patch adding none cipher/mac for ssh v2

Douglas E. Engert deengert at anl.gov
Fri Nov 12 08:00:20 EST 2004



Jefferson Ogata wrote:
> J Raynor wrote:
> 
>> As a final note, I'd like to point out that kerberos allows the user 
>> to choose whether their session is encrypted or not.  So aside from 
>> the few people who may have argued the point on the openssh mailing 
>> lists, there are groups of people out there who want this choice.
> 
> 
> SSL2 and SSL3 also support a null cipher.
> 
> Does anyone else see the irony of what's going on here?

Not really. The Kerberos case and ssl2 or ssl3 with NULL are more
historical than a current requirement. It comes from when sending
encrypted data could have been against the law in some places,
or the need to authenticate but not encrypt was common.

But today, not only do you have to authenticate, but you need to
protect the integrity of the session to help avoid hijacking
as well as protecting the data.

So why do you need ssh without encryption? Won't telnet or rsh
do just as well? Most Kerberos shops I know of are turning off
the Kerberized BSD applications and using ssh with gssapi instead.

So although I don't see the need for a null encryption, you claim
there are groups of people out there that want the choice. But why?



-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444




More information about the openssh-unix-dev mailing list