SSH Null Cipher? Yes, please!

ixs' Vodkamelone

Du weisst, dass Blogs doch irgendwie zu Dir durchdringen, wenn Du beim Blick auf dein Mobiltelefon glaubst Dein Provider hieße "Vodkamelone".
     -- Nilsk Ketelsen im IRC

Suche


Aktuelle Einträge

Avocent PM webinterface issues
Samstag, September 7 2019

The missing man page: cyc_ipmicmd - Avocent IPMI power control
Donnerstag, April 30 2015

Better debugging of dracut and systemd inside the initramfs
Freitag, Januar 24 2014

dss_cli, an Open-E Data Storage Server command line interpreter
Donnerstag, Mai 16 2013

Automatischer Login für Deutsche Telekom Hotspots
Sonntag, Juni 10 2012

Link List

CCC
Fedora/RHEL
Mein privater Linkdump
People
Planets

Archive

Juni 2020
Mai 2020
April 2020
Das Neueste ...
Älteres ...

Letzte Google Suche

??????? ????????? ??? 74
blog.vodkamelone.de
shrek rapidshare.com
shrek rapidshare.com
siemens s65 telefoncode entsperren
how to open pendrive in virtual box fedora
Für immer Shrek rapidshare.com
harddisk image linux kpartx
siemens handy telefoncode entsperren
siemens handy zu 65 entsperren kostenlos
lounge
7526 snom mib
how to install openwrt on arc os
lounge
elmeg ICT VoIP-VPN Gateway passwort
telefon-code siemens
ethtool eeprom
asus 330 hotspot
rittal
how mount centos img file kpartx
virtualbox user group fedora
mikrotik routerboard 433 software
how to access asus 330n3g when it is in ap mode
zontag mag boot usb
HP Display Beleuchtung
how does a lounge look like
dd-wrt mmc formatieren
RB 433 openwrt
openwrt vlan e1000
dhcpd3 rb-433
update intel nic firmware memory stick
telefoncode entsperren siemens
kpartx loop
test https://hotspot.t-mobile.net/wlan/welcome.do
"download firmware openwrt e1000"
telefoncode berechnen siemens
RB433 openwrt add vlan card
elmeg voip-vpn gateway ports
virtualbox Ued fedora
reset intel NIC
nic eeprom
wie bekomme ich den gerätecode siemens
siemens telefoncode eingeben
ip reset mikrotik rb433 l
routerboard 433ah mikrotik
ethtool intel magic
mikrotik 433ah dd wrt
WL-330N3G_1.0.2.0.trx openwrt

Blog abonnieren

Kategorien



Alle Kategorien

Last played...


Song: Numbers (DJ-Kicks) (Extended Vocal Mix)
Artist: Booka Shade
7. Februar 2015, 02:32

Song: Numbers (DJ-Kicks) (Club Mix)
Artist: Booka Shade
7. Februar 2015, 02:24

Song: Estoril
Artist: Booka Shade
7. Februar 2015, 02:17

Song: Numbers (DJ-Kicks) (Extended Vocal Mix)
Artist: Booka Shade
7. Februar 2015, 02:12

Song: Numbers (DJ-Kicks) (Extended Vocal Mix)
Artist: Booka Shade
12. Januar 2015, 00:43

18. August 2015, 15:15

Hosting von

bawue-net

Impressum
< Fun with vmware-server | Nicht nur die T-Com hasst mich... >

Sonntag, 11. März 2007

SSH Null Cipher? Yes, please!

Warren wondered whether it would make any sense including a version of scp or ssh which do not encrypt their traffic on the network.

As far as I can see, such a tool would indeed be useful for many tasks. "brokensh" might not be that useful, but "brokencp" is certainly useful.
Consider the roadwarrior with his notebook who is transferring some data from the server to his notebook. He is already encrypting the data-traffic by using openvpn or ipsec. The network between his tunnel-terminator and the server can be considered secure. He would save CPU-time by not having to encrypt the traffic twice.
Or the system-administrator who has to copy a whole tree of files, including permissions from one machine to another. He could just call tar c /dir | ssh root@server tar xv to achieve this. If the machines are directly connected the transfer is probably faster, as the data does not need to be encrypted. Generally, I do help myself in this case by using netcat, but still.

I for one do like the idea of selectivly disabling encryption for scp as long as the authentication against the remote system is secure, that is no cleartext password crosses the wire. I do not care if the attacker sniffing my line is able to reconstruct the latest Fedora ISO image which I'm copying, I do care that he is not able to sniff my password.

Geschrieben von andreas in Fedora um 19:55 | Kommentar (1) | Trackbacks (0)
Als PDF ansehen: Dieser Artikel | Dieser Monat | Vollständiges Blog

Trackbacks
Trackback für spezifische URI dieses Eintrags

Keine Trackbacks

Kommentare
Ansicht der Kommentare: (Linear | Verschachtelt)

Personally, I would never trust a tunnel to a "secure network", because I don't belive in such beasts. Proper usage of end-to-end security systems like SSH, Kerberos and SSL ensures that data is encrypted and also authenticated all the way from the source to the destination.

Sure, some would agree that an VPN or IPSEC is good enough, but I think it's not really worth it to give people that option. A better soulution is to integrate the end-to-end security protocol with the tunneling protocol.

That is, you start by letting SSH or whatever do its job and secure the connection. Then, if it detects that there's a connection between host A and B and both hosts are doing both IPSEC and SSH, then the SSH context can be used to do an extra verification of the IPSEC keys and then SSH can stop encrypting.

Of course, that doesn't work when the tunnel endpoint isn't at your SSH server, but as I said, I don't trust "secure networks" anyway. ;)
#1 Alexander Boström am 12.03.2007 10:07 (Antwort)

Kommentar schreiben

Sie können [geshi lang=LANG][/lang] Tags verwenden um Quellcode abhängig von der gewählten Programmiersprache einzubinden
Umschließende Sterne heben ein Wort hervor (*wort*), per _wort_ kann ein Wort unterstrichen werden.
Die angegebene E-Mail-Adresse wird nicht dargestellt, sondern nur für eventuelle Benachrichtigungen verwendet.

Um maschinelle und automatische Übertragung von Spamkommentaren zu verhindern, bitte die Zeichenfolge im dargestellten Bild in der Eingabemaske eintragen. Nur wenn die Zeichenfolge richtig eingegeben wurde, kann der Kommentar angenommen werden. Bitte beachten Sie, dass Ihr Browser Cookies unterstützen muss um dieses Verfahren anzuwenden.
CAPTCHA
 
 

Als PDF ansehen: Dieser Artikel | Dieser Monat | Vollständiges Blog