[Bug 877] ssh 3.8.1p1 client cannot disable encryption with "-c none"

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Tue Jun 8 07:46:11 EST 2004


http://bugzilla.mindrot.org/show_bug.cgi?id=877





------- Additional Comments From mohit_aron at hotmail.com  2004-06-08 07:46 -------

> How can the user tell that the traffic is still IPsec protected?
> IPsec is per packet, and after flushing SAs the connection
> might be unprotected.  How can SSH tell?

(1) In some cases, e.g. transferring a large file available publicly, it is
    always ok to do the transfer in plaintext.

(2) If security beyond the VPN concentrators is of concern, the sysadmins
    can refrain from allowing the "none" cipher on sshd.

(3) Ultimately, the judgement should lie with the user. When he uses "-c none"
    he understands the associated security risks. Users should control the
    policy. A seasoned user can then effectively use it to his/her advantage.

(4) Naive users would be protected if the defaults are reasonable and
    the option to do "none" is arcane and possibly not listed in the manpage.
    (Even the cipher arcfour is not listed in the manpage for ssh).


I'll try getting the performance results you asked for later today.








