Cipher 'none'

Rob Hagopian rob at hagopian.net
Sat Oct 14 16:14:03 EST 2000


8.3MB/s isn't that good when you need to transfer 100GBs of data around on
gigabit ethernet... Secure authentication without session encryption will
always have a legitimate niche amongst some people.

Would this be enough to deter use?
a) a configure option, and
b) a config file option for sshd, and
c) has to be specified on the command line for ssh, and
d) client prints out a warning whenever no cipher is found (unless a
   specific suppression flag is given [so it would show up even with -q])

The downside to these protections is it's more code in more places for
such a simple change. I think just a configure option should be enough...

If session encryption is so important why isn't everyone using ssl for
http for the web?
							-Rob

On Sat, 14 Oct 2000, Damien Miller wrote:

> On Fri, 13 Oct 2000, Edward Avis wrote:
> 
> > By making a one-line change it is possible to enable the cipher 'none'
> > in openssh.  But you still have to ask for it explicitly, either by
> > adding it to /etc/ssh/ssh_config or by giving the '-c none' option to
> > ssh.
> > 
> > I think that this 'feature' should be turned back on, because for slow
> > machines or large file transfers, using encryption slows things down a
> > lot.  This means that you have to resort to rcp or ftp to get
> > things working at a reasonable speed, which is a bad habit for the users
> > to get into.
> 
> It is a bad habit to have unencrypted data on your network full stop :)
> 
> Seriously, some of the ciphers offered by SSH2 are pretty fast. These
> are the times it took to scp a 100Mb file to /dev/null via ssh2 over
> localhost:
> 
> P166
> 
> 3des-cbc: 232 sec 431kbps
> blowfish-cbc: 90 sec 1.1Mbps
> arcfour: 71 sec 1.4Mbps
> 
> P3/700
> 
> 3des-cbc: 47 sec 2.1Mbps
> blowfish-cbc: 18 sec, 5.5Mbps
> cast128-cbc: 18 sec, 5.5Mbps
> arcfour: 12 sec 8.3Mbps
> 
> -d
> 
> 
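
The quoted message notes that 'none' still has to be asked for explicitly, either in /etc/ssh/ssh_config or with '-c none'. The following is an added example, not part of the thread and not OpenSSH code: a Python check that flags such requests in ssh_config/sshd_config-style text and on an ssh command line. The function names, sample configuration and host names are constructed for illustration, and the command-line check is a heuristic that does not model ssh's full option parsing.

```python
import re
# keyword, then whitespace or one optional '=', then the argument
DIRECTIVE = re.compile(r"^\s*(\w+)\s*(?:=\s*|\s+)(.*?)\s*$")
CIPHER_KEYS = ("cipher", "ciphers")   # protocol 1 and protocol 2 keywords

def cipher_list_has_none(value):
    """True if a cipher argument asks for the 'none' cipher."""
    value = value.strip().strip('"')
    if value.startswith("-"):          # a '-list' removes ciphers, enables nothing
        return False
    names = value.lstrip("+^").split(",")
    return any(n.strip().lower() == "none" for n in names)

def audit_config(text):
    """Return (line_no, scope, directive) for each directive requesting 'none'."""
    findings, scope = [], "global"
    for no, raw in enumerate(text.splitlines(), 1):
        m = DIRECTIVE.match(raw)       # comment and blank lines do not match
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key in ("host", "match"):   # remember which block we are inside
            scope = f"{m.group(1)} {value}"
        elif key in CIPHER_KEYS and cipher_list_has_none(value):
            findings.append((no, scope, raw.strip()))
    return findings

def argv_requests_none(argv):
    """Heuristic: does an ssh command line select 'none' via -c or -o?"""
    for i, arg in enumerate(argv):
        # operand is either glued to the flag (-cnone) or the next argument
        flag, operand = arg[:2], arg[2:] or "".join(argv[i + 1:i + 2])
        if flag == "-c" and cipher_list_has_none(operand):
            return True
        m = DIRECTIVE.match(operand) if flag == "-o" else None
        if m and m.group(1).lower() in CIPHER_KEYS and cipher_list_has_none(m.group(2)):
            return True
    return False

# Constructed sample configuration, not taken from the thread.
SAMPLE = """\
# Ciphers none
Ciphers aes128-ctr,aes256-ctr
Host bulk-*.example.org
    Ciphers=arcfour,none
Host legacy
    Cipher none
"""
if __name__ == "__main__":
    print(audit_config(SAMPLE), argv_requests_none(["ssh", "-c", "none", "host"]))
```

Reporting the enclosing Host/Match block shows whether the request applies globally or only to selected hosts.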






More information about the openssh-unix-dev mailing list