On 2014-10-20 14:33, Brooks Davis wrote:
> On Sat, Oct 18, 2014 at 12:10:28AM -0400, Allan Jude wrote:
>> On 2014-10-17 22:43, Benjamin Kaduk wrote:
>>> On Fri, 17 Oct 2014, Ben Woods wrote:
>>>
>>>> Whilst trying to replicate data from my FreeNAS to my FreeBSD home theater
>>>> PC on my local LAN, I came across this bug preventing use of the None
>>>> cipher:
>>>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=163127
>>>>
>>>> I think I could enable the None cipher by recompiling base with a flag in
>>>> /etc/src.conf.
>>>
>>> I agree.
>>>
>>>> Is there any harm in enabling this by default, but having the None cipher
>>>> remain disabled in /etc/ssh/sshd_config? That way people wouldn't have it
>>>> on by default, but wouldn't have to recompile to enable it.
>>>
>>> I do not see any immediate and concrete harm that doing so would cause,
>>> yet that is insufficient for me to think that doing so would be a good
>>> idea.
>>
>> I've been using openssh-portable from ports with the none cipher patch
>> to get around this.
>>
>> IIRC, upstream openssh refuses to merge the none cipher patches "because
>> you shouldn't do that". But I'd vote for having it compiled in and just
>> disabled by default.
>>
>> It will refuse to let you have a shell without encryption, and prints a
>> big fat hairy warning when encryption is disabled.
>
> When Bjoern and I did the merge of the HPN patches we left None disabled
> by default out of a desire to be conservative with a change we knew some
> people didn't like. I think turning it on by default would be fine given
> the seatbelts in place to prevent accidental inappropriate use.
>
> -- Brooks
>

+1 to this.

-- Allan Jude
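The thread's proposal is "compiled in, but disabled in /etc/ssh/sshd_config", which makes the sshd_config file the place an operator has to audit. The following POSIX sh function is an added example, not code from the thread or from the FreeBSD/HPN patch set: it scans an sshd_config for the None cipher being switched on. It assumes the HPN-style keyword `NoneEnabled yes` (the thread does not name the keyword; treat it as an assumption about the HPN patches) and also checks whether `none` appears in a `Ciphers` list, since that is the other way a config could offer an unencrypted transport. The sample configs written by the demo at the bottom are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread). Audits one sshd_config file for the
# None cipher being enabled. Returns 0 when it is not enabled, 1 when it is.
#
# Assumptions (labelled, not taken from the thread):
#   - the HPN patch set enables the None cipher with "NoneEnabled yes"
#   - a "Ciphers" list containing "none" would likewise offer it
audit_sshd_none() {
    cfg="$1"
    rc=0

    # Drop comments ("# NoneEnabled yes" must not count) and look for the
    # HPN keyword; grep -i because sshd keywords are case-insensitive.
    if sed 's/#.*//' "$cfg" |
        grep -Eiq '^[[:space:]]*NoneEnabled[[:space:]]+yes[[:space:]]*$'; then
        echo "WARN: $cfg enables the None cipher (NoneEnabled yes)"
        rc=1
    fi

    # Split every Ciphers line on commas/whitespace and look for a bare
    # "none" entry; -x so "none" does not match part of another cipher name.
    if sed 's/#.*//' "$cfg" |
        grep -Ei '^[[:space:]]*Ciphers[[:space:]]' |
        tr 'A-Z' 'a-z' | tr ', ' '\n\n' |
        grep -qx 'none'; then
        echo "WARN: $cfg lists 'none' in Ciphers"
        rc=1
    fi

    return $rc
}

# Demo on constructed sample configs (only a comment mentions NoneEnabled in
# the first one, so it must pass; the other two must be flagged).
demo_none_audit() {
    d=$(mktemp -d)
    printf 'Port 22\n# NoneEnabled yes\nCiphers aes128-ctr,aes256-ctr\n' > "$d/clean"
    printf 'Port 22\nnoneenabled yes\n' > "$d/hpn"
    printf 'Ciphers aes128-ctr, none\n' > "$d/list"
    for f in clean hpn list; do
        if audit_sshd_none "$d/$f"; then
            echo "$f: ok (None cipher not enabled)"
        else
            echo "$f: flagged"
        fi
    done
    rm -rf "$d"
}

demo_none_audit
```

Run it against a real file with `audit_sshd_none /etc/ssh/sshd_config`; a non-zero exit is the signal a config-management check or nightly cron job can act on. Comment stripping is deliberate so that the commented-out default line a packaged sshd_config may ship does not produce a false positive.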
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:40:53 UTC