Roy S. Rapoport writes:
> I've got a user who would like me to enable encryption type none so
> they can do faster file copies via scp.

Do not enable none in the ssh 1.* servers or clients. It will open the
server to some attacks even if nobody is using it. If I remember
correctly, in the ssh 1.* protocol the list of offered ciphers is not
authenticated, so the attacker can remove all other ciphers from the
list and force you down to none encryption if it is allowed by the
client.

I think there were also some other attacks against the none cipher, but
I cannot remember them now (none has been disabled for more than 2.5
years now because of those problems...)

Cut & paste from the README.CIPHERS file:
----------------------------------------------------------------------
NONE
====
No encryption at all. This cipher is intended only for testing, and
should not be enabled for normal use. Using no encryption makes SSH
vulnerable to network-level attacks (such as connection hijacking).
There are also more subtle ways to exploit using no encryption, and
servers should not allow such connections at all except when testing
the protocol.
...
--
[EMAIL PROTECTED] Work : +358-9-4354 3218
SSH Communications Security http://www.ssh.fi/
SSH IPSEC Toolkit http://www.ssh.fi/ipsec/
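
The downgrade described in the message above, as a simplified model of cipher selection over an unauthenticated offer list (an added example, not part of the original message and not SSH source code). The cipher numbers are assumed from the SSH 1.x protocol description; the function names and the client preference order are hypothetical.

```python
# Simplified model of SSH 1.x cipher selection. Added illustration only:
# cipher numbers are assumed from the SSH 1.x protocol description, and
# every function name and the preference order are hypothetical.
NONE, IDEA, DES, TDES, RC4, BLOWFISH = 0, 1, 2, 3, 5, 6
NAMES = {NONE: "none", IDEA: "idea", DES: "des",
         TDES: "3des", RC4: "rc4", BLOWFISH: "blowfish"}
PREFERENCE = [TDES, BLOWFISH, IDEA, RC4, DES, NONE]  # assumed client order


def mask(ciphers):
    """Encode a set of cipher numbers as the bitmask the server offers."""
    m = 0
    for c in ciphers:
        m |= 1 << c
    return m


def choose_cipher(offered_mask, client_allowed):
    """Client side: first preferred cipher that is offered AND locally allowed."""
    for c in PREFERENCE:
        if c in client_allowed and offered_mask & (1 << c):
            return c
    return None  # fail closed: no acceptable cipher, abort the connection


def negotiate(server_enabled, client_allowed, list_tampered=False):
    """Return the cipher name both sides end up with, or 'aborted'."""
    offered = mask(server_enabled)
    if list_tampered:
        # The offer list is not authenticated, so the client cannot tell
        # that every entry except 'none' was removed in transit.
        offered = mask({NONE})
    chosen = choose_cipher(offered, client_allowed)
    if chosen is None or chosen not in server_enabled:
        return "aborted"  # client or server refuses the cipher
    return NAMES[chosen]


if __name__ == "__main__":
    strong = {TDES, BLOWFISH}
    weak = strong | {NONE}
    for srv, cli in [(weak, weak), (weak, strong), (strong, weak)]:
        print("server none:", NONE in srv, "| client none:", NONE in cli,
              "| untampered:", negotiate(srv, cli),
              "| tampered:", negotiate(srv, cli, list_tampered=True))
```

With none disabled on either side, a tampered offer ends in an aborted connection instead of an unencrypted session.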