Cipher 'none'

Ben Lindstrom mouring at pconline.com
Sat Oct 14 18:48:39 EST 2000


Can I suggest a middle ground here...

If there is such an overwhelming demand for Cipher 'none' then maybe
someone should create a patch and submit it to be included in
the contrib/ section.

It keeps people from using -c none without thought, and lets those
who wish to accept the risk have an easy way of doing so.

- Ben

On Sat, 14 Oct 2000, Rob Hagopian wrote:

> 8.3MB/s isn't that good when you need to transfer 100GBs of data around on
> gigabit ethernet... Secure authentication without session encryption will
> always have a legitimate niche amongst some people.
> 
> Would this be enough to deter use?
> a) a configure option, and
> b) a config file option for sshd, and
> c) has to be specified on the command line for ssh, and
> d) client prints out a warning whenever no cipher is found (unless a
>    specific suppression flag is given [so it would show up even with -q])
> 
> The downside to these protections is it's more code in more places for
> such a simple change. I think just a configure option should be enough...
> 
> If session encryption is so important why isn't everyone using ssl for
> http for the web?
> 							-Rob
> 
> On Sat, 14 Oct 2000, Damien Miller wrote:
> 
> > On Fri, 13 Oct 2000, Edward Avis wrote:
> > 
> > > By making a one-line change it is possible to enable the cipher 'none'
> > > in openssh.  But you still have to ask for it explicitly, either by
> > > adding it to /etc/ssh/ssh_config or by giving the '-c none' option to
> > > ssh.
> > > 
> > > I think that this 'feature' should be turned back on, because for slow
> > > machines or large file transfers, using encryption slows things down a
> > > lot.  This means that you have to resort to rcp or ftp to get
> > > things working at a reasonable speed, which is a bad habit for the users
> > > to get into.
> > 
> > It is a bad habit to have unencrypted data on your network full stop :)
> > 
> > Seriously, some of the ciphers offered by SSH2 are pretty fast. These
> > are the times it took to scp a 100Mb file to /dev/null via ssh2 over
> > localhost:
> > 
> > P166
> > 
> > 3des-cbc: 232 sec 431kbps
> > blowfish-cbc: 90 sec 1.1Mbps
> > arcfour: 71 sec 1.4Mbps
> > 
> > P3/700
> > 
> > 3des-cbc: 47 sec 2.1Mbps
> > blowfish-cbc: 18 sec, 5.5Mbps
> > cast128-cbc: 18 sec, 5.5Mbps
> > arcfour: 12 sec 8.3Mbps
> > 
> > -d
> > 
> > 
> 
> 
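An added example, not part of the original thread or of OpenSSH: a small Python check that flags the two ways of asking for cipher 'none' mentioned above (a config file entry or `-c none` on the command line), for auditing config text and logged ssh/scp command lines. The function names and sample config are constructed for illustration; the `+`/`-`/`^` list prefixes are syntax from later OpenSSH releases.

```python
import re
import shlex

# "Cipher" (protocol 1) and "Ciphers" (protocol 2) select the session cipher;
# ssh_config keywords are case-insensitive.
CIPHER_KEYWORDS = {"cipher", "ciphers"}
DIRECTIVE = re.compile(r"(\w+)\s*(?:=\s*|\s+)(.*)$")  # "Key value" or "Key=value"

def lists_none(value):
    """True if a comma-separated cipher list enables 'none'."""
    value = value.strip().strip('"')
    if value.startswith("-"):      # "-list" removes ciphers from the defaults
        return False
    names = value.lstrip("+^").split(",")   # "+"/"^" add to the defaults
    return "none" in (n.strip().lower() for n in names)

def directive_enables_none(line):
    """True if one 'Keyword value' directive turns on cipher 'none'."""
    m = DIRECTIVE.match(line.strip())
    return bool(m and m.group(1).lower() in CIPHER_KEYWORDS
                and lists_none(m.group(2)))

def scan_config(text):
    """Return (line_number, directive) for config lines enabling 'none'."""
    hits = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#") and directive_enables_none(line):
            hits.append((number, line))
    return hits

def cmdline_requests_none(command):
    """True if an ssh/scp command line asks for 'none' via -c or -o."""
    args = shlex.split(command)
    for i, arg in enumerate(args):
        following = args[i + 1] if i + 1 < len(args) else ""
        if arg == "-c" and lists_none(following):
            return True
        if arg.startswith("-c") and len(arg) > 2 and lists_none(arg[2:]):
            return True
        if arg == "-o" and directive_enables_none(following):
            return True
        if arg.startswith("-o") and len(arg) > 2 and directive_enables_none(arg[2:]):
            return True
    return False

# Constructed sample input, not taken from the thread.
SAMPLE_CONFIG = "Host bulk-transfer\n    Ciphers none,arcfour\nHost *\n    Cipher blowfish\n"
```
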





