Darren Tucker
2024-Jul-28 12:51 UTC
SSH time increased significantly after upgrade to OpenSSH 9.6p1
On Sun, 28 Jul 2024 at 22:34, radiatejava <radiatejava at gmail.com> wrote:
> We upgraded sshd in our product from OpenSSH 8.6 to OpenSSH 9.6.
> After the upgrade, clients are seeing a significant increase in time to
> do ssh to the listener. Normally, a single ssh does not matter much
> but some of our workflows involve about 3000 to 4000 ssh connect and
> close and this is hitting us hard.

Aside: could you use connection multiplexing for this case?

> I enabled logging on the server side. I see most of the increase
> is here in receiving 'SSH2_MSG_KEX_ECDH_INIT received'. There is an
> increase of about 336221 - 150435 = ~185 msec.

Here's the reason:

> //OpenSSH 9.6p1 logs
> Jul 23 17:42:50.150288 ifav87-apic2 sshd[1090464]: debug1: kex:
> algorithm: sntrup761x25519-sha512@openssh.com [preauth]

> //OpenSSH 8.6p1
> Jul 23 17:32:24.932126 apic2 sshd[342983]: debug1: kex: algorithm:
> curve25519-sha256 [preauth]

OpenSSH 9.0 introduced a quantum resistant hybrid kex method as the
highest priority method. Quoting
https://www.openssh.com/releasenotes.html#9.0:

 * ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key
   exchange method by default ("sntrup761x25519-sha512@openssh.com").
   The NTRU algorithm is believed to resist attacks enabled by future
   quantum computers and is paired with the X25519 ECDH key exchange
   (the previous default) as a backstop against any weaknesses in
   NTRU Prime that may be discovered in the future. The combination
   ensures that the hybrid exchange offers at least as good security
   as the status quo.

This is more expensive than the previous defaults. You can disable
this if necessary on either the server or client configs, see
KexAlgorithms in ssh_config(5) and sshd_config(5).

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
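A small check, added here and not part of the thread, for confirming the diagnosis above on your own logs: it pairs each sshd connection's "kex: algorithm:" line with its "SSH2_MSG_KEX_ECDH_INIT received" line by PID and reports the negotiated method and the elapsed time, so you can compare sntrup761x25519 against curve25519 connections directly. The syslog prefix format is the one shown in the quoted logs; the sample lines after the first are constructed, as are the "received" timestamps.

```python
"""Measure the server-side KEX phase from sshd debug logs (constructed example)."""
import re
from datetime import datetime

# Syslog-style prefix with microsecond timestamps, as in the thread's logs:
#   "Jul 23 17:42:50.150288 host sshd[1090464]: debug1: ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{6}) \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
ALG_RE = re.compile(r"kex: algorithm: (?P<alg>\S+)")
INIT_MARK = "SSH2_MSG_KEX_ECDH_INIT received"


def _parse_ts(ts: str) -> datetime:
    # Syslog timestamps carry no year; the default year is fine for deltas.
    return datetime.strptime(ts, "%b %d %H:%M:%S.%f")


def kex_durations(lines):
    """Return {pid: (kex_algorithm, elapsed_ms)} for every connection whose
    algorithm-selection and ECDH_INIT-received lines both appear."""
    started = {}  # pid -> (algorithm, time the method was chosen)
    result = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd line in the expected format
        pid, msg = m.group("pid"), m.group("msg")
        a = ALG_RE.search(msg)
        if a:
            started[pid] = (a.group("alg"), _parse_ts(m.group("ts")))
        elif INIT_MARK in msg and pid in started:
            alg, t0 = started.pop(pid)
            delta = _parse_ts(m.group("ts")) - t0
            elapsed_us = delta.days * 86_400_000_000 + delta.seconds * 1_000_000 + delta.microseconds
            result[pid] = (alg, elapsed_us / 1000)
    return result


# Constructed sample: the first line is the 9.6p1 line quoted in the thread,
# the "received" timestamps and the 8.6p1 pair are illustrative values.
SAMPLE_LOG = """\
Jul 23 17:42:50.150288 ifav87-apic2 sshd[1090464]: debug1: kex: algorithm: sntrup761x25519-sha512@openssh.com [preauth]
Jul 23 17:42:50.336221 ifav87-apic2 sshd[1090464]: debug1: SSH2_MSG_KEX_ECDH_INIT received [preauth]
Jul 23 17:32:24.932126 apic2 sshd[342983]: debug1: kex: algorithm: curve25519-sha256 [preauth]
Jul 23 17:32:24.975102 apic2 sshd[342983]: debug1: SSH2_MSG_KEX_ECDH_INIT received [preauth]
""".splitlines()

if __name__ == "__main__":
    for pid, (alg, ms) in kex_durations(SAMPLE_LOG).items():
        print(f"sshd[{pid}] {alg}: {ms:.3f} ms to KEX_ECDH_INIT")
```

Run sshd with LogLevel DEBUG1 and feed the resulting log to kex_durations() to see the per-connection cost of whichever method your clients actually negotiate.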
Damien Miller
2024-Jul-30 00:28 UTC
SSH time increased significantly after upgrade to OpenSSH 9.6p1
On Sun, 28 Jul 2024, Darren Tucker wrote:
> OpenSSH 9.0 introduced a quantum resistant hybrid kex method as the
> highest priority method. Quoting
> https://www.openssh.com/releasenotes.html#9.0:
>
> * ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key
>   exchange method by default ("sntrup761x25519-sha512@openssh.com").
>   The NTRU algorithm is believed to resist attacks enabled by future
>   quantum computers and is paired with the X25519 ECDH key exchange
>   (the previous default) as a backstop against any weaknesses in
>   NTRU Prime that may be discovered in the future. The combination
>   ensures that the hybrid exchange offers at least as good security
>   as the status quo.
>
> This is more expensive than the previous defaults. You can disable
> this if necessary on either the server or client configs, see
> KexAlgorithms in ssh_config(5) and sshd_config(5).

We should look at using an optimised version of NTRUPrime, at the
moment we're just using a generic version that isn't very fast. There's
probably a 3-5x saving to be made...

-d