
Re: Suggested way to ssh into obsolete devices (with old ssh crypto)?

On Tue, Jul 06, 2021 at 11:06:22PM -0400, Stefan Monnier wrote:
> > I'm aware of that. My critique was specific to the "we take it out
> > because it's dangerous to the user" part.
> That's often an explanation but not the main motivation.

That would be even worse :)

The reason I'm "in" free software comes from the realisation that the
programmer has often "too much" power over their users. Imposing policy
decisions on the users ("this way of rendering fonts looks ugly", "that
sort of key management is insecure") is unavoidable: we do take many
of those decisions at a subconscious level. But I think as programmers
we have the responsibility to avoid that as best we can.

> For the `none` cipher, I think it was, tho.
> IIRC the problem was that using the `none` cipher causes the
> authentication to be exposed in a way that is worse than using Telnet:
> with Telnet you only expose the data you send to the wire, whereas with
> SSH's `none` cipher you ended up exposing the data plus your
> (valued) credentials.

AFAIK Telnet also sends the login sequence in the clear over the
network (to be more precise: my dusty memory says that Telnet isn't
even in the auth business -- it connects you to something which
does the authentication, all in the clear). Unless you are talking
about RFC2491 and friends -- I doubt they have seen widespread
use, SSH having taken over in the 2000s anyway.

> > I'm torn on this one... Sometimes I've the impression that this leads to
> > asocial software [...]

> Indeed, it has its downsides.

Interesting times :)

 - t
