Re: sshd1 allows unencrypted sessions regardless of server policy

[markus.friedl () INFORMATIK UNI-ERLANGEN DE (Markus Friedl)]

On Tue, Dec 14, 1999 at 02:35:05PM -0500, Michael H. Warfield wrote:
> On Tue, Dec 14, 1999 at 04:43:32PM +0100, Markus Friedl wrote:
> > Because passphrase-less hostkeys are 'encrypted' with cipher "none"
> > the code for this cipher is always compiled into the programs.  This
> > way the client is free to choose "none" and no server will complain.
>
>       AFAIK...  The passpharse-less host keys are encrypted with 3-DES
> and no password. [...]

Please look at the source.
E.g. ssh-1.2.12/authfile.c reads:

        int save_private_key(
          [...]
          if (strcmp(passphrase, "") == 0)
            cipher_type = SSH_CIPHER_NONE;

Older versions may have used a real cipher with key "".

Note also that SSH_CIPHER_NONE is also used for 'encryption' before
client and server have exchanged the session-key.

Many of you disagree with me and are saying that this cipher-none
issue is a non-issue.

But once more I like to point out that this a security problem in
a wider sense as it affects your security _policy_.  If you decide
to remove telnet/rlogin and configure ssh with '--without-none' you
still have not disabled cleartext logins.  This is not about
bufferoverflows or exploits, this is about your security _policy_,
so it is still a security issue.

Moreover, if a third party manages to replace the (unauthenticated)
server messages "I will accept only ciphers IDEA and 3DES" with "I
will accept only cipher NONE" you don't even need a malicious client.