[Bug 877] ssh 3.8.1p1 client cannot disable encryption with "-c none"
bugzilla-daemon at mindrot.org
Mon Jun 7 06:12:41 EST 2004
http://bugzilla.mindrot.org/show_bug.cgi?id=877
------- Additional Comments From mohit_aron at hotmail.com 2004-06-07 06:12 -------
Here is a posting made by Richard Silverman on comp.security.ssh that makes
several good points in support of this bug:
BU> ??? What is the point of using ssh or scp without a cypher? Just
BU> use ftp, or rcp or whatever. It is NOT secure.

This point of view is much too simplistic; a connection is not just
"secure" or "not secure" as if flipping a light switch. An SSH-2
connection using a null encryption cipher still has:

- server authentication and man-in-the-middle attack protection
  (i.e. you know who you're talking to)
- cryptographically assured integrity protection (i.e. you know the data
  is passed unchanged from one end to the other)
- strong client authentication (assuming obvious mistakes aren't made,
  such as using password authentication over an unencrypted connection --
  most implementations disallow this)

So, if you don't care about privacy, but do care about these other
properties, then using SSH with a null encryption cipher makes perfect
sense. Similar motivations are behind the existence of AH mode in IPSec
as well as ESP. In particular, it makes *no* sense to compare unencrypted
SSH with "FTP, or rcp, or whatever;" these are entirely different.
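
The integrity property described in the quoted post, as an added example that is not part of the original comment or of OpenSSH: one SSH-2 binary packet (RFC 4253 framing) sent with cipher "none" and hmac-sha2-256, where the payload is readable on the wire but any modification or re-sequencing fails the MAC check. The function names and the fixed MAC key are assumptions for illustration; a real session derives the key from the key exchange.

```python
import hashlib
import hmac
import os
import struct

BLOCK = 8      # RFC 4253: with cipher "none", packets are padded to 8 bytes
MAC_LEN = 32   # hmac-sha2-256 tag length


def _mac(mac_key: bytes, seq: int, packet: bytes) -> bytes:
    # MAC covers the implicit 32-bit sequence number plus the whole packet.
    data = struct.pack(">I", seq & 0xFFFFFFFF) + packet
    return hmac.new(mac_key, data, hashlib.sha256).digest()


def seal_packet(mac_key: bytes, seq: int, payload: bytes) -> bytes:
    """Frame payload as packet_length | padding_length | payload | padding | mac."""
    pad = BLOCK - (5 + len(payload)) % BLOCK
    if pad < 4:                      # at least 4 bytes of padding are required
        pad += BLOCK
    header = struct.pack(">IB", 1 + len(payload) + pad, pad)
    packet = header + payload + os.urandom(pad)   # no encryption step
    return packet + _mac(mac_key, seq, packet)


def open_packet(mac_key: bytes, seq: int, wire: bytes) -> bytes:
    """Verify the MAC for the expected sequence number, then return the payload."""
    if len(wire) < 5 + 4 + MAC_LEN:
        raise ValueError("short packet")
    packet, tag = wire[:-MAC_LEN], wire[-MAC_LEN:]
    if not hmac.compare_digest(tag, _mac(mac_key, seq, packet)):
        raise ValueError("MAC mismatch: packet modified or out of sequence")
    length, pad = struct.unpack(">IB", packet[:5])
    if length != len(packet) - 4 or pad < 4 or pad > length - 1:
        raise ValueError("bad framing")
    return packet[5:len(packet) - pad]


if __name__ == "__main__":
    key = bytes(range(32))                      # constructed key, not a real session key
    wire = seal_packet(key, 0, b"cat /etc/motd")
    print("payload visible on the wire:", wire[5:18])
    print("receiver accepts:", open_packet(key, 0, wire))
    forged = wire[:5] + b"cat /etc/hack" + wire[18:]
    try:
        open_packet(key, 0, forged)
    except ValueError as err:
        print("receiver rejects:", err)
```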