Hallo to everyone! First I would like to thank everybody for making a free implementation of ssh available.

I am administrating the network at the computer science department of the University of Munich. Here, rcp (as in many other places, I guess) is banned for security reasons. I, as well as others, use scp regularly to copy files from one machine to another.

The problem is that the transfer rate is nowhere near what a 100Mbps connection would give. To and from my P5-233 laptop gets only about 350KBps. Between P6-450 machines the performance is about double. In contrast, if I used ftp, I'd get much much more. I checked and noticed that ssh used up all the CPU power for encrypting the data.

I remember ssh-nonfree having a cipher 'none' which does not encrypt the actual data. But it's not available in OpenSSH up to 1.2.1pre25. I checked the source and all the infrastructure seemed to be there, so I added support for "-c none". See the attached patch. It has been tested between two up-to-date Debian Linux (potato) boxes running Linux 2.2.13 and Linux 2.3.32 with openssh-1.2.1pre25. On the above said laptop transfer rates of 3MBps were obtained (loopback test).

Because authentication is still done using RSA keys, there should be no huge security impacts. Also "-c none" would only be explicitly specified by the user when transferring large files.

As I am not subscribed to the list, I'd appreciate if any replies could be Cc:-ed to me. Thanks.

-- 
Oliver M. Bolzer oliver at gol.com
GPG (PGP) Fingerprint = 621B 52F6 2AC1 36DB 8761 018F 8786 87AD EF50 D1FF

-------------- next part --------------
Only in openssh-1.2.1pre25: Makefile diff -ur openssh-1.2.1pre25.orig/cipher.c openssh-1.2.1pre25/cipher.c --- openssh-1.2.1pre25.orig/cipher.c Tue Dec 14 23:34:31 1999 +++ openssh-1.2.1pre25/cipher.c Fri Jan 14 14:37:16 2000 
@@ -148,6 +148,7 @@ unsigned int mask = 0; mask |= 1 << SSH_CIPHER_3DES; /* Mandatory */ mask |= 1 << SSH_CIPHER_BLOWFISH; + mask |= 1 << SSH_CIPHER_NONE; return mask; } diff -ur openssh-1.2.1pre25.orig/ssh.c openssh-1.2.1pre25/ssh.c --- openssh-1.2.1pre25.orig/ssh.c Wed Dec 29 00:17:09 1999 +++ openssh-1.2.1pre25/ssh.c Fri Jan 14 14:40:50 2000 @@ -106,7 +106,8 @@ fprintf(stderr, " -c cipher Select encryption algorithm: " "``3des'', " - "``blowfish''\n"); + "``blowfish'', " + "``none''\n"); fprintf(stderr, " -p port Connect to this port. Server must be on the same port.\n"); fprintf(stderr, " -L listen-port:host:port Forward local port to remote address\n"); fprintf(stderr, " -R listen-port:host:port Forward remote port to local address\n");
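Review bot: the cipher.c hunk ORs SSH_CIPHER_NONE into the supported-cipher mask unconditionally, so every build of this code reports the null cipher as supported, which is broader than the cover note's "only be explicitly specified by the user when transferring large files" implies. Guard the added line with a compile-time switch that is off by default (the "--with-none" configure option proposed in the reply would set it), so a stock build still returns only the 3DES and Blowfish bits. Nothing in this diff shows an sshd-side setting to refuse the null cipher either, and the stray "Only in openssh-1.2.1pre25: Makefile" line at the top of the diff indicates a generated Makefile left in the tree.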
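Review bot: the ssh.c hunk lists ``none'' in the usage text next to ``3des'' and ``blowfish'' as if it were just another encryption algorithm; since it sends the session data unencrypted, the help line should say so, e.g. "``none'' (no encryption)", and the ssh(1) man page, which this diff does not touch, needs the same caveat.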
On Fri, Jan 14, 2000 at 03:58:47PM +0100, Oliver M . Bolzer wrote:
> Hallo to everyone!
> First I would like to thank everybody for making a free implementation
> of ssh available.
> I am administrating the network at the computer science department of
> the University of Munich. Here, rcp (as in many other places, I guess)
> is banned for security reasons. I, as well as others, use scp regularly
> to copy files from one machine to another.
> The problem is, that the transfer rate is nowhere near what a 100Mbps
> connection would give. To and from my P5-233 laptop gets only about
> 350KBps. Between P6-450 machines the performance is about double. In contrast
> if I used ftp, I'd get much much more. I checked and noticed, that ssh
> used up all the CPU power for encrypting the data.

If you are concerned with performance, I'd suggest using "des". You are getting "trivial" encryption; i.e. not enough encryption to stop someone from seeing the data given some time, but sufficient encryption to keep "most" people from becoming the man in the middle and changing your data in-transit. Even so, do NOT pass ANY sensitive data over des, since it can be easily cracked within a couple of weeks.

> I remember ssh-nonfree having a cipher 'none' which does not encrypt
> the actual data. But it's not available in OpenSSH up to 1.2.1pre25 .
> I checked the source and all the infrastructure seemed to be there, so
> I added support for "-c none". See the attached patch.
> It has been tested between two up-to-date Debian Linux (potato) boxes
> running Linux 2.2.13 and Linux 2.3.32 with openssh-1.2.1pre25.
> On the above said laptop transfer rates of 3MBps were obtained (loopback
> test)
>
> Because authentication is still done using RSA keys, there should be
> no huge security impacts. Also "-c none" would only be explicitly specified
> by the user when transferring large files.

-c none is still a large security exposure. It is the encryption that keeps someone from waiting until after the keys pass and then immediately stepping in and either altering data or intercepting passwords. I'm not even sure that I'd support this, but the only way this should go into the tree is with a "--with-none" option for configure that is by default "without".

David
-- 
David W. Rankin, Jr. Husband, Father, and UNIX Sysadmin.
Email: drankin at bohemians.lexington.ky.us
Address/Phone Number: Ask me.
"It is no great thing to be humble when you are brought low; but to be humble when you are praised is a great and rare accomplishment." St. Bernard
It's been suggested to me that I use blowfish if I am more concerned with speed than with security. Wasn't there some weakness in the SSH protocol if the null cipher were supported in the endpoints even if the user doesn't choose it? It may have been a vulnerability to a man-in-the-middle attack, I'm not sure.

Phil