssh None cipher
Message-ID: <544246E8.1090001@ijs.si>
In-Reply-To: <5441E834.2000906@freebsd.org>
References: <CAOc73CCvQqwg65tt9vs54CoU1HGvV7ZxLWeQwXiSOm8UjtV50w@mail.gmail.com> <alpine.GSO.1.10.1410172242240.27826@multics.mit.edu> <5441E834.2000906@freebsd.org>

If the purpose of having a none cipher is to have a fast file transfer,
then one should be using sysutils/bbcp for that purpose.
Uses ssh for authentication, and opens unencrypted channel(s)
for the actual data transfer. It's also very fast, can use
multiple TCP streams.

Mark

On 10/18/14 06:10, Allan Jude wrote:
> On 2014-10-17 22:43, Benjamin Kaduk wrote:
>> On Fri, 17 Oct 2014, Ben Woods wrote:
>>
>>> Whilst trying to replicate data from my FreeNAS to my FreeBSD home theater
>>> PC on my local LAN, I came across this bug preventing use of the None
>>> cipher:
>>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=163127
>>>
>>> I think I could enable the None cipher by recompiling base with a flag in
>>> /etc/src.conf.
>>
>> I agree.
>>
>>> Is there any harm in enabling this by default, but having the None cipher
>>> remain disabled in /etc/ssh/sshd_config? That way people wouldn't have it
>>> on by default, but wouldn't have to recompile to enable it.
>>
>> I do not see any immediate and concrete harm that doing so would cause,
>> yet that is insufficient for me to think that doing so would be a good
>> idea.
>>
>> -Ben
>
> I've been using openssh-portable from ports with the none cipher patch
> to get around this.
>
> IIRC, upstream openssh refuses to merge the none cipher patches "because
> you shouldn't do that". But I'd vote for having it compiled in and just
> disabled by default.
>
> It will refuse to let you have a shell without encryption, and prints a
> big fat hairy warning when encryption is disabled.
>