enabling "none" cipher
Chris Rapier
rapier at psc.edu
Tue Jan 13 05:27:04 AEDT 2026
On 12/19/25 02:07, Nacho via openssh-unix-dev wrote:
> Hello,
>
> I'm trying to enable the "none" cipher in OpenSSH 10.2 compiled for FreeBSD with
> no success so far.
>
> Is it possible that there is no native support for "none" cipher in OpenSSH and
> this is just implemented by third party patches?
>
> This is my impression after looking at the FreeBSD patches for OpenSSH and
> OpenSSH source code and docs, but just wanted to confirm it before trying to fix
> it.
>
> Maybe there has been some change in 10.x OpenSSH that breaks the "none" cipher
> patch that used to work for 9.x?
>
> This patch is called "extra-patch-hpn" in FreeBSD, still applies cleanly, but
> after compiling it doesn't seem to work, the cipher "none" is not recognized no
> matter what.

Hey there, that's part of my HPN-SSH patch set.

The none cipher makes use of midstream cipher switching. In other words,
public keys are used for authentication and then, once the connection is
established, we immediately force a rekey and only provide the "none"
cipher as an option for the new private key encryption method.

Additionally, this *only* works when we don't spawn a TTY so it's
restricted (without unlikely acrobatics) to bulk data transfers. Also,
both sides of the connection *must* allow for the use of the none cipher
- so you'll need HPN-SSH (with none enabled in the config) on both sides
of the connection. You cannot use none otherwise.

All that being said, I don't maintain the FreeBSD patch so I don't know
what they are doing or where they are in terms of conformance to the
work I'm doing. That is available from
https://github.com/rapier1/hpn-ssh/ if you feel like trying to build it
from source.

One last thing: The none cipher is really only useful when you know the
session is being CPU limited due to encryption. If you aren't pushing
multiple Gbps it's unlikely that's the case on more modern processors.
It's also only really for moving non-sensitive data (public data sets
without PPI for example). YMMV and use at your own risk.

Chris
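
The "both sides must allow it" condition from the message above, written as a configuration audit; this is an added example, not part of the original post and not HPN-SSH code. It assumes the option names `NoneEnabled` (client and server) and `NoneSwitch` (client) from the HPN-SSH documentation, which the post does not name; the sample configs are constructed, and the check is deliberately conservative: it flags the option anywhere in the file, including inside `Host`/`Match` blocks, and does not follow `Include`.

```python
import re

# Assumption: option names as documented by HPN-SSH; the post itself names none.
NONE_OPTS = {"noneenabled", "noneswitch"}

def none_settings(config_text):
    """Return {option: [(lineno, value), ...]} for each none-cipher option found."""
    found = {}
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        # ssh config syntax: "Keyword value" or "Keyword=value"; keywords are
        # case-insensitive and the value may be double-quoted.
        m = re.match(r'([A-Za-z]+)(?:\s*=\s*|\s+)"?([^"#\s]+)', line)
        if m and m.group(1).lower() in NONE_OPTS:
            key = m.group(1).lower()
            found.setdefault(key, []).append((lineno, m.group(2).lower()))
    return found

def enabled(settings, option):
    """True if any line sets the option to yes (conservative: position ignored)."""
    return any(value == "yes" for _, value in settings.get(option, []))

def none_possible(client_cfg, server_cfg):
    """Unencrypted bulk transfer needs the client to request it and both ends to allow it."""
    c, s = none_settings(client_cfg), none_settings(server_cfg)
    return (enabled(c, "noneenabled") and enabled(c, "noneswitch")
            and enabled(s, "noneenabled"))

# Constructed sample configs, for illustration only.
CLIENT_CFG = """\
Host transfer-node
    NoneEnabled yes
    noneswitch=yes
"""
SERVER_ALLOWS = "Port 2222\nNoneEnabled = yes\n"
SERVER_DENIES = "Port 2222\n#NoneEnabled yes\nNoneEnabled no\n"

if __name__ == "__main__":
    for name, cfg in (("allows", SERVER_ALLOWS), ("denies", SERVER_DENIES)):
        print(name, none_settings(cfg), none_possible(CLIENT_CFG, cfg))
```

A host where this reports `True` can carry post-authentication traffic in the clear, so it belongs on the list of systems restricted to non-sensitive data.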