Date:      Wed, 11 Nov 2015 17:49:52 +0200
From:      Daniel Kalchev <daniel@digsys.bg>
To:        Jason Birch <jbirch@jbirch.net>
Cc:        John-Mark Gurney <jmg@funkthat.com>, Ben Woods <woodsb02@gmail.com>, Bryan Drewery <bdrewery@freebsd.org>, Dag-Erling Smørgrav <des@des.no>, "freebsd-current@freebsd.org" <freebsd-current@freebsd.org>, "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject:   Re: OpenSSH HPN
Message-ID:  <546376BD-A2E7-4B73-904E-4F33DD82401E@digsys.bg>
In-Reply-To: <CAA=KUhs9g9gajxwLFBgn2nNhnn4oQSZ56FRVC+Pde4ZZO=g7Ug@mail.gmail.com>
References:  <86io5a9ome.fsf@desk.des.no> <20151110175216.GN65715@funkthat.com> <56428C84.8050600@FreeBSD.org> <CAOc73CAHQ0FRPES7GrM6ckkWfgZCS3Se7GFUrDO4pR_EMVSvZQ@mail.gmail.com> <20151111075930.GR65715@funkthat.com> <CAA=KUhs9g9gajxwLFBgn2nNhnn4oQSZ56FRVC+Pde4ZZO=g7Ug@mail.gmail.com>

It is my understanding that using the NONE cipher is not identical to
using "the old tools" (rsh/rlogin/rcp).

When ssh uses the NONE cipher, credentials and authorization are still
encrypted and verified. Only the actual data payload is not encrypted.

Perhaps a similar level of security could be achieved by "the old
tools" if they were by default compiled with Kerberos. Although,
this still requires building additional infrastructure.

I must have missed the explanation. But why is having a NONE cipher
compiled in, but disabled in the configuration, a bad idea?

Daniel


> On 11.11.2015, at 10:55, Jason Birch <jbirch@jbirch.net> wrote:
>
> On Wed, Nov 11, 2015 at 6:59 PM, John-Mark Gurney <jmg@funkthat.com> wrote:
>> If you have a trusted network, why not just use nc?
>
> Perhaps more generally relevant is that ssh/scp are *waves hands* vaguely
> analogous to secure versions of rsh/rlogin/rcp. I'd think that most cases
> of "I wanted to send files and invoke some commands on a remote machine,
> and due to $CIRCUMSTANCE I don't need or desire encryption" are covered
> by the older, also standard tools. Additionally, rsync can use rsh as its
> transport, for users who desire more advanced behaviour. ssh just seems
> to have more support; installation will ask you if you'd like to run sshd
> (not rshd), ssh is rather ubiquitous as a way of "doing a thing remotely"
> (even in Windows soon!), etc. This is a good default to have; the
> overhead of security is tiny in nearly all cases.
>
> It would seem then that the extra complexity of maintenance development
> in supporting NONE in base doesn't really grant us any additional
> functionality in most cases. It's just more 'obvious'.
> _______________________________________________
> freebsd-current@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"
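The question in the message above ("compiled in, but disabled in the configuration") comes down to whether the NONE cipher is actually off on a given host. The following is an added example, not code from this thread, from OpenSSH or from the HPN patch: a small audit that reads an sshd_config the way sshd does (keywords case-insensitive, `#` comments, first occurrence of a keyword wins, anything after a `Match` line is conditional) and reports whether the NONE cipher is enabled, then rewrites the global section so it is not. It assumes the HPN patch's server-side keyword is `NoneEnabled` (yes/no, default no); that keyword name is taken from the HPN-SSH documentation and should be checked against sshd_config(5) on your build. The sample configuration is constructed for the example.

```python
"""Audit an sshd_config for the HPN NONE-cipher switch.

Added example (not from the mailing-list thread, OpenSSH or HPN-SSH).
Assumption: the HPN patch's sshd_config keyword is 'NoneEnabled' (yes/no,
default no). Parsing mirrors sshd_config(5): keywords are case-insensitive,
'#' starts a comment, the first value of a keyword is the one used, and
lines after 'Match' apply only when the Match criteria hold.
"""
import re

# Constructed sample: NONE is enabled, and a later "no" does not override it
# because sshd keeps the first value it sees.
WEAK_CONFIG = """\
# constructed sample sshd_config (not from the thread)
Port 22
Protocol 2
noneenabled yes          # HPN: allow NONE cipher for bulk data
NoneEnabled no           # ignored: sshd keeps the first value
Match User backup
    NoneEnabled no
"""


def keyword_of(raw: str) -> str:
    """Return the lower-cased keyword of a config line, or '' for blank/comment."""
    line = raw.split("#", 1)[0].strip()
    if not line:
        return ""
    return re.split(r"[\s=]+", line, maxsplit=1)[0].lower()


def parse_global_section(text: str) -> dict:
    """Keyword -> first value, for the unconditional (pre-Match) section only."""
    opts = {}
    for raw in text.splitlines():
        key = keyword_of(raw)
        if not key:
            continue
        if key == "match":
            break  # everything after this is conditional; not audited here
        parts = re.split(r"[\s=]+", raw.split("#", 1)[0].strip(), maxsplit=1)
        value = parts[1].strip() if len(parts) > 1 else ""
        opts.setdefault(key, value)  # first occurrence wins, as in sshd
    return opts


def none_cipher_enabled(text: str) -> bool:
    """True if the global section turns the NONE cipher on (default: off)."""
    return parse_global_section(text).get("noneenabled", "no").lower() == "yes"


def harden(text: str) -> str:
    """Return the config with a single 'NoneEnabled no' in the global section.

    Duplicate global NoneEnabled lines are dropped so there is exactly one,
    and it is placed before the first Match block so sshd reads it as global.
    Match blocks are left untouched.
    """
    out, seen, match_idx = [], False, None
    for raw in text.splitlines():
        key = keyword_of(raw)
        if key == "match" and match_idx is None:
            match_idx = len(out)
        if match_idx is None and key == "noneenabled":
            if not seen:
                out.append("NoneEnabled no")
                seen = True
            continue  # drop later global duplicates
        out.append(raw)
    if not seen:
        out.insert(match_idx if match_idx is not None else len(out), "NoneEnabled no")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("NONE enabled in sample:", none_cipher_enabled(WEAK_CONFIG))
    fixed = harden(WEAK_CONFIG)
    print("NONE enabled after hardening:", none_cipher_enabled(fixed))
    print(fixed)
```

On a real host, feed it the output of `sshd -T` rather than the file if you want the effective values after defaults and includes; the parser above only tells you what the file says, which is the question the thread is asking.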