The cipher 'none' in OpenSSH

Dug Song dugsong at monkey.org
Sat Jan 15 18:08:26 EST 2000


On Fri, 14 Jan 2000, Phil Karn wrote:

> Wasn't there some weakness in the SSH protocol if the null cipher were
> supported in the endpoints even if the user doesn't choose it? It may
> have been a vulnerability to a man-in-the-middle attack, I'm not sure.

Yes - Markus Friedl (OpenSSH developer) reported this to BUGTRAQ in early
OpenSSH development. Doesn't affect OpenSSH (or the OpenBSD third-party
/usr/ports/security/ssh port either)...

-d.

---
http://www.monkey.org/~dugsong/






More information about the openssh-unix-dev mailing list