[Bug 877] ssh 3.8.1p1 client cannot disable encryption with "-c none"

bugzilla-daemon at mindrot.org
Mon Jun 7 19:01:27 EST 2004


http://bugzilla.mindrot.org/show_bug.cgi?id=877





------- Additional Comments From dtucker at zip.com.au  2004-06-07 19:01 -------
> If the sshd daemon allows the none cipher even when the sysadmin configures
> it not to, that's not the fault of the none cipher - that's a bug in the
> implementation.

Precisely!  You do not have implementation bugs in features you do not implement.

> draft-ietf-secsh-transport-14.txt shows that the MAC is also optional.

... and that the "none" MAC is "NOT RECOMMENDED".

Also: you mention that you're using a VPN: are you sure there are no sniffers
between the VPN concentrator and the SSH server?  A significant portion of
attacks are "inside jobs".

Anyway, have you *measured* a difference?  I get wire speed on my long-obsolete
170MHz SparcStation on its 10Mbit/s segment:

$ scp -o MACs=hmac-md5-96 -o Ciphers=arcfour linux-2.5.0.tar.bz2 platypus:/tmp/
linux-2.5.0.tar.bz2                           100%   23MB   1.0MB/s   00:23

The CPU is not saturated (and more CPU is spent on network IO than crypto:
CPU states: 22.3% idle, 38.4% user, 39.4% kernel,  0.0% iowait,  0.0% swap)




------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
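
The comment above turns on whether "none" is on offer for the cipher or the MAC. The sketch below is an added example, not part of the original message or of OpenSSH: it parses the SSH_MSG_KEXINIT payload defined by the transport draft and reports which cipher/MAC name-lists contain "none". The helper names and the sample payload are constructed for illustration.

```python
import struct

SSH_MSG_KEXINIT = 20
# Order of the ten name-lists in SSH_MSG_KEXINIT, per the SSH transport spec.
FIELDS = [
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server", "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
]

def parse_kexinit(payload: bytes) -> dict:
    """Parse a KEXINIT payload (no packet framing) into {field: [names]}."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, out = 17, {}  # skip the message byte and the 16-byte cookie
    for field in FIELDS:
        if off + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack_from(">I", payload, off)
        raw = payload[off + 4:off + 4 + n]
        if len(raw) != n:
            raise ValueError("truncated name-list body")
        out[field] = raw.decode("ascii").split(",") if raw else []
        off += 4 + n
    return out

def offers_none(payload: bytes) -> list:
    """Return the cipher/MAC fields in which the peer offers "none"."""
    parsed = parse_kexinit(payload)
    return [f for f in FIELDS
            if f.startswith(("encryption_", "mac_")) and "none" in parsed[f]]

def build_kexinit(lists: dict) -> bytes:
    """Build a KEXINIT payload with a zero cookie (demo helper only)."""
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)
    for field in FIELDS:
        names = ",".join(lists.get(field, [])).encode("ascii")
        body += struct.pack(">I", len(names)) + names
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

SAMPLE = build_kexinit({  # constructed sample: "none" MAC offered in one direction
    "encryption_algorithms_client_to_server": ["aes128-cbc", "arcfour"],
    "mac_algorithms_client_to_server": ["hmac-md5-96", "none"],
    "mac_algorithms_server_to_client": ["hmac-md5-96"],
})
```

Calling `offers_none()` on a KEXINIT payload captured from a peer lists every direction in which that peer would accept an unencrypted or unauthenticated transport.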



