Subject: Re: FreSSH
To: NetBSD-current Discussion List <current-users@NetBSD.ORG>
From: Bill Studenmund <wrstuden@netbsd.org>
List: current-users
Date: 03/11/2002 13:10:22

On Sat, 9 Mar 2002, Greg A. Woods wrote:

> [ On Saturday, March 9, 2002 at 11:31:41 (-0500), Charles Shannon Hendrix wrote: ]
> > Subject: Re: FreSSH
> >
> > On Fri, Mar 08, 2002 at 02:46:18AM -0500, Michael G. Schabert wrote:
> > >
> > > Hehe, turn off encryption??
> > >
> > > "alias ssh telnet"
> >
> > No... encryption of packets, not the password handshake to establish
> > the connection.
>
> But that's the whole point.  You may as well put your password in the
> clear on the wire if you don't use strong crypto for the entire
> connection.  If someone can see your password as it flies by then they
> can almost certainly hijack your connection.  If they can actually get
> right in the middle of your connection then they can proxy your
> connection, doing things as you, and only showing you what you think you
> should see.  You can't have it half-way and expect it still to be
> secure because it won't be.

Well, you can have strong crypto (using the definition you used later in
the thread) without encrypting the data connection. Consider two hosts
that use IPSec w/ ESP in transport mode. It's kinda silly to have ssh
encrypt data and then have ESP encrypt it also.

Note also I'm not saying everyone should do that, or that ssh's encryption
should be removed. Just that there can be some safe & sane uses of
cleartext.

Take care,

Bill