Demi M. Obenour
2019-Oct-16 16:12 UTC
Re: “Stripped-down” SSH (no encryption or authentication, just forwarding)
On 2019-10-16 08:07, Nico Kadel-Garcia wrote:
>
> stunnel? https://www.stunnel.org/static/stunnel.html ?
>

stunnel doesn't support multiplexing. As I mentioned in another email, my connection may not be over a network at all; it may be over a serial line, Xen vchan, or other such stream. Using a full VPN is overkill here.

The HPN patches for OpenSSH are the closest to a solution I have found, although I might wind up writing my own tool.

Would a dedicated protocol, such as yamux, be better for this than SSH?

Sincerely,

Demi
Peter Moody
2019-Oct-16 18:12 UTC
Re: “Stripped-down” SSH (no encryption or authentication, just forwarding)
> Would a dedicated protocol, such as yamux, be better for this than SSH?

I suspect you're more likely to get a yamux tool working than convince the openssh maintainers to add a "-oCiphers=none".
Damien Miller
2019-Oct-17 00:52 UTC
Re: “Stripped-down” SSH (no encryption or authentication, just forwarding)
On Wed, 16 Oct 2019, Peter Moody wrote:
> > Would a dedicated protocol, such as yamux, be better for this than
> > SSH?
>
> I suspect you're more likely to get a yamux tool working than convince
> the openssh maintainers to add a "-oCiphers=none"

Yeah, this comes up from time to time. Our position is unchanged - OpenSSH is a secure, encrypted login (etc.) system and offering an unencrypted mode is contrary to our product philosophy. Others are welcome to (and do) add it; it's only a few lines to change.

BTW we had already made this decision before the world saw http://www.mindrot.org/junk/ssl-here.jpg and we're even more firm now.

If you want to use OpenSSH for your use-case, consider selecting either a fast software implemented cipher like chacha20-poly1305 or one that has hardware acceleration on your platform (usually an AES variant, with AES-GCM best if supported). They are quite low-overhead.

Alternately, there's SOCKS. If that's not your thing then PPP over a TCP socket gives you arbitrary network forwarding capabilities and the benefit of a full network stack and associated controls (e.g. you can run it in an isolated routing domain/VRF).

-d
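The cipher-selection advice in Damien's reply, turned into a small POSIX sh helper as an added example (not code from the thread or from OpenSSH): prefer AES-GCM when the CPU advertises AES acceleration, fall back to chacha20-poly1305 otherwise, and only ever pick a cipher the local ssh actually supports. The cipher identifiers are the ones `ssh -Q cipher` prints on current OpenSSH releases; reading the CPU flags from /proc/cpuinfo assumes Linux.

```shell
#!/bin/sh
# Added example: choose the lowest-overhead OpenSSH cipher for this host.
# AES-GCM wins when the CPU has AES acceleration (the "aes" feature flag),
# chacha20-poly1305 (fast in pure software) wins otherwise.

# pick_cipher CPU_FLAGS SUPPORTED_CIPHERS
#   CPU_FLAGS         space-separated CPU feature flags (e.g. from /proc/cpuinfo)
#   SUPPORTED_CIPHERS output of `ssh -Q cipher` (newline- or space-separated)
# Prints the chosen cipher name; returns 1 if no candidate is supported locally.
pick_cipher() {
    flags=" $1 "
    supported=" $(printf '%s' "$2" | tr '\n' ' ') "
    case "$flags" in
        *" aes "*)
            candidates="aes256-gcm@openssh.com aes128-gcm@openssh.com chacha20-poly1305@openssh.com" ;;
        *)
            candidates="chacha20-poly1305@openssh.com aes256-gcm@openssh.com aes128-gcm@openssh.com" ;;
    esac
    for c in $candidates; do
        case "$supported" in
            *" $c "*) printf '%s\n' "$c"; return 0 ;;
        esac
    done
    return 1
}

# Linux: x86 lists CPU features on a "flags" line, ARM on a "Features" line.
host_cpu_flags() {
    grep -m1 -E '^(flags|Features)' /proc/cpuinfo 2>/dev/null | cut -d: -f2
}

# Real-host usage: print a forwarding-only ssh command line with the chosen
# cipher pinned via -o Ciphers=... (user@host and the port are placeholders).
if cipher=$(pick_cipher "$(host_cpu_flags)" "$(ssh -Q cipher 2>/dev/null)"); then
    echo "ssh -o Ciphers=$cipher -N -L 8080:localhost:80 user@host"
fi
```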