ssh None cipher

Allan Jude allanjude at
Mon Oct 20 22:23:20 UTC 2014

On 2014-10-20 14:33, Brooks Davis wrote:
> On Sat, Oct 18, 2014 at 12:10:28AM -0400, Allan Jude wrote:
>> On 2014-10-17 22:43, Benjamin Kaduk wrote:
>>> On Fri, 17 Oct 2014, Ben Woods wrote:
>>>> Whilst trying to replicate data from my FreeNAS to my FreeBSD home theater
>>>> PC on my local LAN, I came across this bug preventing use of the None
>>>> cipher:
>>>> I think I could enable the None cipher by recompiling base with a flag in
>>>> /etc/src.conf.
>>> I agree.
>>>> Is there any harm in enabling this by default, but having the None cipher
>>>> remain disabled in /etc/ssh/sshd_config? That way people wouldn't have it
>>>> on by default, but wouldn't have to recompile to enable it.
>>> I do not see any immediate and concrete harm that doing so would cause,
>>> yet that is insufficient for me to think that doing so would be a good
>>> idea.
>> I've been using openssh-portable from ports with the none cipher patch
>> to get around this.
>> IIRC, upstream openssh refuses to merge the none cipher patches "because
>> you shouldn't do that". But I'd vote for having it compiled in and just
>> disabled by default.
>> It will refuse to let you have a shell without encryption, and prints a
>> big fat hairy warning when encryption is disabled.
> When Bjoern and I did the merge of the HPN patches we left None disabled
> by default out of a desire to be conservative with a change we knew some
> people didn't like.  I think turning it on by default would be fine given
> the seatbelts in place to prevent accidental inappropriate use.
> -- Brooks

+1 to this.

Allan Jude

