SSH Null Cipher? Yes, please!

ixs' Vodkamelone

Du weisst, dass Blogs doch irgendwie zu Dir durchdringen, wenn Du beim Blick auf dein Mobiltelefon glaubst Dein Provider hieße "Vodkamelone".
     -- Nilsk Ketelsen im IRC

Suche

Wo ist ixs?


Aktuelle Einträge

How to recover an ASUS WL-330N3G mobile access point
Donnerstag, Februar 23 2012

A little shell spinner
Dienstag, September 13 2011

FrOSCon
Sonntag, August 28 2011

Fedora 15, not as bad as people claim...
Mittwoch, März 9 2011

Monitoring a Snom phone with MRTG through SNMP
Freitag, Januar 28 2011

Link List

CCC
Fedora/RHEL
Mein privater Linkdump
People
Planets

Archive

Mai 2012
April 2012
März 2012
Das Neueste ...
Älteres ...

Letzte Google Suche

eeupdate.exe intel
vodkamelone
Busybox Rittal master
centos 5 memory requirements
intel e1000 firmware fix
wodka wassermelone real
h1 wodka boot
virtualbox usb add
ixs droge
rb532 openwrt kernel
telefoncode siemens m65
fedora diskboot.img
eeupdate.exe intel
telefoncode
mikrotik routerboard dd
routerboard linux
rittal cmc
openwrt rb433
dd-wrt+e1000+voip
tasca vodka melone
openwrt rb750 reset configuration
ixs
Telefoncode von Siemens handy
blöd dir deine meinung
Minimum Red Hat Package
mrtg asiemens
Telefon Code
mrtg thro
raid recovery
s65 Telefon-Code
install openwrt 433
e1000 intel
rb532a ddwrt
telefoncode siemens m65
siemens s65 telefon code gesperrt
openwrt fedora 15
what is a moderate automatic preference
openwrt scp no space
raid recovery
c65 adressbuch löschen
telefon code siemens sk65
redhat minimum packages
telefoncode
VoVPN-Gateway passwort
virtualbox fedora 14
openwrt format nand routerboard
kickstart disable ipv6
1
remove dbus rhel
c75 telefoncode zurücksetzen

Blog abonnieren

Kategorien



Alle Kategorien

Last played...


Song: Wavesamples & Soul (7-16-2009)
Artist: Jon Zdanis
21. November 2011, 01:25

Song: Cafe Del Mar
Artist: Nacho Sotomayor
1. November 2011, 20:34

Song: Music For A Found Harmonium
Artist: Penguin Cafe Orchestra
1. November 2011, 20:31

Song: Easter Song
Artist: A Man Called Adam
1. November 2011, 20:23

Song: Second Hand
Artist: Underworld
1. November 2011, 20:14

20. Mai 2012, 20:25

Hosting von

bawue-net

Impressum
< Fun with vmware-server | Nicht nur die T-Com hasst mich... >

Sonntag, 11. März 2007

SSH Null Cipher? Yes, please!

Warren wondered whether it would make any sense including a version of scp or ssh which do not encrypt their traffic on the network.

As far as I can see, such a tool would indeed be useful for many tasks. "brokensh" might not be that useful, but "brokencp" is certainly useful.
Consider the roadwarrior with his notebook who is transferring some data from the server to his notebook. He is already encrypting the data-traffic by using openvpn or ipsec. The network between his tunnel-terminator and the server can be considered secure. He would save CPU-time by not having to encrypt the traffic twice.
Or the system-administrator who has to copy a whole tree of files, including permissions from one machine to another. He could just call tar c /dir | ssh root@server tar xv to achieve this. If the machines are directly connected the transfer is probably faster, as the data does not need to be encrypted. Generally, I do help myself in this case by using netcat, but still.

I for one do like the idea of selectivly disabling encryption for scp as long as the authentication against the remote system is secure, that is no cleartext password crosses the wire. I do not care if the attacker sniffing my line is able to reconstruct the latest Fedora ISO image which I'm copying, I do care that he is not able to sniff my password.

Geschrieben von andreas in Fedora um 19:55 | Kommentar (1) | Trackbacks (0)
Als PDF ansehen: Dieser Artikel | Dieser Monat | Vollständiges Blog

Trackbacks
Trackback für spezifische URI dieses Eintrags

Keine Trackbacks

Kommentare
Ansicht der Kommentare: (Linear | Verschachtelt)

Personally, I would never trust a tunnel to a "secure network", because I don't belive in such beasts. Proper usage of end-to-end security systems like SSH, Kerberos and SSL ensures that data is encrypted and also authenticated all the way from the source to the destination.

Sure, some would agree that an VPN or IPSEC is good enough, but I think it's not really worth it to give people that option. A better soulution is to integrate the end-to-end security protocol with the tunneling protocol.

That is, you start by letting SSH or whatever do its job and secure the connection. Then, if it detects that there's a connection between host A and B and both hosts are doing both IPSEC and SSH, then the SSH context can be used to do an extra verification of the IPSEC keys and then SSH can stop encrypting.

Of course, that doesn't work when the tunnel endpoint isn't at your SSH server, but as I said, I don't trust "secure networks" anyway. ;)
#1 Alexander Boström am 12.03.2007 10:07 (Antwort)

Kommentar schreiben

Sie können [geshi lang=LANG][/lang] Tags verwenden um Quellcode abhängig von der gewählten Programmiersprache einzubinden
Umschließende Sterne heben ein Wort hervor (*wort*), per _wort_ kann ein Wort unterstrichen werden.
Die angegebene E-Mail-Adresse wird nicht dargestellt, sondern nur für eventuelle Benachrichtigungen verwendet.

Um maschinelle und automatische Übertragung von Spamkommentaren zu verhindern, bitte die Zeichenfolge im dargestellten Bild in der Eingabemaske eintragen. Nur wenn die Zeichenfolge richtig eingegeben wurde, kann der Kommentar angenommen werden. Bitte beachten Sie, dass Ihr Browser Cookies unterstützen muss um dieses Verfahren anzuwenden.
CAPTCHA
 
 

Als PDF ansehen: Dieser Artikel | Dieser Monat | Vollständiges Blog