Warning message at password prompt
Frank Cusack
fcusack at fcusack.com
Fri Feb 15 20:48:23 EST 2002
On Thu, Feb 14, 2002 at 10:10:07AM +0000, Edward Avis wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Thu, 14 Feb 2002, Damien Miller wrote:
>
> >>I've patched my local OpenSSH (currently 2.9p2, but the same patch
> >>applies to 3.0.2) to allow the cipher 'none' for both SSH1 and SSH2
> >>connections. With SSH1, there is already code to print a warning
> >>that any password you enter will be sent in plain text. However the
> >>userauth_passwd() in sshconnect2.c does not have any such warning.
Your patch is inadequate, then. :-) Try this, it works for me. It's against
3.0.2p1. You need 'none2'; otherwise you can't do 'none' encryption with
protocol 2. (In the OpenSSH implementation, the "keywords" for encryption types
cannot be shared between protocols 1 and 2.)
--- openssh.orig/cipher.c
+++ openssh/cipher.c
@@ -364,6 +364,10 @@
blowfish_setkey, blowfish_setiv,
blowfish_ssh1_encrypt, blowfish_ssh1_decrypt },
+ { "none2",
+ SSH_CIPHER_SSH2, 8, 0,
+ none_setkey, none_setiv,
+ none_crypt, none_crypt },
{ "3des-cbc",
SSH_CIPHER_SSH2, 8, 24,
des3_setkey, des3_setiv,
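Review bot: The new `none2` entry in the cipher table has no comment saying that it provides no confidentiality, and once it is in the table any configured cipher list that names it will presumably pass validation on whichever side runs this binary. I would add a comment above the entry such as `/* null cipher for protocol 2: no encryption, must never be part of the default proposal */`. The name is private to this patch, so a peer built without it will not negotiate it, which is worth stating in the same comment. The table initializer starts and ends outside the hunk.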
@@ -419,6 +423,7 @@
u_int mask = 0;
mask |= 1 << SSH_CIPHER_3DES; /* Mandatory */
mask |= 1 << SSH_CIPHER_BLOWFISH;
+ mask |= 1 << SSH_CIPHER_NONE;
if (client) {
mask |= 1 << SSH_CIPHER_DES;
}
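Review bot: The added `mask |= 1 << SSH_CIPHER_NONE;` sits outside the `if (client)` block, so the null cipher enters the protocol 1 mask for the server side as well as the client, with no configuration switch to opt in. A server built with this patch would then appear to accept an unencrypted session from any client that asks for one. If the server side is really intended, gate the line on an explicit option that defaults to off; if only the client needs it, move the line inside `if (client) { ... }`. The enclosing function starts and ends outside the hunk.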
--- openssh.orig/ssh.c
+++ openssh/ssh.c
@@ -438,6 +438,8 @@
options.ciphers = "3des-cbc";
else if (options.cipher == SSH_CIPHER_BLOWFISH)
options.ciphers = "blowfish-cbc";
+ else if (options.cipher == SSH_CIPHER_NONE)
+ options.ciphers = "none2";
else
options.ciphers = (char *)-1;
}
--- openssh.orig/sshconnect1.c
+++ openssh/sshconnect1.c
@@ -848,7 +848,7 @@
error("Permission denied, please try again.");
if (options.cipher == SSH_CIPHER_NONE)
log("WARNING: Encryption is disabled! "
- "Reponse will be transmitted in clear text.");
+ "Response will be transmitted in clear text.");
response = read_passphrase(prompt, RP_ECHO);
if (strcmp(response, "") == 0) {
xfree(response);
--- openssh.orig/sshconnect2.c
+++ openssh/sshconnect2.c
@@ -449,6 +449,9 @@
if(attempt != 1)
error("Permission denied, please try again.");
+ if (!strcmp("none2", options.ciphers))
+ log("WARNING: Encryption is disabled! "
+ "Response will be transmitted in clear text.");
snprintf(prompt, sizeof(prompt), "%.30s@%.128s's password: ",
authctxt->server_user, authctxt->host);
password = read_passphrase(prompt, 0);
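Review bot: `strcmp("none2", options.ciphers)` dereferences `options.ciphers` without checking it, yet the ssh.c hunk shows that field can hold the sentinel `(char *)-1`, and it is presumably NULL when no cipher was configured, in which case an ordinary password login would crash here. The test also compares the whole configured string, so a comma-separated list that contains `none2` produces no warning even if the null cipher is the one negotiated. At minimum guard the pointer, `if (options.ciphers != NULL && options.ciphers != (char *)-1 && strcmp(options.ciphers, "none2") == 0)`, and preferably test the cipher actually selected by key exchange rather than the option string. The same check is repeated in the hunk at -750 before `debug2("userauth_kbdint")`, so a small shared helper would keep the two in step; both enclosing functions start and end outside their hunks.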
@@ -750,6 +753,9 @@
return 0;
}
+ if (!strcmp("none2", options.ciphers))
+ log("WARNING: Encryption is disabled! "
+ "Response will be transmitted in clear text.");
debug2("userauth_kbdint");
packet_start(SSH2_MSG_USERAUTH_REQUEST);
packet_put_cstring(authctxt->server_user);
--- openssh.orig/ssh.1
+++ openssh/ssh.1
@@ -391,7 +391,7 @@
.It Fl b Ar bind_address
Specify the interface to transmit from on machines with multiple
interfaces or aliased addresses.
-.It Fl c Ar blowfish|3des|des
+.It Fl c Ar blowfish|3des|des|none
Selects the cipher to use for encrypting the session.
.Ar 3des
is used by default.
@@ -743,9 +743,10 @@
in protocol version 1.
Currently,
.Dq blowfish ,
-.Dq 3des ,
+.Dq 3des
+.Dq des ,
and
-.Dq des
+.Dq none
are supported.
.Ar des
is only supported in the