[Bug 877] ssh 3.8.1p1 client cannot disable encryption with "-c none"
bugzilla-daemon at mindrot.org
Mon Jun 7 05:56:01 EST 2004
http://bugzilla.mindrot.org/show_bug.cgi?id=877
------- Additional Comments From indy94538 at yahoo.com 2004-06-07 05:55 -------
My bug was marked a duplicate of this one - so I'm adding in my opinion.

First, this is a matter of separation of policy and mechanism. OpenSSH should
provide the mechanisms - in this case the "none" cipher - and the policy of
whether or not to use it should be left to the user. This much is standard
systems practice.

Mohit has already given one situation where encryption is undesirable - the
data is already being encrypted by the VPN. Over such a connection, Ben's
concerns related to leaking data with an unencrypted ssh channel don't apply.

What OpenSSH can do is to disable the "none" cipher in sshd by default. Let the
sysadmins explicitly add "none" as one of the acceptable ciphers in
/etc/ssh/sshd_config. That way the policy will be left to the administrators
with reasonable defaults. Another safeguard might be to throw a warning message
in the ssh client when the "none" cipher is being used. But I firmly believe
the mechanism still needs to be supported.

In the absence of the "none" cipher, companies are themselves hacking the
OpenSSH code to provide support for it. This is obviously undesirable as doing
so might cause other unexpected bugs to creep in.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.