From: Mark Martinec
Organization: J. Stefan Institute
Date: Sat, 18 Oct 2014 12:54:32 +0200
To: freebsd-current@freebsd.org
Subject: Re: ssh None cipher
Message-ID: <544246E8.1090001@ijs.si>
In-Reply-To: <5441E834.2000906@freebsd.org>

If the purpose of having a none cipher is to have a fast file transfer,
then one should be using sysutils/bbcp for that purpose. It uses ssh for
authentication, and opens unencrypted channel(s) for the actual data
transfer. It's also very fast, and can use multiple TCP streams.

  Mark

On 10/18/14 06:10, Allan Jude wrote:
> On 2014-10-17 22:43, Benjamin Kaduk wrote:
>> On Fri, 17 Oct 2014, Ben Woods wrote:
>>
>>> Whilst trying to replicate data from my FreeNAS to my FreeBSD home theater
>>> PC on my local LAN, I came across this bug preventing use of the None
>>> cipher:
>>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=163127
>>>
>>> I think I could enable the None cipher by recompiling base with a flag in
>>> /etc/src.conf.
>>
>> I agree.
>>
>>> Is there any harm in enabling this by default, but having the None cipher
>>> remain disabled in /etc/ssh/sshd_config? That way people wouldn't have it
>>> on by default, but wouldn't have to recompile to enable it.
>>
>> I do not see any immediate and concrete harm that doing so would cause,
>> yet that is insufficient for me to think that doing so would be a good
>> idea.
>>
>> -Ben
>> _______________________________________________
>> freebsd-current@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-current
>> To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"
>>
>
> I've been using openssh-portable from ports with the none cipher patch
> to get around this.
>
> IIRC, upstream openssh refuses to merge the none cipher patches "because
> you shouldn't do that". But I'd vote for having it compiled in and just
> disabled by default.
>
> It will refuse to let you have a shell without encryption, and prints a
> big fat hairy warning when encryption is disabled.
>
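The thread's proposal is to keep the none cipher compiled in but left out of the Ciphers list in /etc/ssh/sshd_config. The following POSIX sh audit, added here as an example and not code from the thread, from FreeBSD or from OpenSSH, resolves the effective global Ciphers directive the way sshd reads its file (comments stripped, keywords case-insensitive, "Key value" and "Key=value" both accepted, first occurrence wins, nothing after the first Match line counts as global) and reports whether `none` is in it. The sample configuration it writes to a temporary file is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or OpenSSH): audit an sshd_config for
# the "none" cipher in its global section.

# Print the effective global Ciphers list. Prints nothing when the directive
# is absent, which means sshd's compiled-in default set; a stock OpenSSH
# default list never contains "none".
sshd_effective_ciphers() {
    awk '
        { sub(/#.*/, ""); gsub(/=/, " ") }          # strip comments, normalise "Key=value"
        NF == 0 { next }                             # skip blank lines
        tolower($1) == "match" { exit }              # stop at the first Match block
        tolower($1) == "ciphers" { print $2; exit }  # first occurrence wins
    ' "$1"
}

# Exit 0 (true) when "none" is in the effective global cipher list, 1 otherwise.
sshd_none_cipher_enabled() {
    list=$(sshd_effective_ciphers "$1")
    case ",$list," in
        *,none,*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Stand-alone demo on a constructed config; point it at /etc/ssh/sshd_config
# on a real host instead.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
# constructed sample, not a real host's configuration
Port 22
Ciphers=aes128-ctr,none,aes256-gcm@openssh.com   # first Ciphers line wins
Ciphers chacha20-poly1305@openssh.com             # ignored by sshd
EOF
printf 'effective global Ciphers: %s\n' "$(sshd_effective_ciphers "$demo_cfg")"
if sshd_none_cipher_enabled "$demo_cfg"; then
    echo "WARNING: none cipher is offered in the global section"
else
    echo "OK: none cipher not offered globally"
fi
rm -f "$demo_cfg"
```

The script only resolves the global section; a Match block can set a different Ciphers list for particular users or sources, so on a live host confirm the per-connection result with `sshd -T -C user=...,host=...,addr=...`, which prints the values sshd would actually apply after Match processing.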