Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 18 Oct 2014 00:10:28 -0400
From:      Allan Jude <allanjude@freebsd.org>
To:        freebsd-current@freebsd.org
Subject:   Re: ssh None cipher
Message-ID:  <5441E834.2000906@freebsd.org>
In-Reply-To: <alpine.GSO.1.10.1410172242240.27826@multics.mit.edu>
References:  <CAOc73CCvQqwg65tt9vs54CoU1HGvV7ZxLWeQwXiSOm8UjtV50w@mail.gmail.com> <alpine.GSO.1.10.1410172242240.27826@multics.mit.edu>

next in thread | previous in thread | raw e-mail | index | archive | help
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--8orAXqGSb5FtwfURkCEjVSwKt5TWSr1Bo
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable

On 2014-10-17 22:43, Benjamin Kaduk wrote:
> On Fri, 17 Oct 2014, Ben Woods wrote:
>=20
>> Whilst trying to replicate data from my FreeNAS to my FreeBSD home the=
ater
>> PC on my local LAN, I came across this bug preventing use of the None
>> cipher:
>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D163127
>>
>> I think I could enable the None cipher by recompiling base with a flag=
 in
>> /etc/src.conf.
>=20
> I agree.
>=20
>> Is there any harm in enabling this by default, but having the None cip=
her
>> remain disabled in /etc/ssh/sshd_config? That way people wouldn't have=
 it
>> on my default, but wouldn't have to recompile to enable it.
>=20
> I do not see any immediate and concrete harm that doing so would cause,=

> yet that is insufficient for me to think that doing so would be a good
> idea.
>=20
> -Ben
> _______________________________________________
> freebsd-current@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.o=
rg"
>=20

I've been using openssh-portable from ports with the none cipher patch
to get around this.

IIRC, upstream openssh refuses to merge the none cipher patches "because
you shouldn't do that". But I'd vote for having it compiled in and just
disabled by default.

It will refuse to let you have a shell without encryption, and prints a
big fat hairy warning when encryption is disabled.

--=20
Allan Jude


--8orAXqGSb5FtwfURkCEjVSwKt5TWSr1Bo
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQIcBAEBAgAGBQJUQeg3AAoJEJrBFpNRJZKfiGcQAKoEo0vJ2YvTo6MX45A+L//y
s1jWcMQaESoZ8oxkKcAVI2yic1xFKrNSru4g0/m9awO4KuGjrnx/guy0DK+x7Ge3
B/HqAGIKZFuYbsPnxQhxLF8jpjxudbMPM/RO1Qr1KcqQuGwInR6OHjt+c8Yif6r1
0pLayFB69m6eCdUfGEBmdznl43jlhZWhABk4pj7rTq6zO/IhbiEX6vaAHwqIsRj2
3jFr2PL4roH49VvyKfNO7k3bNJO1mekaJ0YPtWJJigxJeBVzWfay2/sJr2urwnhk
MNbr8fQ5zqiN2oJaZYA1q8pkaUSCsrqhk5iBgLJRucYXTKo0L+3pEPTv7bN0ozZW
0hi/wry1JuYZrj3oEKWzHqfVytVwg7WIOcqVxMu/m0JaV9GHv0+fNxoBQ71LWhiH
Pb0VgBK06Xzx9zrhgtHRPG4QP5zxcaZXijiiDsNEcpgZYR2Hv2Sra7Yd0MUrj+eI
flyR9ycw8bCnKoG8cobHU2qDyfe7uKA4BFNlmobd5VkLcig5zHr0eXxEcBa/5uYM
blHA3bRKyNNXmDmK65prvItWhtPdrH+MTwPbe86AfYe2xyzi3kiRp08bjEYwCaXC
f/QAe63ugfblWJ+Czdx52hpN82BLK5ZFhf7r9hEcZ/mAGjesbx31YjWh4IaRj/nE
bXf1K0tMZAbUmbA3ebiA
=Dkz8
-----END PGP SIGNATURE-----

--8orAXqGSb5FtwfURkCEjVSwKt5TWSr1Bo--



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5441E834.2000906>