From owner-freebsd-security Wed Aug 22 14:10:49 2001
Delivered-To: freebsd-security@freebsd.org
Received: from earth.backplane.com (earth-nat-cw.backplane.com [208.161.114.67])
 by hub.freebsd.org (Postfix) with ESMTP id 4052237B40D
 for ; Wed, 22 Aug 2001 14:10:28 -0700 (PDT)
 (envelope-from dillon@earth.backplane.com)
Received: (from dillon@localhost)
 by earth.backplane.com (8.11.4/8.11.2) id f7MLAJU78729;
 Wed, 22 Aug 2001 14:10:19 -0700 (PDT)
 (envelope-from dillon)
Date: Wed, 22 Aug 2001 14:10:19 -0700 (PDT)
From: Matt Dillon
Message-Id: <200108222110.f7MLAJU78729@earth.backplane.com>
To: James Wyatt
Cc: Rob Simmons, Matt Piechota, Wes Peters, "Carroll, D. (Danny)", freebsd-security@FreeBSD.ORG
Subject: Re: Silly crackers... NT is for kids...
References:
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

:> On Tue, 21 Aug 2001, Matt Piechota wrote:
:> > No No, on the realtime machine controllers (QNX), or OCR nodes that need
:> > all the cpu cycles they can get. I'm talking about the [de|en]crypt on
:> > the remote side, not the PC side. Every bit of performance matters, and
:> > could be the difference between us and someone else getting a contract.
:>
:> There should be a way to configure sshd so that only the username/password
:> exchange is encrypted. The rest of the connection would be unencrypted.
:> You would get some of the benefits of ssh without a constant performance
:> hit.
:
:IMHO, that would be a "bad idea" as it would 1) be easier to insert forged
:command packets after browsing what was going on, 2) break changing your
:password because it could be sniffed at change time, 3) not save *that*
:much CPU for tactical shell sessions, and 4) confuse users who thought SSH
:..

There is the ability to specify '-c none' (no cipher) to ssh.
Our ssh does not compile the 'none' cipher in by default but you should
be able to build the distribution with that feature. I am not sure
whether it still encrypts passwords or key-exchange when -c none is
specified, but I do know it doesn't encrypt the data stream once the
connection is operational. Perhaps someone more knowledgeable in
regards to ssh can answer the question.

					-Matt