Disabling Encryption and just using Port Forwarding? Can that be done?

We have a customer who wishes to disable the SSH Encryption in some
instances but just allow the port forwarding functionality in SSH
running on a SUN Server.

Can this be done? And can you point me to a doc or the right direction
for this?


Re: Disabling Encryption and just using Port Forwarding? Can that be done?

Replying to myself here:

Searched long and wide and talked to a few people. It's not a practical
request. Why care about login security and then let the data go
plaintext? I guess s/key or something might be something to consider.

I can't find any way to turn off the encryption and I don't know why
anyone (except this client) would ever want to.

Re: Disabling Encryption and just using Port Forwarding? Can that be done?

zantar@verizon.net sez:

Using key-based authentication is very handy for scripts -- you
don't have to muck around with expect or whatever and work around
tty resets.

Passwordless logins are handy on an intranet and if someone manages
to install a sniffer, passwords are safe. But there's little reason
to encrypt intranet traffic.

There's little reason to encrypt downloads from your public CVS
server and there are very good reasons to use SSH instead of CVS
pserver for authentication.

And so on. IOW, there are good reasons to turn off encryption.

Problem is, client and server negotiate the cipher, and it's
possible that they'll settle on null cipher and turn off data
encryption when they shouldn't. So if you want to use null
cipher you should enable it only for specific hosts and make
sure that it's disabled by default. IOW, you have to know what
you're doing.

Main difference between unix and macwindows used to be that
unix users were supposed to know what they're doing. Nowadays
unix users are presumed to be morons just like the rest of us,
and they should be Saved From Themselves(tm). So it's best to
remove Dangerous Features(tm) lest they shoot themselves in
both feet.

The best part is that unix sysadmins, who possibly aren't
complete morons and could configure their servers properly,
cannot do so. Ciphers (at least in OpenSSH) are set on client
side only. There are no "Host ..." blocks in sshd_config, nor
"ciphers=" option in authorized_keys.

Politics and religion are just like software and hardware. They all suck, the
documentation is provably incorrect, and all the vendors tell lies.
                                                            -- Andrew Dalgleish
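
An added example, not part of the original posts or of any SSH project's code: a small audit for the rule stated in the reply above, that a null cipher may be offered only under specific hosts and never in the default scope. It assumes a client whose `Ciphers` directive accepts the RFC 4253 `none` cipher name (stock builds may refuse it); the function name, verdict strings and sample config are constructed for illustration.

```python
WILDCARDS = set("*?!")  # pattern characters that make a Host entry non-specific


def audit_null_cipher(config_text):
    """Return (line_no, scope, verdict) for each Ciphers line offering 'none'."""
    findings = []
    scope, specific = "(global)", False  # lines before any Host apply to all hosts
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config allows "Keyword value" and "Keyword=value"
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) < 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "host":
            patterns = value.split()
            scope = "Host " + " ".join(patterns)
            specific = all(not (WILDCARDS & set(p)) for p in patterns)
        elif keyword == "match":
            # Match conditions are not a plain host list; treat as non-specific
            scope, specific = "Match " + value, False
        elif keyword == "ciphers":
            if value.startswith("-"):
                continue  # "-list" removes ciphers from the default set
            names = [n.strip() for n in value.lstrip("+^").split(",")]
            if "none" in names:
                verdict = "host-specific" if specific else "VIOLATION"
                findings.append((line_no, scope, verdict))
    return findings


# Constructed sample config, not taken from the thread.
SAMPLE = """\
# per-host exception for a public read-only server
Host cvs.example.org
    Ciphers none
Host *.lab.example.org
    Ciphers=aes128-ctr,none
Host *
    Ciphers aes256-ctr,aes128-ctr
"""

if __name__ == "__main__":
    for line_no, scope, verdict in audit_null_cipher(SAMPLE):
        print(f"line {line_no}: {scope}: {verdict}")
```

A `VIOLATION` means the null cipher can be negotiated for hosts nobody listed by name, which is the failure the reply warns about.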
