Re: Future of kerberised telnet, login, rsh, ftp?

Ken Hornstein wrote:
>> It is another thing I prefer about ssh, security happens at the lowest
>> possible layer, so there is no chance an attacker can inject unwanted
>> data into the data stream.
> Ah, that's one thing I remember now; it wasn't possible to turn encryption
> _off_ in ssh.  We force people to use encryption for interactive sessions,
> but don't require it for bulk data transfer.  It's easy to segment this
> out with different utilities (rcp versus rsh required writing some extra
> code, but it wasn't hard).  Encryption sucks when you're rcp'ing around
> a few terabytes (and yes, we have people that do that all of the time).

Good point, I run into this pretty often. (My brother complains about it 
all the time, working with many terabytes of science/image data.) But 
the fix is easy, just add a "null" cipher spec and select it with "ssh 
-c". Probably smarter in some cases is to add a checksum-only cipher so 
that you can still protect against hijacking.

   -- Howard Chu
   Chief Architect, Symas Corp.       Director, Highland Sun
   http://www.symas.com               http://highlandsun.com/hyc
   Symas: Premier OpenSource Development and Support
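
The integrity-only mode suggested in the message above, as an added example that is not part of the original post and is not SSH's packet format: each record carries its payload in the clear plus an HMAC-SHA256 tag over a sequence number, length and payload, so modified, injected or replayed records are rejected. It uses a keyed MAC rather than a plain checksum, since an unkeyed checksum can be recomputed by whoever alters the data; the class name, record layout and key are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output size in bytes


class IntegrityOnlyChannel:
    """One direction of a MAC-only stream (hypothetical layout):
    4-byte length | cleartext payload | HMAC(key, seq || length || payload)."""

    def __init__(self, key: bytes):
        self.key = key
        self.send_seq = 0
        self.recv_seq = 0

    def _tag(self, seq: int, payload: bytes) -> bytes:
        header = struct.pack(">QI", seq, len(payload))
        return hmac.new(self.key, header + payload, hashlib.sha256).digest()

    def seal(self, payload: bytes) -> bytes:
        record = struct.pack(">I", len(payload)) + payload + self._tag(self.send_seq, payload)
        self.send_seq += 1
        return record

    def open(self, record: bytes) -> bytes:
        if len(record) < 4 + TAG_LEN:
            raise ValueError("short record")
        (length,) = struct.unpack(">I", record[:4])
        if len(record) != 4 + length + TAG_LEN:
            raise ValueError("length mismatch")
        payload, tag = record[4:4 + length], record[4 + length:]
        # The implicit sequence number makes a replayed or reordered record fail too.
        if not hmac.compare_digest(tag, self._tag(self.recv_seq, payload)):
            raise ValueError("bad MAC")
        self.recv_seq += 1
        return payload


def demo() -> dict:
    key = bytes(range(32))  # constructed key; a real session would derive it in key exchange
    tx, rx = IntegrityOnlyChannel(key), IntegrityOnlyChannel(key)
    r1, r2 = tx.seal(b"chunk-0 of bulk data"), tx.seal(b"chunk-1 of bulk data")
    out = {"cleartext_on_wire": b"chunk-0" in r1, "first": rx.open(r1)}
    forged = struct.pack(">I", 4) + b"junk" + bytes(TAG_LEN)  # constructed, no valid tag
    for name, rec in [("replay", r1), ("tampered", r2[:10] + b"X" + r2[11:]), ("forged", forged)]:
        try:
            rx.open(rec)
            out[name] = "accepted"
        except ValueError:
            out[name] = "rejected"
    out["second"] = rx.open(r2)  # the genuine next record still verifies afterwards
    return out
```

The per-record cost here is one hash pass over the data with no cipher pass, and anyone on the path can still read the contents.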