Clear-Text Patch? was: Re: OpenSSH 5.1: call for testing
rapier
rapier at psc.edu
Wed Jul 23 06:48:44 EST 2008
Dag-Erling Smørgrav wrote:
> rapier <rapier at psc.edu> writes:
>> Dag-Erling Smørgrav <des at des.no> writes:
>>> Last I checked, it's still there; you just need to add "none" to the
>>> list of accepted ciphers in myproposal.h.
>> The problem is that just adding 'none' back pushes all interaction into
>> the clear [...]
>
> No, adding "none" to the list makes it available, but not the default -
> unless you add it to the front of the list.
My apologies for not being clear. Let me try again.
If you simply add 'none' to the list and both sides of the connection
agree to use none then all transactions for that connection, including
authentication, happen in the clear. This is obviously unacceptable.
This is why we developed the cipher switching patch. This allows for
cipher used to be change midstream - which allows for encrypted
authentication and unencrypted bulk data transport.
More information about the openssh-unix-dev
mailing list