[EXT] Re: enabling "none" cipher
Darren Tucker
dtucker at dtucker.net
Tue Jan 13 08:48:44 AEDT 2026
On Tue, 13 Jan 2026 at 08:08, Blumenthal, Uri - 0553 - MITLL <uri at ll.mit.edu>
wrote:
> Isn't “none” cipher still authenticated, for both login and traffic?
The cipher itself is not, but there is a separate Message Authentication
Code (MAC) on each SSH packet. The spec also allows the MAC to be "none"
but OpenSSH doesn't and offhand I don't know of an implementation that does.
> Don’t some organizations care for authenticity, though not (that much) for
> confidentiality
Without SSH encryption, the passwords in password based logins (including
keyboard-interactive) are also in plain text. This is probably why even
the HPN folks don't start with none, but instead start with a cipher then
later rekey to "none".
--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
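
The point made in the reply above, as an added example that is not part of the original message and is not OpenSSH code: an RFC 4253 binary packet built with cipher "none" still carries a per-packet MAC, so tampering is detected, but an RFC 4252 password request inside it is readable on the wire. The choice of hmac-sha2-256, the key, the user name and the password are constructed assumptions.

```python
import hashlib, hmac, os, struct

BLOCK = 8  # RFC 4253: pad to a multiple of 8 when the cipher is "none"
SSH_MSG_USERAUTH_REQUEST = 50

def ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def password_auth_payload(user: bytes, password: bytes) -> bytes:
    # RFC 4252 section 8: password authentication request
    return (bytes([SSH_MSG_USERAUTH_REQUEST]) + ssh_string(user)
            + ssh_string(b"ssh-connection") + ssh_string(b"password")
            + b"\x00" + ssh_string(password))

def seal(payload: bytes, seq: int, mac_key: bytes) -> bytes:
    """Build one binary packet with cipher "none" and MAC hmac-sha2-256."""
    pad = BLOCK - (5 + len(payload)) % BLOCK
    if pad < 4:              # the RFC requires at least 4 bytes of padding
        pad += BLOCK
    packet = (struct.pack(">IB", 1 + len(payload) + pad, pad)
              + payload + os.urandom(pad))
    # mac = MAC(key, sequence_number || unencrypted_packet)
    tag = hmac.new(mac_key, struct.pack(">I", seq) + packet, hashlib.sha256).digest()
    return packet + tag      # "none" cipher: packet bytes go out as they are

def open_packet(wire: bytes, seq: int, mac_key: bytes) -> bytes:
    """Verify the MAC and return the payload; raise ValueError on mismatch."""
    packet, tag = wire[:-32], wire[-32:]
    want = hmac.new(mac_key, struct.pack(">I", seq) + packet, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("MAC mismatch")
    length, pad = struct.unpack(">IB", packet[:5])
    return packet[5:4 + length - pad]

def demo():
    key = b"k" * 32  # constructed; real MAC keys come from the key exchange
    payload = password_auth_payload(b"alice", b"constructed-password")
    wire = seal(payload, 3, key)
    visible = b"constructed-password" in wire        # no confidentiality
    authentic = open_packet(wire, 3, key) == payload  # integrity still holds
    tampered = bytearray(wire)
    tampered[10] ^= 1                                 # flip one payload bit
    try:
        open_packet(bytes(tampered), 3, key)
        detected = False
    except ValueError:
        detected = True
    return visible, authentic, detected
```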
More information about the openssh-unix-dev
mailing list