From: Allan Jude
To: freebsd-current@freebsd.org
Date: Mon, 20 Oct 2014 18:23:19 -0400
Subject: Re: ssh None cipher
Message-ID: <54458B57.60106@freebsd.org>
References: <5441E834.2000906@freebsd.org> <20141020183340.GC94319@spindle.one-eyed-alien.net>
In-Reply-To: <20141020183340.GC94319@spindle.one-eyed-alien.net>

On 2014-10-20 14:33, Brooks Davis wrote:
> On Sat, Oct 18, 2014 at 12:10:28AM -0400, Allan Jude wrote:
>> On 2014-10-17 22:43, Benjamin Kaduk wrote:
>>> On Fri, 17 Oct 2014, Ben Woods wrote:
>>>
>>>> Whilst trying to replicate data from my FreeNAS to my FreeBSD home theater
>>>> PC on my local LAN, I came across this bug preventing use of the None
>>>> cipher:
>>>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=163127
>>>>
>>>> I think I could enable the None cipher by recompiling base with a flag in
>>>> /etc/src.conf.
>>>
>>> I agree.
>>>
>>>> Is there any harm in enabling this by default, but having the None cipher
>>>> remain disabled in /etc/ssh/sshd_config? That way people wouldn't have it
>>>> on by default, but wouldn't have to recompile to enable it.
>>>
>>> I do not see any immediate and concrete harm that doing so would cause,
>>> yet that is insufficient for me to think that doing so would be a good
>>> idea.
>>
>> I've been using openssh-portable from ports with the none cipher patch
>> to get around this.
>>
>> IIRC, upstream openssh refuses to merge the none cipher patches "because
>> you shouldn't do that". But I'd vote for having it compiled in and just
>> disabled by default.
>>
>> It will refuse to let you have a shell without encryption, and prints a
>> big fat hairy warning when encryption is disabled.
>
> When Bjoern and I did the merge of the HPN patches we left None disabled
> by default out of a desire to be conservative with a change we knew some
> people didn't like. I think turning it on by default would be fine given
> the seatbelts in place to prevent accidental inappropriate use.
>
> -- Brooks
>

+1 to this.

-- 
Allan Jude
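The thread's position is that the None cipher can be compiled in as long as it stays off in /etc/ssh/sshd_config. The audit below is an added example, not code from the thread, from FreeBSD or from the HPN patch set: it reads an sshd_config and reports every directive that would switch the None cipher on, so an administrator can confirm the conservative default is still in effect. It assumes the HPN `NoneEnabled` keyword the patches add (check your own sshd_config(5) for the exact spelling on your release) and, going slightly beyond the thread, also treats a `Ciphers` list naming `none` as enabling it; both sample configs are constructed for illustration.

```python
"""Audit an sshd_config for the HPN 'None' cipher being switched on.

Added example; not code from the mailing-list thread or from FreeBSD.
Assumed: the HPN patch set's 'NoneEnabled' sshd_config keyword, and that
a 'Ciphers' list naming 'none' would likewise enable it.  The sample
configs below are constructed for illustration.
"""
import re
import sys

# Constructed sample: the conservative default the thread describes,
# None cipher compiled in but left off (the keyword is only in a comment).
DEFAULT_CONFIG = """\
#Port 22
#NoneEnabled no
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
Subsystem sftp /usr/libexec/sftp-server
"""

# Constructed sample: None enabled globally, in the cipher list, and again
# inside a Match block (all three places should be reported).
PERMISSIVE_CONFIG = """\
Port 22
NoneEnabled yes
Ciphers aes128-ctr,none
Match Address 192.168.1.0/24
    NoneEnabled yes
"""


def parse_sshd_config(text):
    """Yield (line_number, keyword, value) for every effective directive.

    Blank lines and '#' comments are skipped.  Both 'Keyword value' and the
    'Keyword=value' spelling are tolerated so the audit does not miss a
    directive written the ssh_config way.
    """
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        yield lineno, keyword, value


def none_cipher_findings(text):
    """Return one string per place where the None cipher is enabled.

    Reports 'NoneEnabled yes' (the assumed HPN switch) and any 'Ciphers'
    list that includes 'none'.  Directives inside Match blocks are reported
    too, rather than assuming only the global section matters.
    """
    findings = []
    for lineno, keyword, value in parse_sshd_config(text):
        key = keyword.lower()
        if key == "noneenabled" and value.lower() == "yes":
            findings.append(f"line {lineno}: NoneEnabled yes")
        elif key == "ciphers":
            ciphers = [c.strip().lower() for c in value.split(",")]
            if "none" in ciphers:
                findings.append(f"line {lineno}: 'none' listed in Ciphers")
    return findings


def none_cipher_enabled(text):
    """True if any directive in the config enables the None cipher."""
    return bool(none_cipher_findings(text))


if __name__ == "__main__":
    # Usage: python audit_none_cipher.py [/etc/ssh/sshd_config]
    # With no argument the two constructed samples are audited instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            configs = {sys.argv[1]: fh.read()}
    else:
        configs = {"DEFAULT_CONFIG": DEFAULT_CONFIG,
                   "PERMISSIVE_CONFIG": PERMISSIVE_CONFIG}
    for name, cfg in configs.items():
        hits = none_cipher_findings(cfg)
        print(f"{name}: {'None cipher ENABLED' if hits else 'None cipher off'}")
        for hit in hits:
            print("  " + hit)
```

Run it against the live file (`python audit_none_cipher.py /etc/ssh/sshd_config`) after a base rebuild or an openssh-portable upgrade; an empty findings list means the seatbelt the thread relies on is still fastened, while any hit names the line to revisit.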