Date:      Sat, 18 Oct 2014 12:54:32 +0200
From:      Mark Martinec <Mark.Martinec+freebsd@ijs.si>
To:        freebsd-current@freebsd.org
Subject:   Re: ssh None cipher
Message-ID:  <544246E8.1090001@ijs.si>
In-Reply-To: <5441E834.2000906@freebsd.org>
References:  <CAOc73CCvQqwg65tt9vs54CoU1HGvV7ZxLWeQwXiSOm8UjtV50w@mail.gmail.com> <alpine.GSO.1.10.1410172242240.27826@multics.mit.edu> <5441E834.2000906@freebsd.org>

If the purpose of having a none cipher is to have a fast
file transfer, then one should be using sysutils/bbcp
for that purpose. Uses ssh for authentication, and
opens unencrypted channel(s) for the actual data transfer.
It's also very fast, can use multiple TCP streams.

   Mark


On 10/18/14 06:10, Allan Jude wrote:
> On 2014-10-17 22:43, Benjamin Kaduk wrote:
>> On Fri, 17 Oct 2014, Ben Woods wrote:
>>
>>> Whilst trying to replicate data from my FreeNAS to my FreeBSD home theater
>>> PC on my local LAN, I came across this bug preventing use of the None
>>> cipher:
>>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=163127
>>>
>>> I think I could enable the None cipher by recompiling base with a flag in
>>> /etc/src.conf.
>>
>> I agree.
>>
>>> Is there any harm in enabling this by default, but having the None cipher
>>> remain disabled in /etc/ssh/sshd_config? That way people wouldn't have it
>>> on by default, but wouldn't have to recompile to enable it.
>>
>> I do not see any immediate and concrete harm that doing so would cause,
>> yet that is insufficient for me to think that doing so would be a good
>> idea.
>>
>> -Ben
>
> I've been using openssh-portable from ports with the none cipher patch
> to get around this.
>
> IIRC, upstream openssh refuses to merge the none cipher patches "because
> you shouldn't do that". But I'd vote for having it compiled in and just
> disabled by default.
>
> It will refuse to let you have a shell without encryption, and prints a
> big fat hairy warning when encryption is disabled.
>



