Re: ssh None cipher

From: Allan Jude <allanjude_at_freebsd.org>
Date: Sat, 18 Oct 2014 00:10:28 -0400
On 2014-10-17 22:43, Benjamin Kaduk wrote:
> On Fri, 17 Oct 2014, Ben Woods wrote:
> 
>> Whilst trying to replicate data from my FreeNAS to my FreeBSD home theater
>> PC on my local LAN, I came across this bug preventing use of the None
>> cipher:
>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=163127
>>
>> I think I could enable the None cipher by recompiling base with a flag in
>> /etc/src.conf.
> 
> I agree.
> 
>> Is there any harm in enabling this by default, but having the None cipher
>> remain disabled in /etc/ssh/sshd_config? That way people wouldn't have it
>> on my default, but wouldn't have to recompile to enable it.
> 
> I do not see any immediate and concrete harm that doing so would cause,
> yet that is insufficient for me to think that doing so would be a good
> idea.
> 
> -Ben
> _______________________________________________
> freebsd-current_at_freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscribe_at_freebsd.org"
> 

I've been using openssh-portable from ports with the none cipher patch
to get around this.

IIRC, upstream openssh refuses to merge the none cipher patches "because
you shouldn't do that". But I'd vote for having it compiled in and just
disabled by default.

It will refuse to let you have a shell without encryption, and prints a
big fat hairy warning when encryption is disabled.

-- 
Allan Jude


Received on Sat Oct 18 2014 - 02:10:23 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:40:53 UTC