OpenSSH with 'none' cipher (after reading bug #877)

Luciano Bello luciano at debian.org
Fri Feb 27 07:50:26 EST 2009


On Thu 26 Feb 2009, Yaniv Aknin wrote:
> However, It seems that a solution I'm implementing may require cleartext
> transport due to regulation / auditing compliance reasons. Turns out that
> the government suits of some countries mandated that some institutions are
> required to keep a cleartext copy of all communications ever sent from their
> premises for a while, and I can't use my SSH based solution for these
> customers (Please, I don't want to argue about whether it's a good or a bad
> idea).

What about putting a copy of the sshd's private exponent on the sniffer/auditor machine? With this, the auditor can recalculate the shared secret and decipher the communication. Of course, this breaks PFS in DHE, but it looks like a better solution than just using plain text.

luciano

PS: I'm in favor of implementing the 'none' cipher, but for the 'performance' reasons.
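The escrow scheme sketched above, worked through as an added example (it is not code from the original thread or from OpenSSH): a passive auditor who holds the server's Diffie-Hellman private exponent recomputes the shared secret from the client's public value seen on the wire and decrypts the traffic. The group (a Mersenne prime, not a negotiated SSH group), the key derivation (a plain SHA-256 of K instead of RFC 4253's HASH(K || H || ...)) and the cipher (an HMAC-based keystream) are simplified stand-ins and are assumptions of this example, as is the `escrowed_server_exponent` field that models what the auditor receives. One caveat the example makes visible: sshd draws a fresh exponent per connection, so the auditor needs every session's exponent, or the server must be made to reuse one, which is precisely the loss of forward secrecy mentioned.

```python
"""Passive decryption of a DH-protected session by an auditor holding the
server's DH private exponent. Added example, not OpenSSH code; the group, key
derivation and cipher below are stand-ins chosen to keep it self-contained."""
import hashlib
import hmac
import secrets

# Toy group (assumption): the Mersenne prime 2**521 - 1 with generator 3.
# Real SSH negotiates a group (e.g. RFC 3526 group 14); this one only makes
# the arithmetic realistically sized and is not a recommended parameter set.
P = (1 << 521) - 1
G = 3


def dh_keypair(private_exponent=None):
    """Return (x, g^x mod p), drawing a fresh random x unless one is supplied."""
    x = private_exponent if private_exponent is not None else secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def shared_secret(private_exponent, peer_public):
    """K = peer_public^x mod p, identical on both sides of the exchange."""
    return pow(peer_public, private_exponent, P)


def derive_key(k):
    """Stand-in for SSH's key derivation (RFC 4253 uses HASH(K || H || ...))."""
    return hashlib.sha256(k.to_bytes((P.bit_length() + 7) // 8, "big")).digest()


def keystream_xor(key, data):
    """HMAC-SHA256 counter-mode keystream XORed over data; stand-in for the
    negotiated cipher. Symmetric: applying it twice restores the input."""
    out = bytearray()
    for j in range(0, len(data), 32):
        block = data[j:j + 32]
        ks = hmac.new(key, (j // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(block, ks))
    return bytes(out)


def run_session(plaintext, server_exponent=None):
    """One client<->server exchange as a sniffer would see it (both public
    values and the ciphertext) plus the server exponent that the escrow
    proposal hands to the auditor. A fresh server exponent is drawn per
    session unless one is forced, mirroring sshd's per-connection behaviour."""
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair(server_exponent)
    key = derive_key(shared_secret(s_priv, c_pub))
    assert key == derive_key(shared_secret(c_priv, s_pub))  # both sides agree on K
    return {"client_pub": c_pub, "server_pub": s_pub,
            "ciphertext": keystream_xor(key, plaintext),
            "escrowed_server_exponent": s_priv}


def audit_decrypt(server_exponent, capture):
    """What the auditor does with a packet capture and the escrowed exponent:
    recompute K from the client's public value, re-derive the key, decrypt.
    No cooperation from the client is needed and nothing on the wire changes."""
    key = derive_key(shared_secret(server_exponent, capture["client_pub"]))
    return keystream_xor(key, capture["ciphertext"])


def demo():
    """Returns (own_session_ok, other_session_ok, reused_exponent_ok)."""
    a = run_session(b"session one: ls -la /etc")
    b = run_session(b"session two: cat /etc/shadow")
    # The escrowed exponent of session A decrypts A ...
    own = audit_decrypt(a["escrowed_server_exponent"], a) == b"session one: ls -la /etc"
    # ... but not B, whose exponent was drawn independently: with per-session
    # exponents the auditor must receive every one of them.
    other = audit_decrypt(a["escrowed_server_exponent"], b) == b"session two: cat /etc/shadow"
    # If the server is instead made to reuse a single exponent, one escrowed
    # value opens every session, which is the forward-secrecy loss in full.
    fixed = secrets.randbelow(P - 2) + 1
    c = run_session(b"session three", server_exponent=fixed)
    d = run_session(b"session four", server_exponent=fixed)
    reused = (audit_decrypt(fixed, c) == b"session three"
              and audit_decrypt(fixed, d) == b"session four")
    return own, other, reused


if __name__ == "__main__":
    print(demo())
```

Running `demo()` yields `(True, False, True)`: the capture is readable exactly when the auditor holds the exponent used in that session, so the audit box either collects an exponent per connection or the server gives up per-session exponents altogether.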

