OpenSSH HPN

Daniel Kalchev daniel at digsys.bg
Wed Nov 11 16:18:56 UTC 2015


It is my understanding that using the NONE cypher is not identical to using “the old tools” (rsh/rlogin/rcp).

When ssh uses the NONE cypher, credentials and authorization are still encrypted and verified. Only the actual data payload is not encrypted.

Perhaps a similar level of security could be achieved by “the old tools” if they were by default compiled with Kerberos. Although, this still requires building additional infrastructure.

I must have missed the explanation. But why is having a NONE cypher compiled in, but disabled in the configuration, a bad idea?

Daniel


> On 11.11.2015, at 10:55, Jason Birch <jbirch at jbirch.net> wrote:
> 
> On Wed, Nov 11, 2015 at 6:59 PM, John-Mark Gurney <jmg at funkthat.com> wrote:
>> If you have a trusted network, why not just use nc?
> 
> Perhaps more generally relevant is that ssh/scp are *waves hands* vaguely
> analogous to secure versions of rsh/rlogin/rcp. I'd think that most cases
> of "I wanted to send files and invoke some commands on a remote machine,
> and due to $CIRCUMSTANCE I don't need or desire encryption" are covered
> by the older, also standard tools. Additionally, rsync can use rsh as its
> transport, for users who desire more advanced behaviour. ssh just seems
> to have more support; Installation will ask you if you'd like to run sshd
> (not rshd), ssh is rather ubiquitous as a way of "doing a thing remotely"
> (even in Windows soon!), etc. This is a good default to have; the
> overhead of security is tiny in nearly all cases.
> 
> It would seem then that the extra complexity of maintenance development
> in supporting NONE in base doesn't really grant us any additional
> functionality in most cases. It's just more 'obvious'.
> _______________________________________________
> freebsd-current at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscribe at freebsd.org"
