No warning message is displayed for "none" cipher

Chris Rapier rapier at
Sat Jan 6 06:26:39 EST 2007

Damien Miller wrote:
> On Fri, 5 Jan 2007, ponraj wrote:
>> Hello all,
>> I tried to connect to the server that supports protocol 1:
>> # ssh -1 -o "cipher none" remotehost
>> <No valid SSH1 cipher, using 3des instead>
> openssh does not support the "none" cipher. Any traces of it in the code
> are legacy and/or paranoia.
> There are 3rd party patches that add support for the "none" cipher. We
> do not recommend their use, and obviously don't support them. This has
> been discussed ad nauseum on this mailing list - please have a look at
> the archives.

While I perfectly understand and respect why you'd not recommend the use 
of the NONE cipher I do feel that the means by which it is implemented 
in the HPN patch is a good compromise position. By maintaining full 
encryption through the authentication process it, I feel at least, 
provide sufficient security for users who are aware of what their needs 
on. Being that the use of the NONE cipher in the case of the HPN patch 
is limited to bulk data transfers I also think that further mitigates 
the inherent security risk associated with unencrypted data transfers. 
Lastly, maintaining MAC on the packets does provide protection that a 
typical 'NONE' session under V1 does not (at least as far as I am 
aware). The impact that enabling the NONE cipher has on throughput is 
considerable and when you are moving 15 terabytes cross country on a 
daily basis with scp these sort of performance improvements matter.


More information about the openssh-unix-dev mailing list