enabling "none" cipher

Philip Hands phil at hands.com
Wed Jan 14 20:30:05 AEDT 2026


hvjunk <hvjunk at gmail.com> writes:

>> On 14 Jan 2026, at 08:32, Jochen Bern <Jochen.Bern at binect.de> wrote:
>>> 
>> So, *still* comparable to telnet/ftp, if you use e.g. PAM to add a round of challenge-response auth to the logins ... :-3
>
> Hopefully you aren’t using Debian or Ubuntu or any other RPM based
> distro like Alma/rocky and god forbid FreeBSD with its tar files for
> your servers/services…. as they are all distributing their software
> via ftp/telnet/http equivalent services…. just using a pam type
> challenge-response to authenticate the packages’ authenticity at the
> endpoints are what the sender intended to send…

If you'd like to inform yourself about how things _actually_ work, I
would suggest starting here:

  https://manpages.debian.org/buster/apt/apt-secure.8.en.html

(That's Debian specific, but AFAIK all the other people you seem to be
trying to defame have thought about this problem too, and probably came
up with a solution about as long ago as we did)

The verification scheme described there has been in place since apt 0.6,
which was released in 2003, as you can confirm here:

  https://tracker.debian.org/media/packages/a/apt/changelog-3.1.13

BTW, if you find mention of MD5 in any of these documents and think
"Aha!", you should be aware that while we include MD5s for backwards
compatibility, we've been using SHA256 for ages.

Confirming the checksums of the files at rest, and confirming the
checksum files via a chain of trust through those files back to keys
that only exist in an HSM renders the security of the transport
mechanism totally irrelevant for this use case.

Here are some of the files doing the work:

  http://ftp.uk.debian.org/debian/dists/stable/Release
  http://ftp.uk.debian.org/debian/dists/stable/Release.gpg
  http://ftp.uk.debian.org/debian/dists/stable/main/binary-all/Packages.gz

If you decide to visit those URLs via https, you'll see that the
certificates don't match.

That's because Debian's mirror network does not belong to Debian, but
rather to hundreds of organisations and individuals over which Debian
has approximately no control.

In the case of the (linked to) UK mirror, the server belongs to me (and
has done since it was established in the 90's), so it has a hands.com
certificate, because I can reasonably vouch for it whereas Debian cannot.

A few people like to access it via https://debian.hands.com/ and get a
tiny extra feel-good factor, but their security still rests on the chain
of trust in the files themselves, because oddly enough I don't actually
check the integrity of the files that arrive on my server in the early
hours of the morning, so if they were somehow tampered with in transit,
getting them via https isn't going to help even slightly (it just proves
you're talking to my server when you do it, for whatever that is worth).

Cheers, Phil.
-- 
Philip Hands -- https://hands.com/~phil
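The chain of trust Phil describes, from Release.gpg over Release, from Release over Packages, and from Packages over each .deb, illustrated as an added example in Python. This is not code from the thread or from apt itself: the Release, Packages and .deb contents are constructed stand-ins, the index path main/binary-amd64/Packages and the package name are invented, and the signature check over Release (the step apt hands to gpgv against the archive keyring) is only noted in a comment because it needs real key material. What it does show is why transport security is beside the point: every file is checked at rest against a digest that a higher link in the chain vouches for, and a tampered byte anywhere below the signed Release is caught.

```python
import hashlib
import hmac

# --- Constructed sample archive (not real Debian data) ---------------------
DEB_BYTES = b"!<arch>\nconstructed fake .deb payload, not a real archive\n"
DEB_PATH = "pool/main/h/hello/hello_2.10-3_amd64.deb"  # hypothetical

# A one-stanza Packages index. Real indices carry many stanzas; the
# Size and SHA256 fields are what apt checks before it will unpack a .deb.
PACKAGES_TEXT = (
    "Package: hello\n"
    "Version: 2.10-3\n"
    "Architecture: amd64\n"
    f"Filename: {DEB_PATH}\n"
    f"Size: {len(DEB_BYTES)}\n"
    f"SHA256: {hashlib.sha256(DEB_BYTES).hexdigest()}\n"
    "\n"
)
PACKAGES_BYTES = PACKAGES_TEXT.encode()
INDEX_PATH = "main/binary-amd64/Packages"  # assumed index path

# The Release file lists every index with its digests. MD5Sum is kept
# only for backwards compatibility; the verifier below reads SHA256 only.
# Step 0 (not performed here): the detached signature Release.gpg must
# verify over exactly these bytes with a key in the archive keyring,
# e.g. via `gpgv --keyring <archive keyring> Release.gpg Release`.
RELEASE_TEXT = (
    "Origin: Debian\n"
    "Suite: stable\n"
    "Codename: constructed\n"
    "MD5Sum:\n"
    f" {hashlib.md5(PACKAGES_BYTES).hexdigest()} {len(PACKAGES_BYTES)} {INDEX_PATH}\n"
    "SHA256:\n"
    f" {hashlib.sha256(PACKAGES_BYTES).hexdigest()} {len(PACKAGES_BYTES)} {INDEX_PATH}\n"
)


# --- Verification logic -----------------------------------------------------
def parse_release_hashes(release_text: str, field: str = "SHA256") -> dict:
    """Return {index_path: (hexdigest, size)} from the named digest stanza."""
    hashes = {}
    in_section = False
    for line in release_text.splitlines():
        if not line.startswith(" "):            # a header line starts a new stanza
            in_section = line.rstrip() == field + ":"
            continue
        if in_section:
            digest, size, path = line.split()
            hashes[path] = (digest, int(size))
    return hashes


def _matches(data: bytes, digest: str, size: int) -> bool:
    """Constant-time SHA256 comparison plus the cheap size check apt also does."""
    return len(data) == size and hmac.compare_digest(
        hashlib.sha256(data).hexdigest(), digest)


def verify_against_release(release_text: str, path: str, data: bytes) -> bool:
    """Is `data` the index that the (signed) Release file vouches for at `path`?"""
    expected = parse_release_hashes(release_text).get(path)
    return expected is not None and _matches(data, *expected)


def parse_packages(packages_text: str) -> list:
    """Split a Packages index into a list of {field: value} stanzas."""
    stanzas = []
    for block in packages_text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        stanzas.append(fields)
    return stanzas


def verify_deb(packages_text: str, filename: str, deb_bytes: bytes) -> bool:
    """Is `deb_bytes` the package that the (already verified) index lists?"""
    for stanza in parse_packages(packages_text):
        if stanza.get("Filename") == filename:
            return _matches(deb_bytes, stanza["SHA256"], int(stanza["Size"]))
    return False  # a package the index never mentioned is rejected outright


def verify_chain(release_text: str, index_path: str, index_bytes: bytes,
                 deb_path: str, deb_bytes: bytes) -> bool:
    """Full chain: Release -> Packages -> .deb (signature step assumed done)."""
    if not verify_against_release(release_text, index_path, index_bytes):
        return False
    return verify_deb(index_bytes.decode(), deb_path, deb_bytes)


if __name__ == "__main__":
    print("clean chain:", verify_chain(RELEASE_TEXT, INDEX_PATH, PACKAGES_BYTES,
                                       DEB_PATH, DEB_BYTES))
    # Same length, different bytes: the size check passes, the digest does not.
    tampered = DEB_BYTES.replace(b"fake", b"evil")
    print("tampered .deb:", verify_chain(RELEASE_TEXT, INDEX_PATH, PACKAGES_BYTES,
                                         DEB_PATH, tampered))
```

Because the index and the package are both checked against digests that ultimately hang off the signed Release, a mirror operator, an intermediate proxy or a plain-http path has no opportunity to substitute content that passes: the only way to change what apt accepts is to change what the archive key signed.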