ssh None cipher

Brooks Davis brooks at freebsd.org
Mon Oct 20 18:33:41 UTC 2014


On Sat, Oct 18, 2014 at 12:10:28AM -0400, Allan Jude wrote:
> On 2014-10-17 22:43, Benjamin Kaduk wrote:
> > On Fri, 17 Oct 2014, Ben Woods wrote:
> > 
> >> Whilst trying to replicate data from my FreeNAS to my FreeBSD home theater
> >> PC on my local LAN, I came across this bug preventing use of the None
> >> cipher:
> >> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=163127
> >>
> >> I think I could enable the None cipher by recompiling base with a flag in
> >> /etc/src.conf.
> > 
> > I agree.
> > 
> >> Is there any harm in enabling this by default, but having the None cipher
> >> remain disabled in /etc/ssh/sshd_config? That way people wouldn't have it
> >> on my default, but wouldn't have to recompile to enable it.
> > 
> > I do not see any immediate and concrete harm that doing so would cause,
> > yet that is insufficient for me to think that doing so would be a good
> > idea.
> 
> I've been using openssh-portable from ports with the none cipher patch
> to get around this.
> 
> IIRC, upstream openssh refuses to merge the none cipher patches "because
> you shouldn't do that". But I'd vote for having it compiled in and just
> disabled by default.
> 
> It will refuse to let you have a shell without encryption, and prints a
> big fat hairy warning when encryption is disabled.

When Bjoern and I did the merge of the HPN patches we left None disable
by default out of a desire to be conservative with a change we knew some
people didn't like.  I think turning it on by default would be fine given
the seatbelts in place to prevent accidental inappropriate use.

-- Brooks
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 181 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-current/attachments/20141020/f15c612b/attachment.sig>


More information about the freebsd-current mailing list