encrypt authentication credentials with payload in the clear?

Ben Lindstrom mouring at etoh.eviladmin.org
Wed Mar 5 03:16:11 EST 2003


On Mon, 3 Mar 2003, Scott Bolte wrote:

> On Mon, 03 Mar 2003 09:45:05 -0500, James Dennis wrote:
> >
> > Shouldn't the IDS be detecting known attacks, not ssh traffic?
>
> 	Their concern is that the traffic, which will be remote
> 	service commands by the way, is completely opaque to them.
> 	They feel they need to monitor the internals to make sure
> 	it is appropriate traffic and not an unknown 3rd party using
> 	the cloak of encryption to hide inappropriate actions.
>

Stupidity comes in many forms.  By weakening their security they think
they are improving it.  I would never go near such a company.  I'm sure
anyone with any amount of common sense can outsmart any NIDS system on the
face of the earth.


> > SSH is not rsh. What users would be comfortable with the traffic being
> > visible?!? If that's what you _really_ want, maybe look into telnet with
> > kerberos.
>
> 	What I'm trying to do is standardize on ssh, which is fine
> 	with most customers. For those that want to monitor traffic
> 	internals, I want to still use my ssh infrastructure, albeit
> 	with no encryption after the authorization is complete.
>
> 	I realize it is an odd situation, but I'm not in a position
> 	to refuse the customer's insistence.
>

<shrug> Do what most sane people do.  Discuss the concept of a basin.  So
at least you're encrypted all the way into their network.  Then you can use
whatever bridge method you like from there.

In any respect, the RFC strongly discourages no encryption (none
OPTIONAL          no encryption; NOT RECOMMENDED).   So I doubt we will
see -c none for v2 protocol.

- Ben
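The "none" cipher Ben refers to is advertised, if at all, in the encryption name-lists of the SSH v2 KEXINIT message, so a defender who wants to know whether a client or server is even offering unencrypted transport can inspect that one message rather than the whole session. The following parser is an added example and is not code from the thread or from OpenSSH; it follows the SSH transport layer's KEXINIT layout (message byte 20, a 16-byte cookie, ten name-lists encoded as a big-endian uint32 length plus comma-separated ASCII names, a boolean, and a reserved uint32). The sample payloads are constructed inline for the demonstration, and the function names are this example's own.

```python
import struct

SSH_MSG_KEXINIT = 20

# Order of the ten name-lists that follow the cookie in a KEXINIT payload.
KEXINIT_FIELDS = [
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
]

ENCRYPTION_FIELDS = (
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
)


def _read_name_list(buf, off):
    """Decode one SSH name-list (uint32 length + comma-separated names)."""
    if off + 4 > len(buf):
        raise ValueError("truncated name-list length")
    (length,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + length > len(buf):
        raise ValueError("truncated name-list body")
    raw = buf[off:off + length].decode("ascii")
    names = raw.split(",") if raw else []
    return names, off + length


def parse_kexinit(payload):
    """Parse a decrypted KEXINIT payload into a dict of name-lists."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    off = 17  # 1 message byte + 16 cookie bytes
    fields = {}
    for name in KEXINIT_FIELDS:
        fields[name], off = _read_name_list(payload, off)
    if off + 5 > len(payload):
        raise ValueError("missing trailer")
    fields["first_kex_packet_follows"] = bool(payload[off])
    return fields


def directions_offering_none(payload):
    """Return the encryption directions whose name-list contains 'none'."""
    fields = parse_kexinit(payload)
    return [f for f in ENCRYPTION_FIELDS if "none" in fields[f]]


def build_kexinit(**lists):
    """Construct a KEXINIT payload for testing (hypothetical helper, zero cookie)."""
    out = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16
    for name in KEXINIT_FIELDS:
        body = ",".join(lists.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(body)) + body
    out += b"\x00"              # first_kex_packet_follows = FALSE
    out += b"\x00\x00\x00\x00"  # reserved uint32
    return out


# Constructed sample: a peer that lists the "none" cipher after real ciphers.
OFFERS_NONE = build_kexinit(
    kex_algorithms=["diffie-hellman-group1-sha1"],
    server_host_key_algorithms=["ssh-rsa", "ssh-dss"],
    encryption_algorithms_client_to_server=["aes128-cbc", "3des-cbc", "none"],
    encryption_algorithms_server_to_client=["aes128-cbc", "3des-cbc", "none"],
    mac_algorithms_client_to_server=["hmac-sha1"],
    mac_algorithms_server_to_client=["hmac-sha1"],
    compression_algorithms_client_to_server=["none"],
    compression_algorithms_server_to_client=["none"],
)

# Constructed sample: a peer that only offers real ciphers.
CIPHERS_ONLY = build_kexinit(
    kex_algorithms=["diffie-hellman-group1-sha1"],
    server_host_key_algorithms=["ssh-rsa"],
    encryption_algorithms_client_to_server=["aes128-cbc", "3des-cbc"],
    encryption_algorithms_server_to_client=["aes128-cbc", "3des-cbc"],
    mac_algorithms_client_to_server=["hmac-sha1"],
    mac_algorithms_server_to_client=["hmac-sha1"],
    compression_algorithms_client_to_server=["none"],
    compression_algorithms_server_to_client=["none"],
)

if __name__ == "__main__":
    for label, sample in (("offers-none", OFFERS_NONE), ("ciphers-only", CIPHERS_ONLY)):
        print(label, directions_offering_none(sample))
```

Note that "none" is the normal value in the compression name-lists and only the two encryption name-lists are inspected; a KEXINIT is sent in the clear before keys are negotiated, so a monitor at the network edge can read it directly, whereas everything after NEWKEYS is opaque unless the negotiated cipher really was "none".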




More information about the openssh-unix-dev mailing list