SSH Null Cipher? Yes, please!

Du weisst, dass Blogs doch irgendwie zu Dir durchdringen, wenn Du beim Blick auf dein Mobiltelefon glaubst Dein Provider hieße "Vodkamelone".
-- Nilsk Ketelsen im IRC

Suche

Aktuelle Einträge

Better UX on the Nagios web interface using the corewindow parameter

Sonntag, Februar 25 2024

Avocent PM webinterface issues

Samstag, September 7 2019

The missing man page: cyc_ipmicmd - Avocent IPMI power control

Donnerstag, April 30 2015

Better debugging of dracut and systemd inside the initramfs

Freitag, Januar 24 2014

dss_cli, an Open-E Data Storage Server command line interpreter

Donnerstag, Mai 16 2013

Link List

CCC

enno
fh
hohjg
nibbler
Rince

Fedora/RHEL

Seth Vidal

Mein privater Linkdump

GPL-Violations Blog
RJ45 Crossover
RJ45 Straight-Through

People

dth
dyfa
El Schwenne
flawed
hds
HE
isotopp
Mara
Olaf
Qky
shrek[]
thh
ToJe
treibholz
Zaph for President
Zugschlus

Planets

Datenhaufen
Fedora People
Planet Isotopp

Blog abonnieren

RSS 1.0 feed

RSS 2.0 feed

ATOM 0.3 feed

ATOM 1.0 feed

RSS 2.0 Kommentare

Last played...

i_x_s

Song: Numbers (DJ-Kicks) (Extended Vocal Mix)
Artist: Booka Shade

7. Februar 2015, 02:32

Song: Numbers (DJ-Kicks) (Club Mix)
Artist: Booka Shade

7. Februar 2015, 02:24

Song: Estoril
Artist: Booka Shade

7. Februar 2015, 02:17

Song: Numbers (DJ-Kicks) (Extended Vocal Mix)
Artist: Booka Shade

7. Februar 2015, 02:12

Song: Numbers (DJ-Kicks) (Extended Vocal Mix)
Artist: Booka Shade

12. Januar 2015, 00:43

18. August 2015, 15:15

Hosting von

Impressum

< Fun with vmware-server | Nicht nur die T-Com hasst mich... >

Sonntag, 11. März 2007

SSH Null Cipher? Yes, please!

Warren wondered whether it would make any sense including a version of scp or ssh which do not encrypt their traffic on the network.

As far as I can see, such a tool would indeed be useful for many tasks. "brokensh" might not be that useful, but "brokencp" is certainly useful.
Consider the roadwarrior with his notebook who is transferring some data from the server to his notebook. He is already encrypting the data-traffic by using openvpn or ipsec. The network between his tunnel-terminator and the server can be considered secure. He would save CPU-time by not having to encrypt the traffic twice.
Or the system-administrator who has to copy a whole tree of files, including permissions from one machine to another. He could just call tar c /dir | ssh root@server tar xv to achieve this. If the machines are directly connected the transfer is probably faster, as the data does not need to be encrypted. Generally, I do help myself in this case by using netcat, but still.

I for one do like the idea of selectivly disabling encryption for scp as long as the authentication against the remote system is secure, that is no cleartext password crosses the wire. I do not care if the attacker sniffing my line is able to reconstruct the latest Fedora ISO image which I'm copying, I do care that he is not able to sniff my password.

Geschrieben von andreas in Fedora um 19:55 | Kommentar (1) | Trackbacks (0)
Als PDF ansehen: Dieser Artikel | Dieser Monat | Vollständiges Blog

Trackbacks

Trackback für spezifische URI dieses Eintrags

Keine Trackbacks

Kommentare

Ansicht der Kommentare: (Linear | Verschachtelt)

Personally, I would never trust a tunnel to a "secure network", because I don't belive in such beasts. Proper usage of end-to-end security systems like SSH, Kerberos and SSL ensures that data is encrypted and also authenticated all the way from the source to the destination.

Sure, some would agree that an VPN or IPSEC is good enough, but I think it's not really worth it to give people that option. A better soulution is to integrate the end-to-end security protocol with the tunneling protocol.

That is, you start by letting SSH or whatever do its job and secure the connection. Then, if it detects that there's a connection between host A and B and both hosts are doing both IPSEC and SSH, then the SSH context can be used to do an extra verification of the IPSEC keys and then SSH can stop encrypting.

Of course, that doesn't work when the tunnel endpoint isn't at your SSH server, but as I said, I don't trust "secure networks" anyway. ;)

#1 Alexander Boström am 12.03.2007 10:07 (Antwort)

Kommentar schreiben

Name
E-Mail
Homepage
Antwort zu
Kommentar	Sie können [geshi lang=LANG][/lang] Tags verwenden um Quellcode abhängig von der gewählten Programmiersprache einzubinden Umschließende Sterne heben ein Wort hervor (wort), per _wort_ kann ein Wort unterstrichen werden. Die angegebene E-Mail-Adresse wird nicht dargestellt, sondern nur für eventuelle Benachrichtigungen verwendet. Um maschinelle und automatische Übertragung von Spamkommentaren zu verhindern, bitte die Zeichenfolge im dargestellten Bild in der Eingabemaske eintragen. Nur wenn die Zeichenfolge richtig eingegeben wurde, kann der Kommentar angenommen werden. Bitte beachten Sie, dass Ihr Browser Cookies unterstützen muss um dieses Verfahren anzuwenden. Hier die Zeichenfolge der Spamschutz-Grafik eintragen:
	Daten merken?

Als PDF ansehen: Dieser Artikel | Dieser Monat | Vollständiges Blog

SSH Null Cipher? Yes, please!

ixs' Vodkamelone

Suche

Aktuelle Einträge

Link List

Archive

Letzte Google Suche

Blog abonnieren

Kategorien

Last played...

Hosting von

Sonntag, 11. März 2007

SSH Null Cipher? Yes, please!