From: Daniel Kalchev <daniel@digsys.bg>
Subject: Re: OpenSSH HPN
Date: Wed, 11 Nov 2015 17:49:52 +0200
To: Jason Birch
Cc: John-Mark Gurney, Ben Woods, Bryan Drewery, Dag-Erling Smørgrav, freebsd-current@freebsd.org, freebsd-security@freebsd.org
Message-Id: <546376BD-A2E7-4B73-904E-4F33DD82401E@digsys.bg>
References: <86io5a9ome.fsf@desk.des.no> <20151110175216.GN65715@funkthat.com> <56428C84.8050600@FreeBSD.org> <20151111075930.GR65715@funkthat.com>
List-Id: Discussions about the use of FreeBSD-current <freebsd-current@freebsd.org>

It is my understanding that using the NONE cipher is not identical to using “the old tools” (rsh/rlogin/rcp). When ssh uses the NONE cipher, credentials and authorization are still encrypted and verified. Only the actual data payload is not encrypted. Perhaps a similar level of security could be achieved by “the old tools” if they were by default compiled with Kerberos. Although, this still requires building additional infrastructure.

I must have missed the explanation. But why is having a NONE cipher compiled in, but disabled in the configuration, a bad idea?

Daniel

> On 11.11.2015, at 10:55, Jason Birch wrote:
>
> On Wed, Nov 11, 2015 at 6:59 PM, John-Mark Gurney wrote:
>> If you have a trusted network, why not just use nc?
>
> Perhaps more generally relevant is that ssh/scp are *waves hands* vaguely
> analogous to secure versions of rsh/rlogin/rcp. I'd think that most cases
> of "I wanted to send files and invoke some commands on a remote machine,
> and due to $CIRCUMSTANCE I don't need or desire encryption" are covered
> by the older, also standard tools. Additionally, rsync can use rsh as its
> transport, for users who desire more advanced behaviour. ssh just seems
> to have more support; installation will ask you if you'd like to run sshd
> (not rshd), ssh is rather ubiquitous as a way of "doing a thing remotely"
> (even in Windows soon!), etc. This is a good default to have; the
> overhead of security is tiny in nearly all cases.
>
> It would seem then that the extra complexity of maintenance development
> in supporting NONE in base doesn't really grant us any additional
> functionality in most cases. It's just more 'obvious'.
> _______________________________________________
> freebsd-current@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"
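The state Daniel describes, NONE compiled in but switched off in the configuration, is something an operator can verify rather than assume. The audit below is an added example, not code from this thread, from FreeBSD or from the HPN-SSH patch set. It assumes the HPN-SSH keyword names NoneEnabled (server and client) and NoneSwitch (client), applies OpenSSH's usual parsing rules (keywords are case-insensitive, the first occurrence of a keyword in the global section wins, comment lines start with #), and conservatively flags any NONE keyword under a Match block, since whether the HPN patch honours those keywords inside Match is not something this thread establishes. The two sample configs are constructed for illustration.

```python
"""Audit an sshd_config / ssh_config for the HPN-SSH NONE cipher switch.

Added example (not from the mailing-list thread or from HPN-SSH itself).
Assumptions: HPN keyword names NoneEnabled and NoneSwitch; OpenSSH
first-occurrence-wins semantics for global keywords; anything under a
Match block is reported as a conditional enable for manual review.
"""
import re
from dataclasses import dataclass, field

# HPN-SSH keywords that can turn the NONE cipher on (assumed names).
NONE_KEYWORDS = ("noneenabled", "noneswitch")


@dataclass
class NoneAudit:
    none_enabled: bool = False      # effective global "NoneEnabled yes"
    none_switch: bool = False       # effective global "NoneSwitch yes" (client side)
    none_in_ciphers: bool = False   # "none" listed in the Ciphers keyword
    # (match-condition, keyword) pairs seen under Match blocks, for manual review
    conditional: list = field(default_factory=list)


def _split(line):
    """Split 'Keyword value' or 'Keyword=value'; returns (None, None) for comments/blank."""
    line = line.split("#", 1)[0].strip()          # drop comments and surrounding whitespace
    if not line:
        return None, None
    m = re.match(r"([A-Za-z]+)\s*[=\s]\s*(.*)", line)
    if not m:
        return None, None
    return m.group(1).lower(), m.group(2).strip()  # keywords are case-insensitive


def audit_sshd_config(text):
    """Return a NoneAudit describing whether the config can enable the NONE cipher."""
    result = NoneAudit()
    seen = set()        # global keywords already set: later duplicates are ignored
    match_cond = None   # current Match condition, None while in the global section
    for raw in text.splitlines():
        key, value = _split(raw)
        if key is None:
            continue
        if key == "match":
            match_cond = value
            continue
        if match_cond is not None:
            # Conservative: a NONE enable under Match is reported, not treated as global.
            if key in NONE_KEYWORDS and value.lower() == "yes":
                result.conditional.append((match_cond, key))
            continue
        if key in seen:
            continue    # first occurrence wins
        seen.add(key)
        if key == "noneenabled":
            result.none_enabled = value.lower() == "yes"
        elif key == "noneswitch":
            result.none_switch = value.lower() == "yes"
        elif key == "ciphers":
            ciphers = [c.strip().lower() for c in value.split(",")]
            result.none_in_ciphers = "none" in ciphers
    return result


def none_is_off(audit):
    """True only when nothing in the config can turn the NONE cipher on."""
    return not (audit.none_enabled or audit.none_switch
                or audit.none_in_ciphers or audit.conditional)


# Constructed sample configs (not taken from any real host).
SAFE_CONFIG = """\
# HPN-SSH patches present, NONE cipher left disabled
Port 22
#NoneEnabled yes
NoneEnabled no
Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
"""

RISKY_CONFIG = """\
NoneEnabled no
NoneEnabled yes   # ignored by sshd: the first occurrence above wins
Match Address 10.0.0.0/8
    NoneEnabled yes
"""

if __name__ == "__main__":
    for name, cfg in (("safe", SAFE_CONFIG), ("risky", RISKY_CONFIG)):
        a = audit_sshd_config(cfg)
        print(f"{name}: NONE off = {none_is_off(a)}  {a}")
```

Run it against /etc/ssh/sshd_config (and, for the client-side NoneSwitch, against ssh_config) on a host built with the HPN patches; a result of none_is_off(...) == True is the "compiled in but disabled" state the message refers to, while any entry in conditional means the NONE cipher could be negotiated for some peers and deserves a look by hand.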