If you don't use encryption for the session, then you
will be vulnerable to session hijacking as there isn't
any barrier to someone injecting packets into your
session or overtaking it entirely.  You end up
authenticating only the initial handshake, but the rest
of the traffic can come from anywhere :-)

-Jason

Quoting "Ng, Kenneth (US)" <[EMAIL PROTECTED]>:

> I have a question.  Is there a way to not do data transfer encrypted, but
> still do authentication encrypted?  I have some big databases that I want
> to copy from machine to machine.  The data is not confidential, but I want
> to make sure that it comes from someone with the right private key.  And,
> will such a session be vulnerable to session hijacking?
>
> > -----Original Message-----
> > From:       Theo Van Dinter [SMTP:[EMAIL PROTECTED]]
> > Sent:       Thursday, August 05, 1999 9:22 AM
> > To: Tim Chao
> > Cc: [EMAIL PROTECTED]
> > Subject:    Re: Help on disable encription on SSH1?
> >
> > | In the manpage of ssh, the client is able to ask for a non-encryption
> > | session.
> >
> > I'll ask the obvious -- why do you want to do this?
> >
> > | "Selected cipher type none not supported by server."
> > | The ssh1 I am using is ssh1.2.27. I assume I am doing something
> > | wrong here because if the client has an option to disable the
> > | encryption the server should have the option too.
> >
> > by default (because it's insecure), the server will not allow
> > non-encrypted connections.  you'll have to recompile the server to
> > explicitly allow that.
> >
> > but if you don't want encryption, why are you using SSH?  use RSH.
> >
> > --
> > Randomly Generated Tagline:
> > "Those who do not archive the past are condemned to retype it!"
> >                 - Garfinkel and Spafford
> >

AT&T Wireless Services
IT Security
UNIX Security Operations Specialist
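
An added example, not part of the thread and not how ssh1 works: a sketch of what the question above asks for, a cleartext stream in which every record is authenticated under a key taken from the handshake, so that injected or replayed data is rejected. The class and function names, the key and the sample records are constructed for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 tag size in bytes


class AuthenticatedStream:
    """One direction of a cleartext stream with a MAC on every record."""

    def __init__(self, session_key: bytes):
        self.key = session_key  # assumed to come out of the authenticated handshake
        self.seq = 0            # implicit counter, never sent on the wire

    def _tag(self, payload: bytes) -> bytes:
        # Binding the counter into the MAC makes replayed or reordered records fail.
        msg = struct.pack(">Q", self.seq) + payload
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def seal(self, payload: bytes) -> bytes:
        record = payload + self._tag(payload)
        self.seq += 1
        return record

    def open(self, record: bytes) -> bytes:
        if len(record) < TAG_LEN:
            raise ValueError("record too short")
        payload, tag = record[:-TAG_LEN], record[-TAG_LEN:]
        if not hmac.compare_digest(tag, self._tag(payload)):
            raise ValueError("bad MAC or out-of-sequence record")
        self.seq += 1
        return payload


def receive_all(key: bytes, wire: list) -> tuple:
    """Return (accepted payloads, number of rejected records)."""
    rx, accepted, rejected = AuthenticatedStream(key), [], 0
    for record in wire:
        try:
            accepted.append(rx.open(record))
        except ValueError:
            rejected += 1
    return accepted, rejected


# Constructed sample: two genuine records, one forged without the key, one replay.
KEY = b"constructed-session-key-for-demo"
tx = AuthenticatedStream(KEY)
r1, r2 = tx.seal(b"db chunk 1"), tx.seal(b"db chunk 2")
WIRE = [r1, b"injected chunk" + bytes(TAG_LEN), r1, r2]
print(receive_all(KEY, WIRE))
```

A real transport would normally drop the connection on the first failed record; the loop keeps going here only so that each case is visible.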
