Bug 111641

Summary: cipher none request
Product: Fedora
Reporter: Maciej Żenczykowski <zenczykowski>
Component: openssh
Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: 1
CC: mitr
Keywords: FutureFeature
Hardware: All
OS: Linux
URL: http://membled.com/work/patches/openssh/
Doc Type: Enhancement
Last Closed: 2004-08-25 18:11:53 UTC

Description Maciej Żenczykowski 2003-12-07 14:59:39 UTC
Version-Release number of selected component
(although not really applicable):
openssh-3.6.1p2-19

Description of problem:
It would be useful to support cipher 'none'. This is useful for local
secure network X forwarding (not all computers are fast enough to
support real time X with ciphers enabled) and for scp of non-vital
files.  I.e. authentication could be ciphered, but the actual data
could be sent in the clear.

This is probably just a matter of applying something like the
following patch.  The cipher still needs to be selected on the
command line - but that's just fine.

diff -ru openssh-3.0.2p1/cipher.c openssh-3.0.2p1-new/cipher.c
--- openssh-3.0.2p1/cipher.c	Fri Sep 14 03:47:34 2001
+++ openssh-3.0.2p1-new/cipher.c	Wed Feb 13 15:15:04 2002
@@ -419,6 +419,7 @@
 	u_int mask = 0;
 	mask |= 1 << SSH_CIPHER_3DES;           /* Mandatory */
 	mask |= 1 << SSH_CIPHER_BLOWFISH;
+	mask |= 1 << SSH_CIPHER_NONE;
 	if (client) {
 		mask |= 1 << SSH_CIPHER_DES;
 	}
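Review bot: the new `mask |= 1 << SSH_CIPHER_NONE;` line is placed before the `if (client)` block, so the protocol 1 cipher mask advertises 'none' as supported on both the client and the server side, and nothing in the hunk gates it behind a configuration option. The description says the cipher "still needs to be selected on the commandline", which is true for the client's `-c` choice but does not restrict what the server side now treats as supported. Suggest moving the line inside `if (client)` or behind an explicit option that defaults to off, so that a server is never changed to accept an unencrypted session by default.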
@@ -459,7 +460,9 @@
 	for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0';
 	     (p = strsep(&cp, CIPHER_SEP))) {
 		c = cipher_by_name(p);
-		if (c == NULL || c->number != SSH_CIPHER_SSH2) {
+		/* SSH_CIPHER_NONE can be used by both protocol 1 and 2 */
+		if (c == NULL || (c->number != SSH_CIPHER_SSH2
+				  && c->number != SSH_CIPHER_NONE)) {
 			debug("bad cipher %s [%s]", p, names);
 			xfree(ciphers);
 			return 0;
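Review bot: the relaxed condition `c->number != SSH_CIPHER_SSH2 && c->number != SSH_CIPHER_NONE` makes the cipher-list validation loop accept a `none` entry for protocol 2 wherever this function is called, and the hunk contains nothing that limits this to the client; the same loop that validates a client's `-c` list will also pass `none` in a server-side Ciphers list. The added comment states that SSH_CIPHER_NONE "can be used by both protocol 1 and 2" but does not say why the protocol-2 restriction is safe to lift; the rationale, and any intended client-only limitation, should be spelled out in the comment. Note also that the diff headers reference openssh-3.0.2p1 while the report is filed against openssh-3.6.1p2-19, so the patch needs rebasing before it can be reviewed against the shipped version.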

Comment 1 Damien Miller 2004-08-25 01:01:26 UTC
I recommend against this. See discussion on openssh-unix-dev@ mailing
list for details.

If your computer is fast enough to run X apps, then it is fast enough
to run a lightweight cipher, such as arcfour.

Comment 2 Maciej Żenczykowski 2004-08-25 18:11:53 UTC
Didn't know about the arcfour cipher, maybe it should be mentioned
somewhere (like in the man page next to -c)?  How is arcfour
comparable in speed to 'none'?