patch adding none cipher/mac for ssh v2
J Raynor
raynorj at mn.rr.com
Thu Nov 11 18:00:10 EST 2004
Below is a patch that adds the ability to have a none cipher and mac for
protocol version 2. By default, sshd will not allow these to be used;
an admin will have to explicitly allow them in the Ciphers and MACs
section of sshd_config. Additionally, the client will not use these
unless explicitly instructed to by the user.
The actual name of the cipher is 'none2', to distinguish it from the
'none' cipher available for ssh v1. The name of the mac is hmac-none.
The reasoning for having these is that there are times when a user might
not want their session encrypted. For instance, when using ssh over an
already secured interface (IPsec), through another ssh tunnel, or when
doing port forwarding over the loopback interface. It can be worthwhile
to save on CPU usage in these and other cases.
Index: cipher.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/cipher.c,v
retrieving revision 1.71
diff -c -r1.71 cipher.c
*** cipher.c 2004/07/28 09:40:29 1.71
--- cipher.c 2004/11/11 01:07:02
***************
*** 65,70 ****
--- 65,71 ----
{ "3des", SSH_CIPHER_3DES, 8, 16, evp_ssh1_3des },
{ "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, evp_ssh1_bf },
+ { "none2", SSH_CIPHER_SSH2, 8, 0, EVP_enc_null },
{ "3des-cbc", SSH_CIPHER_SSH2, 8, 24, EVP_des_ede3_cbc },
{ "blowfish-cbc", SSH_CIPHER_SSH2, 8, 16, EVP_bf_cbc },
{ "cast128-cbc", SSH_CIPHER_SSH2, 8, 16, EVP_cast5_cbc },
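Review bot: Nothing in this hunk or in the cover note documents the consequence of the "none2" entry: once it is negotiated, everything inside the SSH2 transport, including a password sent during authentication and any forwarded X11 or TCP data, crosses the wire in cleartext. Add ssh_config(5)/sshd_config(5) text for "none2" that states it is not in the default Ciphers set and is only meant for links that are already protected (the IPsec and nested-ssh cases in the cover note). The "off by default" property rests entirely on the name being absent from the default proposal list, which this diff does not touch, so the man page should say where the default lives. Minor naming point: the SSH2 transport spec already reserves the algorithm name "none" for the null cipher, so "none2" will not interoperate with other implementations that offer "none"; if that trade-off is intended to avoid the SSH1 "none" entry above, say so in the documentation.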
Index: mac.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/mac.c,v
retrieving revision 1.6
diff -c -r1.6 mac.c
*** mac.c 2003/09/18 13:02:21 1.6
--- mac.c 2004/11/11 01:07:03
***************
*** 45,50 ****
--- 45,51 ----
{ "hmac-md5-96", EVP_md5, 96 },
{ "hmac-ripemd160", EVP_ripemd160, 0 },
{ "hmac-ripemd160 at openssh.com", EVP_ripemd160, 0 },
+ { "hmac-none", EVP_md_null, 0 },
{ NULL, NULL, 0 }
};
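Review bot: With truncatebits 0 and EVP_md_null, "hmac-none" yields a zero-length MAC, so a session that negotiates it has no integrity protection at all, and it can be selected independently of the cipher: an admin who adds it to MACs while keeping the CBC ciphers from the table above gets an encrypted but fully malleable stream, a combination the cover note does not describe and for which there is no CPU-saving argument. Document this in sshd_config(5)/ssh_config(5) next to the cipher entry, and consider having the client warn or refuse when "hmac-none" is negotiated together with a real cipher. Naming: the entry is not an HMAC, and as with "none2" the SSH2 transport spec reserves "none" for the null MAC, so "hmac-none" will not interoperate with implementations that offer "none".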
More information about the openssh-unix-dev mailing list
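A check a practitioner would want after deploying this patch, added here as an example that is not part of the patch or of OpenSSH: a POSIX shell audit that reads an sshd_config the way sshd does (keywords are case-insensitive, lines starting with '#' are comments, the first occurrence of a keyword wins) and reports whether the null cipher "none2" or the null MAC "hmac-none" from the patch above has been enabled. The sample config inside the block is constructed, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the patch or of OpenSSH: audit an sshd_config
# for the null algorithms the patch introduces ("none2" cipher, "hmac-none"
# MAC). audit_null_algos exits 0 when neither is enabled, 1 otherwise.
# Parsing follows sshd's rules: keywords are case-insensitive, '#' lines are
# comments, and the first occurrence of a keyword wins.

# Constructed sample sshd_config with both null algorithms enabled; the
# second Ciphers line is there to show that only the first one counts.
make_sample_config() {
  cat > "$1" <<'EOF'
# constructed sample, not from a real host
Port 22
Protocol 2
Ciphers aes128-cbc,none2,3des-cbc
MACs hmac-sha1,hmac-none
Ciphers aes256-cbc
EOF
}

# config_value FILE KEYWORD: print the value of the first non-comment line
# whose keyword matches case-insensitively, as sshd would use it.
config_value() {
  key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  awk -v key="$key" '
    NF >= 2 && substr($1, 1, 1) != "#" && tolower($1) == key { print $2; exit }
  ' "$1"
}

# list_contains LIST NAME: exact token match inside a comma-separated
# algorithm list, so "none2" is not found inside an unrelated longer name.
list_contains() {
  printf '%s\n' "$1" | tr ',' '\n' | grep -qxF "$2"
}

# audit_null_algos FILE: warn on stderr for each null algorithm enabled and
# return 1 if any was found, 0 if the config is clean.
audit_null_algos() {
  cfg=$1
  rc=0
  ciphers=$(config_value "$cfg" Ciphers)
  macs=$(config_value "$cfg" MACs)
  if list_contains "$ciphers" none2; then
    echo "WARN: $cfg offers the null cipher none2 (Ciphers $ciphers)" >&2
    rc=1
  fi
  if list_contains "$macs" hmac-none; then
    echo "WARN: $cfg offers the null MAC hmac-none (MACs $macs)" >&2
    rc=1
  fi
  return $rc
}

# Stand-alone run against the constructed sample.
tmp=$(mktemp)
make_sample_config "$tmp"
if audit_null_algos "$tmp"; then
  echo "clean: no null algorithms enabled in $tmp"
else
  echo "null algorithm(s) enabled in $tmp, see warnings above"
fi
rm -f "$tmp"
```

To run it against a real host, call audit_null_algos /etc/ssh/sshd_config from a shell that has sourced the file; the same two functions work on ssh_config, since the client-side Ciphers and MACs keywords use the same list syntax.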