From: Brooks Davis
To: Allan Jude
Cc: freebsd-current@freebsd.org
Date: Mon, 20 Oct 2014 18:33:40 +0000
Subject: Re: ssh None cipher
Message-ID: <20141020183340.GC94319@spindle.one-eyed-alien.net>
In-Reply-To: <5441E834.2000906@freebsd.org>

On Sat, Oct 18, 2014 at 12:10:28AM -0400, Allan Jude wrote:
> On 2014-10-17 22:43, Benjamin Kaduk wrote:
> > On Fri, 17 Oct 2014, Ben Woods wrote:
> >
> >> Whilst trying to replicate data from my FreeNAS to my FreeBSD home theater
> >> PC on my local LAN, I came across this bug preventing use of the None
> >> cipher:
> >> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=163127
> >>
> >> I think I could enable the None cipher by recompiling base with a flag in
> >> /etc/src.conf.
> >
> > I agree.
> >
> >> Is there any harm in enabling this by default, but having the None cipher
> >> remain disabled in /etc/ssh/sshd_config? That way people wouldn't have it
> >> on by default, but wouldn't have to recompile to enable it.
> >
> > I do not see any immediate and concrete harm that doing so would cause,
> > yet that is insufficient for me to think that doing so would be a good
> > idea.
>
> I've been using openssh-portable from ports with the none cipher patch
> to get around this.
>
> IIRC, upstream openssh refuses to merge the none cipher patches "because
> you shouldn't do that". But I'd vote for having it compiled in and just
> disabled by default.
>
> It will refuse to let you have a shell without encryption, and prints a
> big fat hairy warning when encryption is disabled.

When Bjoern and I did the merge of the HPN patches we left None disabled
by default out of a desire to be conservative with a change we knew some
people didn't like. I think turning it on by default would be fine given
the seatbelts in place to prevent accidental inappropriate use.

-- Brooks