-c none option

Dan Kaminsky dan at doxpara.com
Sat Dec 8 10:05:21 EST 2001


Mark--

    The SSH2 protocol separated authentication and message integrity from
encryption.  As such,  OpenSSH *should* be supporting None as an encryption
type while enforcing authenticated packets w/ hmac-md5 or something similar.
It isn't.

    Null Encryption mode was likely ruled out from the days of SSH1, where
going without encryption meant the authentication verified at the beginning
of a session did not necessarily carry over to future packets.  Essentially,
an attacker could just sit around waiting for an authentication to occur,
and then hijack the connection.  Without encryption in place, there'd be
nothing to stop it.

    That's changed now, of course, but the block on null crypto stands.
That might change, but in the meantime I suggest using "-c arcfour" for
maximum performance.  RC4 is a ludicrously simple and fast algorithm to
compute against, so hopefully you'll start approaching the speeds you're
used to.

    I've actually been getting steadily more concerned with SSH's
performance.  FTP runs at about 3MB/s, standard SCP at 1MB/s, and SFTP at
100KB/s(!!!).  Now, I emphasize that this is just in my personal
environment, but still, something ain't right.

    What backup software are you using, if I may ask?

Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com
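
The separation described in the first paragraph of the message, as an added example that is not part of the original post and is not OpenSSH code: an SSH2 binary packet (RFC 4253 framing) sent with cipher "none" but protected by hmac-md5 computed over the sequence number and the packet. The function names, the key and the payload are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

BLOCK = 8             # RFC 4253: with cipher "none" packets align to 8 bytes
DIGEST = hashlib.md5  # hmac-md5, the MAC the message names


def _mac(key, seq, packet):
    # RFC 4253 6.4: mac = MAC(key, sequence_number || unencrypted_packet)
    return hmac.new(key, struct.pack(">I", seq & 0xFFFFFFFF) + packet, DIGEST).digest()


def seal(key, seq, payload):
    """Build a cleartext SSH2 binary packet and append its MAC."""
    pad = BLOCK - (5 + len(payload)) % BLOCK
    if pad < 4:  # at least 4 bytes of random padding are required
        pad += BLOCK
    packet = struct.pack(">IB", 1 + len(payload) + pad, pad) + payload + os.urandom(pad)
    return packet + _mac(key, seq, packet)


def open_packet(key, seq, wire):
    """Check the MAC against the expected sequence number, return the payload."""
    mac_len = DIGEST().digest_size
    packet, mac = wire[:-mac_len], wire[-mac_len:]
    if not hmac.compare_digest(mac, _mac(key, seq, packet)):
        raise ValueError("MAC mismatch: packet altered, injected or out of sequence")
    length, pad = struct.unpack(">IB", packet[:5])
    if length != len(packet) - 4 or pad + 1 > length:
        raise ValueError("malformed packet")
    return packet[5:4 + length - pad]


if __name__ == "__main__":
    key = os.urandom(16)  # constructed; a real key is derived during key exchange
    wire = seal(key, 3, b"backup stream chunk")
    print(open_packet(key, 3, wire))  # payload is readable on the wire, yet verified
    forged = wire.replace(b"backup", b"BACKUP")
    for seq, data in ((3, forged), (4, wire)):  # modified packet, then wrong sequence
        try:
            open_packet(key, seq, data)
        except ValueError as err:
            print("rejected:", err)
```

The payload travels in the clear, but a receiver holding the integrity key rejects any packet that was modified or that does not match the sequence number it expects next.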





More information about the openssh-unix-dev mailing list