Subject: Re: FreSSH
To: NetBSD-current Discussion List <current-users@netbsd.org>
From: Charles Shannon Hendrix <shannon@widomaker.com>
List: current-users
Date: 03/10/2002 13:28:20
On Sat, Mar 09, 2002 at 09:49:02PM -0500, Sean Finney wrote:

> > Use encryption for the data in those cases you cite.
> 
> an idea--
> 
> if *not* having encryption is such a big deal, why not just add a new
> cypher protocol 'cleartext', which still provides mac authentication and
> password encryption, without wasting the unwanted cycles on encryption?
> Then again, I'm running my box on a P90 w/12MB RAM, and it doesn't seem
> to get in the way of life too much to have it all encrypted. But anyway
> I imagine that it wouldn't be too difficult--just take some other cypher
> and take out the code that encrypts stuff.  Then again, I'm more or less
> speaking ex rectum, as it were...

Well, that's the point of discussion after all...

> > In cases like that, you only need your login information encrypted,
> > the rest simply doesn't matter.
> 
> yeah, but if it were to be used for ssh logins as opposed to file
> transfers, I could see the average user forgetting which terminals were
> 'real' ssh and which ones were cleartext when ssh'ing to another machine.

Yes, but since you wouldn't default to non-encrypted connections, it's
unlikely they would be using it anyway.  

There are a number of ways to screw yourself using ssh and thinking you
are secure, so I don't see this as a big problem.

The sourceforge crack done a few months ago was done despite the
encryption, so it's no guarantee anyway.  If you really want to be secure,
you never hop, you always start from a secured location.

-- 
UNIX/Perl/C/Pizza__________________________________shannon@widomaker.com