Cipher 'none'
Rob Hagopian
rob at hagopian.net
Sat Oct 14 16:14:03 EST 2000
8.3MB/s isn't that good when you need to transfer 100GBs of data around on
gigabit ethernet... Secure authentication without session encryption will
always have a legitimate niche amongst some people.
Would this be enough to deter use?
a) a configure option, and
b) a config file option for sshd, and
c) has to be specified on the command line for ssh, and
d) client prints out a warning whenever no cipher is found (unless a
specific suppression flag is given [so it would show up even with -q])
The downside to these protections is it's more code in more places for
such a simple change. I think just a configure option should be enough...
If session encryption is so important why isn't everyone using ssl for
http for the web?
-Rob
On Sat, 14 Oct 2000, Damien Miller wrote:
> On Fri, 13 Oct 2000, Edward Avis wrote:
>
> > By making a one-line change it is possible to enable the cipher 'none'
> > in openssh. But you still have to ask for it explicitly, either by
> > adding it to /etc/ssh/ssh_config or by giving the '-c none' option to
> > ssh.
> >
> > I think that this 'feature' should be turned back on, because for slow
> > machines or large file transfers, using encryption slows things down a
> > lot. This means that you have to resort to rcp or ftp to get
> > things working at a reasonable speed, which is a bad habit for the users
> > to get into.
>
> It is a bad habit to have unencrypted data on your network full stop :)
>
> Seriously, some of the ciphers offered by SSH2 are pretty fast. These
> are the times it took to scp a 100Mb file to /dev/null via ssh2 over
> localhost:
>
> P166
>
> 3des-cbc: 232 sec 431kbps
> blowfish-cbc: 90 sec 1.1Mbps
> arcfour: 71 sec 1.4Mbps
>
> P3/700
>
> 3des-cbc: 47 sec 2.1Mbps
> blowfish-cbc: 18 sec, 5.5Mbps
> cast128-cbc: 18 sec, 5.5Mbps
> arcfour: 12 sec 8.3Mbps
>
> -d
>
>
More information about the openssh-unix-dev
mailing list
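For administrators who need to know whether cipher 'none' has been turned on anywhere, the following is an added example, not part of the thread and not OpenSSH code. It scans ssh_config-style text for `Cipher`/`Ciphers` directives that list `none` and reports the `Host` block they apply to. The sample configuration, host names and the function name `find_none_cipher` are constructed for illustration.

```python
import re

# Constructed sample in ssh_config syntax; not taken from the thread.
SAMPLE_CONFIG = """\
# site defaults
Host bulk-*.example.net
    Ciphers none,arcfour
Host backup
    cipher = NONE
Host *
    Ciphers blowfish-cbc,3des-cbc
    # Ciphers none
"""

CIPHER_KEYWORDS = {"cipher", "ciphers"}  # keywords are case-insensitive


def find_none_cipher(config_text):
    """Return (line_no, host_pattern, keyword) for each directive listing 'none'."""
    findings = []
    scope = "(global)"  # directives before the first Host line apply everywhere
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or comment: a commented-out 'none' is not active
        # Keyword and value are separated by whitespace or a single '='.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip().strip('"')
        if keyword == "host":
            scope = value
        elif keyword in CIPHER_KEYWORDS:
            if value.startswith("-"):
                continue  # '-list' removes ciphers in newer OpenSSH; nothing enabled
            names = [c.strip().lower() for c in value.lstrip("+^").split(",")]
            if "none" in names:
                findings.append((line_no, scope, keyword))
    return findings


if __name__ == "__main__":
    for line_no, scope, keyword in find_none_cipher(SAMPLE_CONFIG):
        print(f"line {line_no}: '{keyword}' enables cipher none for Host {scope}")
```

A config scan does not see `-c none` given on the command line, so it covers only the configuration-file route mentioned in the thread.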