Re: “Stripped-down” SSH (no encryption or authentication, just forwarding)

Damien Miller djm at mindrot.org
Thu Oct 17 11:52:16 AEDT 2019


On Wed, 16 Oct 2019, Peter Moody wrote:

> > Would a dedicated protocol, such as yamux, be better for this than
> > SSH?
>
> I suspect you're more likely to get a yamux tool working than convince
> the openssh maintainers to add a "-oCiphers=none"

Yeah, this comes up from time to time.

Our position is unchanged - OpenSSH is a secure, encrypted login (etc.)
system and offering an unencrypted mode is contrary to our product
philosophy. Others are welcome to (and do) add it; it's only a few lines
to change.

BTW we had already made this decision before the world saw
http://www.mindrot.org/junk/ssl-here.jpg and we're even more firm now.

If you want to use OpenSSH for your use-case, consider selecting either
a fast software implemented cipher like chacha20-poly1305 or one that
has hardware acceleration on your platform (usually an AES variant, with
AES-GCM best if supported). They are quite low-overhead.

Alternately, there's SOCKS. If that's not your thing then PPP over a
TCP socket gives you arbitrary network forwarding capabilities and the
benefit of a full network stack and associated controls (e.g. you can
run it in an isolated routing domain/VRF).

-d
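The cipher-selection advice above is easy to turn into a check a practitioner can run before deploying a bulk-forwarding host. The script below is an added example, not part of Damien's mail or of OpenSSH itself: it builds a `Ciphers` preference list for `ssh_config` from the ciphers the local client actually supports (`ssh -Q cipher` output) and whether the CPU advertises AES acceleration. The cipher names are OpenSSH's real algorithm identifiers; the AES detection via the `aes` flag in `/proc/cpuinfo` is a Linux/x86 assumption, and the host name and fallback cipher list are constructed placeholders.

```shell
#!/bin/sh
# Pick a fast *encrypted* cipher list instead of disabling encryption.
# Added example; cipher identifiers are OpenSSH's own, the rest is illustrative.

# pick_ciphers SUPPORTED HAS_AESNI
#   SUPPORTED : space-separated cipher names (as printed by `ssh -Q cipher`)
#   HAS_AESNI : "yes" or "no"
# Prints a comma-separated Ciphers value, preferred cipher first, keeping only
# AEAD ciphers the local client supports.
pick_ciphers() {
    supported="$1"
    aesni="$2"
    if [ "$aesni" = yes ]; then
        # Hardware AES: AES-GCM first, ChaCha20-Poly1305 as software fallback.
        prefs="aes256-gcm@openssh.com aes128-gcm@openssh.com chacha20-poly1305@openssh.com"
    else
        # No AES acceleration: ChaCha20-Poly1305 is the fast software choice.
        prefs="chacha20-poly1305@openssh.com aes256-gcm@openssh.com aes128-gcm@openssh.com"
    fi
    out=""
    for c in $prefs; do
        for s in $supported; do
            if [ "$c" = "$s" ]; then
                out="${out:+$out,}$c"
            fi
        done
    done
    printf '%s\n' "$out"
}

# detect_aesni: "yes" if /proc/cpuinfo lists the "aes" CPU flag (Linux x86
# assumption), otherwise "no". Other platforms fall through to the software path.
detect_aesni() {
    if [ -r /proc/cpuinfo ] && grep -qE '(^| )aes( |$)' /proc/cpuinfo 2>/dev/null; then
        echo yes
    else
        echo no
    fi
}

# render_config HOST CIPHERS: emit an ssh_config Host block pinning the list.
render_config() {
    printf 'Host %s\n    Ciphers %s\n' "$1" "$2"
}

# Stand-alone use: `sh pick-ciphers.sh --run`. Queries the local ssh client;
# if none is installed, uses a constructed sample list so the script still runs.
if [ "${1:-}" = --run ]; then
    if command -v ssh >/dev/null 2>&1; then
        supported=$(ssh -Q cipher | tr '\n' ' ')
    else
        supported="aes128-ctr aes256-ctr aes128-gcm@openssh.com aes256-gcm@openssh.com chacha20-poly1305@openssh.com"
    fi
    render_config bulk-forward-host "$(pick_ciphers "$supported" "$(detect_aesni)")"
fi
```

The resulting `Host` block can be dropped into `~/.ssh/config`; because the list is filtered against `ssh -Q cipher`, it never names an algorithm the client cannot negotiate, and the connection stays authenticated and encrypted while using the cheapest AEAD available on the machine.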


