[Bug 877] ssh 3.8.1p1 client cannot disable encryption with "-c none"
bugzilla-daemon at mindrot.org
bugzilla-daemon at mindrot.org
Tue Jun 8 05:41:04 EST 2004
http://bugzilla.mindrot.org/show_bug.cgi?id=877
------- Additional Comments From mohit_aron at hotmail.com 2004-06-08 05:41 -------
> My view is if a company wants to hack mac=none, ciphers=none into their
> SSH code. That's fine. Not as if it is that hard or complex.
I took a look at the way my own sysadmins have added the "-c none". Seems
like they've had to add a "none2" for SSH2 (as I mentioned in my initial
posting) to get around the fact that "ciphers" in "cipher.c" already
contains a "none" for SSH1. Looks pretty arcane to me. The sysadmins probably
wanted to minimize code changes. Had the developers supported a "none" in
SSH2, that would have been a much better job. In addition, I don't see
support for a "hmac=none" in our code - possibly they didn't realize that
hmac also eats away the performance. So having users do these code changes
is certainly far from optimal.
> > 10 Mbps networks hardly imposed any ovhd on the CPUs - my company is
> > starting to use 1 Gbps networks - there the ovhd can be significant.
>
> Sounds like you really want to invest in encryption hardware. Sokeris group
> sells a nice PCI/PCMCIA solution that runs under BSD/Linux for a very nice
> price. I've seen a few gigabit cards with encryption chips right on it.
> Which would be another good path to look at. That would make more pratical
> sense than gutting security from an application.
I thought ssh encryption works at user-level - how would having encryption
in the network cards help ? It might help for VPNs where the IPsec resides
in the kernel. Anyhow, with tight IT budgets these days, a solution that
requires expensive hardware for hundreds of machines is not viable.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
More information about the openssh-bugs
mailing list