Re: Disabling Encryption and just using Port Forwarding? Can that be done?
From: Dimitri Maziuk (dima_at_127.0.0.1)
Date: 05/15/04
- In reply to: zantar_at_verizon.net: "Re: Disabling Encryption and just using Port Forwarding? Can that be done?"
Date: Sat, 15 May 2004 00:54:44 +0000 (UTC)
zantar@verizon.net sez:
> Replying to myself here:
>
> Searched long and wide and talked to a few people. It's not a practical
> request. Why care about login security and then let the data go
> plaintext? I guess s/key or something might be something to consider.
>
> I can't find any way to turn off the encryption and I don't know why
> anyone (except this client) would ever want to.

Using key-based authentication is very handy for scripts -- you
don't have to muck around with expect or whatever and work around
tty resets.

Passwordless logins are handy on an intranet and if someone manages
to install a sniffer, passwords are safe. But there's little reason
to encrypt intranet traffic.

There's little reason to encrypt downloads from your public CVS
server and there are very good reasons to use SSH instead of CVS
pserver for authentication.

And so on. IOW, there are good reasons to turn off encryption.

Problem is, client and server negotiate the cipher, and it's
possible that they'll settle on null cipher and turn off data
encryption when they shouldn't. So if you want to use null
cipher you should enable it only for specific hosts and make
sure it's disabled by default. IOW, you have to know what
you're doing.

Main difference between unix and macwindows used to be that
unix users were supposed to know what they're doing. Nowadays
unix users are presumed to be morons just like the rest of us,
and they should be Saved From Themselves(tm). So it's best to
remove Dangerous Features(tm) lest they shoot themselves in
both feet.

The best part is that unix sysadmins, who possibly aren't
complete morons and could configure their servers properly,
cannot do so. Ciphers (at least in OpenSSH) are set on client
side only. There are no "Host ..." blocks in sshd_config, nor
"ciphers=" option in authorized_keys.

HTH, HAND
Dima
--
Politics and religion are just like software and hardware. They all suck, the
documentation is provably incorrect, and all the vendors tell lies.
-- Andrew Dalgleish
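
An added example, not part of the original post: a small Python check for the advice above to allow the null cipher only for specific hosts and keep it off by default. It assumes a client build that accepts `none` (the SSH protocol's name for no encryption) in its `Ciphers` list; the sample config, host names and function name are constructed for illustration.

```python
import re

# Constructed sample ssh_config; host names are placeholders.
SAMPLE_CONFIG = """\
Host cvs.example.internal
    Ciphers none,aes128-ctr

Host *.lab.example.internal
    Ciphers=none

Host *
    Ciphers aes128-ctr,aes256-ctr
"""

def null_cipher_findings(config_text):
    """Return (line_no, host_patterns, severity) for each Ciphers line that offers 'none'.

    severity is "scoped" when every pattern names one host, "broad" when the
    directive is global, under a Match block, or under a wildcard pattern.
    """
    findings = []
    patterns = ["*"]  # directives before the first Host line apply to all hosts
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config accepts both "Keyword value" and "Keyword=value"
        m = re.match(r"(\w+)(?:\s*=\s*|\s+)(.*)$", line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == "host":
            patterns = value.split()
        elif keyword == "match":
            patterns = ["*"]  # Match conditions are not evaluated; assume all hosts
        elif keyword == "ciphers" and not value.startswith("-"):
            # a leading "-" removes ciphers from the default set, so skip it
            names = [c.strip() for c in value.lstrip("+^").split(",")]
            if "none" in names:
                broad = any(set("*?") & set(p)
                            for p in patterns if not p.startswith("!"))
                findings.append((line_no, list(patterns),
                                 "broad" if broad else "scoped"))
    return findings

if __name__ == "__main__":
    for line_no, hosts, severity in null_cipher_findings(SAMPLE_CONFIG):
        print(f"line {line_no}: null cipher offered for {hosts} ({severity})")
```

A "broad" finding is the case the post warns about: the client can end up negotiating no encryption with hosts where that was never intended.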