Clear-Text Patch? was: Re: OpenSSH 5.1: call for testing

rapier rapier at psc.edu
Wed Jul 23 06:48:44 EST 2008


Dag-Erling Smørgrav wrote:
> rapier <rapier at psc.edu> writes:
>> Dag-Erling Smørgrav <des at des.no> writes:
>>> Last I checked, it's still there; you just need to add "none" to the
>>> list of accepted ciphers in myproposal.h.
>> The problem is that just adding 'none' back pushes all interaction into 
>> the clear [...]
> 
> No, adding "none" to the list makes it available, but not the default -
> unless you add it to the front of the list.

My apologies for not being clear. Let me try again.

If you simply add 'none' to the list and both sides of the connection 
agree to use none then all transactions for that connection, including 
authentication, happen in the clear. This is obviously unacceptable. 
This is why we developed the cipher switching patch. This allows for 
the cipher used to be changed midstream - which allows for encrypted 
authentication and unencrypted bulk data transport.
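
Added example, not part of the original message and not OpenSSH code: a minimal model of the RFC 4253 section 7.1 rule the thread relies on, where the cipher chosen is the first entry on the client's list that the server also offers. Because this choice is made during key exchange, before user authentication, a negotiated "none" covers the whole connection. The function names and the proposal strings are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Return 1 if name (length n) is a whole entry of the comma-separated list. */
static int in_list(const char *list, const char *name, size_t n)
{
    for (const char *p = list; *p; ) {
        size_t len = strcspn(p, ",");
        if (len == n && memcmp(p, name, n) == 0)
            return 1;
        p += len + (p[len] == ',');
    }
    return 0;
}

/* RFC 4253 7.1: choose the first client entry that the server also lists.
 * Copies it to out; returns 0 on success, -1 if the lists share no cipher. */
int negotiate_cipher(const char *client, const char *server,
                     char *out, size_t outlen)
{
    for (const char *p = client; *p; ) {
        size_t len = strcspn(p, ",");
        if (len > 0 && len < outlen && in_list(server, p, len)) {
            memcpy(out, p, len);
            out[len] = '\0';
            return 0;
        }
        p += len + (p[len] == ',');
    }
    return -1;
}

/* 1 if this pair of proposals ends up with "none", i.e. a clear-text session. */
int negotiates_cleartext(const char *client, const char *server)
{
    char c[64];
    return negotiate_cipher(client, server, c, sizeof c) == 0 &&
           strcmp(c, "none") == 0;
}

int main(void)
{
    const char *server = "aes128-ctr,aes256-ctr,none"; /* constructed proposal */
    printf("none last on client:   %d\n", negotiates_cleartext("aes128-ctr,none", server));
    printf("none first on client:  %d\n", negotiates_cleartext("none,aes128-ctr", server));
    printf("server lacks none:     %d\n", negotiates_cleartext("none", "aes128-ctr,aes256-ctr"));
    return 0;
}
```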






