Turning off encryption for ssh daemon v1 on a linux machine


I need to turn off encryption on an SSH (v1) daemon on an OpenSSH 3.8p1
implementation. How do I go about it? Any code patch available? This is
for v1 and not v2.
Here is what I did:
I initialised ssh_cipher_mask to SSH_CIPHER_NONE in the
cipher_mask_ssh1() function in the cipher.c file.

On compiling and running, output read as follows:
Accepted password for root from port 32789
cipher_get_keyiv: bad cipher 0

When I examined the cipher_set_keyiv() fn, I observed that a case label
for SSH_CIPHER_NONE is absent.

void
cipher_set_keyiv(CipherContext *cc, u_char *iv)
{
        Cipher *c = cc->cipher;
        int evplen = 0;

        switch (c->number) {
        case SSH_CIPHER_SSH2:
        case SSH_CIPHER_DES:
                /* EVP-backed ciphers: IV length comes from the EVP context */
                evplen = EVP_CIPHER_CTX_iv_length(&cc->evp);
                if (evplen == 0)
                        return;
                if (c->evptype == evp_rijndael)
                        ssh_rijndael_iv(&cc->evp, 1, iv, evplen);
                else if (c->evptype == evp_aes_128_ctr)
                        ssh_aes_ctr_iv(&cc->evp, 1, iv, evplen);
                else
                        memcpy(cc->evp.iv, iv, evplen);
                break;
        case SSH_CIPHER_3DES:
                ssh1_3des_iv(&cc->evp, 1, iv, 24);
                break;
        default:
                /* no case for SSH_CIPHER_NONE, so cipher 0 ends up here */
                fatal("%s: bad cipher %d", __func__, c->number);
        }
}



Re: Turning off encryption for ssh daemon v1 on a linux machine

You would normally run rsh instead of SSH. Why do you want to do this?

Re: Turning off encryption for ssh daemon v1 on a linux machine

Nico Kadel-Garcia sez:
[quoted text not shown]

Because he wants ssh authentication instead of .rhosts.

Lumping authentication and encryption together in one protocol is
the opposite of what properly designed modern servers do. One of
the consequences is that you can't use key-based auth without also
using a cipher.

The problem with null cipher is that it's possible for client and
server to auto-negotiate the null cipher for connection that should
have been encrypted. (That could be remedied by adding Host * blocks
to server-side config so sysadmin could explicitly enable use of
null cipher for selected hosts, but openssh folks seem to believe
most sysadmins are morons who would shoot themselves in both feet
if that option was available to them. Can't blame them, really,
with all the "Linux for dummies in 21 days" crap out there.)

So the proper fix would be to separate authentication and encryption
into different session-layer protocols (having session layer in the
network stack to begin with would help, too).

The convoluted fix would be to exclude null cipher from autoneg
and use it only if explicitly specified by admin in authorized_keys
options or server-side Host * blocks.

The available fix is to buy a faster CPU and live with encryption.

Or you can dig out old openssh source -- I think 2.9 still allowed
null cipher -- and back-port null cipher into 3.8.

We're sysadmins. Sanity happens to other people.                  -- Chris King
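
The "exclude null cipher from autoneg, allow it only where the admin says so" rule from the post above, as an added stand-alone sketch; it is not part of the thread and not OpenSSH code. The policy struct, the function names and the host names are hypothetical; the cipher numbers are the SSH protocol 1 values.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* SSH protocol 1 cipher numbers; 0 is the "bad cipher 0" in the log above. */
enum { SSH_CIPHER_NONE = 0, SSH_CIPHER_DES = 2,
       SSH_CIPHER_3DES = 3, SSH_CIPHER_BLOWFISH = 6 };

/* Hypothetical admin policy: peers explicitly allowed to run unencrypted. */
struct null_cipher_policy {
    const char *const *hosts;
    size_t n_hosts;
};

/* Constructed sample policy: a single opted-in host. */
static const char *const sample_hosts[] = { "lab-gw.example" };
static const struct null_cipher_policy sample_policy = { sample_hosts, 1 };

/* Mask offered to every client: real ciphers only, never NONE. */
unsigned int advertised_mask(void)
{
    return (1u << SSH_CIPHER_3DES) | (1u << SSH_CIPHER_BLOWFISH);
}

/* Decide whether the cipher number the client selected may be used. */
bool accept_client_cipher(const struct null_cipher_policy *p,
                          const char *host, int cipher)
{
    if (cipher < 0 || cipher > 31)
        return false;                 /* does not fit the 32-bit mask */
    if (cipher != SSH_CIPHER_NONE)    /* normal path: must be advertised */
        return (advertised_mask() & (1u << cipher)) != 0;
    for (size_t i = 0; i < p->n_hosts; i++)   /* NONE: explicit opt-in only */
        if (strcmp(p->hosts[i], host) == 0)
            return true;
    return false;
}

int main(void)
{
    printf("opted-in host, none: %d\n",
           accept_client_cipher(&sample_policy, "lab-gw.example", SSH_CIPHER_NONE));
    printf("other host, none:    %d\n",
           accept_client_cipher(&sample_policy, "other.example", SSH_CIPHER_NONE));
    printf("other host, 3des:    %d\n",
           accept_client_cipher(&sample_policy, "other.example", SSH_CIPHER_3DES));
    return 0;
}
```

Because NONE never appears in the advertised mask, a connection that should have been encrypted cannot end up on the null cipher through negotiation alone.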
