[Bug 877] ssh 3.8.1p1 client cannot disable encryption with "-c none"

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Tue Jun 8 03:44:41 EST 2004


------- Additional Comments From mohit_aron at hotmail.com  2004-06-08 03:44 -------

> Precisely!  You do not have implementation bugs in features you do not 
> implement.

But you can always also have bugs in features that you do implement and that 
compromise security. Not implementing a feature for fear of bugs is hardly
an argument.

> Also: you mention that you're using a VPN: are you sure there are no sniffers
> between the VPN concentrator and the SSH server?  A significant portion of
> attacks are "inside jobs".

There might be. By choosing the none cipher, the user has explicitly 
indicated that privacy is not of concern here - e.g. he might be simply doing
an scp of some huge binary log from his home to his office machine. Doesn't 
matter if anyone is able to sniff out the data on the inside. Leave the choice
to the user - don't force it on him. 

> Anyway, have you *measured* a difference?  I get wire speed on my 
> long-obsolete 170MHz SparcStation on its 10Mbit/s segment:
> $ scp -o MACs=hmac-md5-96 -o Ciphers=arcfour linux-2.5.0.tar.bz2 platypus:/tmp/
> linux-2.5.0.tar.bz2                           100%   23MB   1.0MB/s   00:23
> The CPU is not saturated (and more CPU is spent on network IO than crypto:
> CPU states: 22.3% idle, 38.4% user, 39.4% kernel,  0.0% iowait,  0.0% swap)

10 Mbps networks hardly impose any overhead on the CPUs - my company is starting
to use 1 Gbps networks - there the overhead can be significant. Also Solaris has a 
high-overhead network stack - even though you're doing considerable work at user
level, the kernel still comes out having high overhead. Try a Linux/BSD stack.
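
Added example, not part of the bug report or of OpenSSH: a small Python benchmark that measures what the MAC alone costs on the local CPU, so the "overhead" claim above can be checked with numbers on your own hardware before anyone decides to weaken the transport. It uses only the standard library, so it measures `hmac-md5-96`, `hmac-md5` and `hmac-sha1` (the MAC from the quoted scp run is `hmac-md5-96`); the cipher side is not measured because the standard library has no ciphers. The 16 MiB payload and the all-zero key are constructed values, and this is a hashing microbenchmark, not an end-to-end scp measurement like the one quoted.

```python
import hashlib
import hmac
import os
import time

# Constructed sample payload: 16 MiB of random bytes, standing in for the
# "huge binary log" from the discussion. os.urandom is used only so the data
# is not trivially compressible; it is not a security requirement here.
PAYLOAD_SIZE = 16 * 1024 * 1024
PAYLOAD = os.urandom(PAYLOAD_SIZE)

# Constructed 16-byte MAC key; any value works for a throughput measurement.
MAC_KEY = b"\x00" * 16

# SSH MAC names mapped to (stdlib digest constructor, tag length in bytes).
# hmac-md5-96 is HMAC-MD5 with the tag truncated to 96 bits.
MACS = {
    "hmac-md5-96": (hashlib.md5, 12),
    "hmac-md5": (hashlib.md5, 16),
    "hmac-sha1": (hashlib.sha1, 20),
}


def mac_throughput_mbps(mac_name, data=PAYLOAD, key=MAC_KEY):
    """Return HMAC throughput in megabits per second for one SSH MAC name."""
    digest, tag_len = MACS[mac_name]
    start = time.perf_counter()
    tag = hmac.new(key, data, digest).digest()[:tag_len]
    elapsed = time.perf_counter() - start
    if len(tag) != tag_len:
        raise RuntimeError("unexpected tag length")
    return (len(data) * 8) / elapsed / 1e6


def would_keep_up(mac_name, link_mbps):
    """True if this host can compute the MAC faster than the link delivers data."""
    return mac_throughput_mbps(mac_name) > link_mbps


if __name__ == "__main__":
    # Compare each MAC against the two link speeds discussed: 10 Mbit/s and 1 Gbit/s.
    for name in MACS:
        rate = mac_throughput_mbps(name)
        print(f"{name:12s} {rate:9.1f} Mbit/s  "
              f"10Mb/s: {'ok' if rate > 10 else 'bottleneck'}  "
              f"1Gb/s: {'ok' if rate > 1000 else 'bottleneck'}")
```

Run it on the hosts at both ends of the transfer; if the MAC rate on the slower host is already below the link rate, integrity-only (`-c none` with a MAC) would not reach wire speed either, and the bottleneck is elsewhere (network stack, disk, or the cipher, which this script does not measure).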
