Warning message at password prompt

Edward Avis epa98 at doc.ic.ac.uk
Thu Feb 14 21:10:07 EST 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 14 Feb 2002, Damien Miller wrote:

>>I've patched my local OpenSSH (currently 2.9p2, but the same patch
>>applies to 3.0.2) to allow the cipher 'none' for both SSH1 and SSH2
>>connections.  With SSH1, there is already code to print a warning
>>that any password you enter will be sent in plain text.  However the
>>userauth_passwd() in sshconnect2.c does not have any such warning.

>I don't understand, OpenSSH always uses encryption.

I just wanted to ask if there is any way for userauth_passwd() to find
out what kind of encryption is being used.  Then if the encryption is
'none' it can print a warning or maybe disallow plain text passwords
entirely.

The standard OpenSSH release does not support 'none', only 3DES and
Blowfish (AFAIK), so there is no need for such a warning.  But I would
like to add the code for it to my local copy which I have patched to
enable unencrypted connections.  I understand that the OpenSSH
maintainers don't want to support this in the main release, but it is
useful to me and to some others.

If anyone could suggest ways to find out what from sshconnect2.c what
cipher is being used, that would be a real help.

- -- 
Ed Avis <epa98 at doc.ic.ac.uk>
Finger for PGP key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8a40BIMp73jhGogoRAsdVAJ4oCko1w/mGyISDiJFzLbckeEbzrwCfXMUa
KA65Bh4hao6KEX7llBB/ct8=
=u3IU
-----END PGP SIGNATURE-----




More information about the openssh-unix-dev mailing list