On Thu, May 05, 2016 at 10:49:19AM -0400, Greg Troxel wrote:
> Last I looked, there was the possibility of some fs data to travel
> unencrypted if it was not associated with a logged-in user.  This is in
> my view totally not ok.

It is encrypted but there is no shared secret between the client and the
server during the connection setup handshake, so the session key is
encrypted with a commonly known 'null key'. If you capture the INIT2
packet from the server to the client you can trivially decrypt it and
get the session key.

But.. why would anybody go through that amount of trouble if he can
connect to the server without authentication himself and get those same
files anyway? Clearly their ACL must allow System:AnyUser access,
otherwise the user would have had to be logged-in.

Jan