Re: ssh None cipher

From: Allan Jude <allanjude_at_freebsd.org>
Date: Mon, 20 Oct 2014 18:23:19 -0400
On 2014-10-20 14:33, Brooks Davis wrote:
> On Sat, Oct 18, 2014 at 12:10:28AM -0400, Allan Jude wrote:
>> On 2014-10-17 22:43, Benjamin Kaduk wrote:
>>> On Fri, 17 Oct 2014, Ben Woods wrote:
>>>
>>>> Whilst trying to replicate data from my FreeNAS to my FreeBSD home theater
>>>> PC on my local LAN, I came across this bug preventing use of the None
>>>> cipher:
>>>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=163127
>>>>
>>>> I think I could enable the None cipher by recompiling base with a flag in
>>>> /etc/src.conf.
>>>
>>> I agree.
>>>
>>>> Is there any harm in enabling this by default, but having the None cipher
>>>> remain disabled in /etc/ssh/sshd_config? That way people wouldn't have it
>>>> on my default, but wouldn't have to recompile to enable it.
>>>
>>> I do not see any immediate and concrete harm that doing so would cause,
>>> yet that is insufficient for me to think that doing so would be a good
>>> idea.
>>
>> I've been using openssh-portable from ports with the none cipher patch
>> to get around this.
>>
>> IIRC, upstream openssh refuses to merge the none cipher patches "because
>> you shouldn't do that". But I'd vote for having it compiled in and just
>> disabled by default.
>>
>> It will refuse to let you have a shell without encryption, and prints a
>> big fat hairy warning when encryption is disabled.
> 
> When Bjoern and I did the merge of the HPN patches we left None disable
> by default out of a desire to be conservative with a change we knew some
> people didn't like.  I think turning it on by default would be fine given
> the seatbelts in place to prevent accidental inappropriate use.
> 
> -- Brooks
> 

+1 to this.

-- 
Allan Jude


Received on Mon Oct 20 2014 - 20:23:20 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:40:53 UTC