patch adding none cipher/mac for ssh v2

J Raynor raynorj at mn.rr.com
Thu Nov 11 20:54:03 EST 2004


Below is an updated patch, FWIW.

I only found 1 thread about this in the past, but that might be because 
the archive search isn't working well.  For that thread, I didn't see 
any good arguments against adding this.

I'd like to reiterate that, for this patch:

1.  An admin would have to explicitly allow the none cipher/mac by 
modifying the Ciphers and MACs sections of sshd_config.
2.  The client would have to explicitly request the none cipher.  In 
other words, a user couldn't unknowingly/accidentally initiate an 
unencrypted ssh session, even if the ssh server allowed the none cipher.


I certainly see the argument for not allowing the none cipher/mac by 
default.  But if someone with admin rights wants/needs an unencrypted 
login session, you aren't going to prevent them from setting it up by 
disallowing the none cipher.  You'll just force them to use another 
tool, like rsh.




Index: cipher.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/cipher.c,v
retrieving revision 1.71
diff -c -r1.71 cipher.c
*** cipher.c    2004/07/28 09:40:29     1.71
--- cipher.c    2004/11/11 09:07:30
***************
*** 60,70 ****
         u_int   key_len;
         const EVP_CIPHER        *(*evptype)(void);
   } ciphers[] = {
-       { "none",               SSH_CIPHER_NONE, 8, 0, EVP_enc_null },
         { "des",                SSH_CIPHER_DES, 8, 8, EVP_des_cbc },
         { "3des",               SSH_CIPHER_3DES, 8, 16, evp_ssh1_3des },
         { "blowfish",           SSH_CIPHER_BLOWFISH, 8, 32, evp_ssh1_bf },

         { "3des-cbc",           SSH_CIPHER_SSH2, 8, 24, EVP_des_ede3_cbc },
         { "blowfish-cbc",       SSH_CIPHER_SSH2, 8, 16, EVP_bf_cbc },
         { "cast128-cbc",        SSH_CIPHER_SSH2, 8, 16, EVP_cast5_cbc },
--- 60,70 ----
         u_int   key_len;
         const EVP_CIPHER        *(*evptype)(void);
   } ciphers[] = {
         { "des",                SSH_CIPHER_DES, 8, 8, EVP_des_cbc },
         { "3des",               SSH_CIPHER_3DES, 8, 16, evp_ssh1_3des },
         { "blowfish",           SSH_CIPHER_BLOWFISH, 8, 32, evp_ssh1_bf },

+       { "none",               SSH_CIPHER_SSH2, 8, 0, EVP_enc_null },
         { "3des-cbc",           SSH_CIPHER_SSH2, 8, 24, EVP_des_ede3_cbc },
         { "blowfish-cbc",       SSH_CIPHER_SSH2, 8, 16, EVP_bf_cbc },
         { "cast128-cbc",        SSH_CIPHER_SSH2, 8, 16, EVP_cast5_cbc },
Index: mac.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/mac.c,v
retrieving revision 1.6
diff -c -r1.6 mac.c
*** mac.c       2003/09/18 13:02:21     1.6
--- mac.c       2004/11/11 09:07:32
***************
*** 45,50 ****
--- 45,51 ----
         { "hmac-md5-96",                EVP_md5, 96 },
         { "hmac-ripemd160",             EVP_ripemd160, 0 },
         { "hmac-ripemd160 at openssh.com", EVP_ripemd160, 0 },
+       { "none",                       EVP_md_null, 0 },
         { NULL,                         NULL, 0 }
   };




Darren Tucker wrote:
> J Raynor wrote:
> 
>> Below is a patch that adds the ability to have a none cipher and mac 
>> for protocol version 2. [..]
>>
>> The actual name of the cipher is 'none2', to distinguish it from the 
>> 'none' cipher available for ssh v1.  The name of the mac is hmac-none.
> 
> 
> Leaving aside whether or not this is a good idea (which has been done to 
> death here and elsewhere many times before, check the archives) if 
> you're going to do this then you ought to either stick with the specs[1] 
> and call them "none" or make them local extensions[2], eg 
> "none2 at your.domain.com".
> 
> [1] http://www.ietf.org/internet-drafts/draft-ietf-secsh-transport-19.txt
> (section 6.3 & 6.4)
> 
> [2] 
> http://www.ietf.org/internet-drafts/draft-ietf-secsh-architecture-17.txt
> (section 4.2 and 6)
> 




More information about the openssh-unix-dev mailing list