search for: kex_default_comp

Compressing data before encryption may be dangerous, for example CRIME, BREACH and VORACLE. Can compression be disabled by default in OpenSSH, only being enabled if user requests it? Another scenario when SSH compression may be bad is use of commands like tar cz | ssh root at remote "tar xz", which seem pretty common. If SSH compression is enabled, data will be (wastefully) compressed

...fine COMP_ZSTD 3 +#define COMP_ALL_C 4 +#define COMP_ALL_S 5 #define CURVE25519_SIZE 32 diff --git a/myproposal.h b/myproposal.h index ee6e9f7415261..a015190b35d9f 100644 --- a/myproposal.h +++ b/myproposal.h @@ -88,7 +88,7 @@ "rsa-sha2-512," \ "rsa-sha2-256" -#define KEX_DEFAULT_COMP "none,zlib at openssh.com" +#define KEX_DEFAULT_COMP "none,zstd at breakpoint.cc,zlib at openssh.com" #define KEX_DEFAULT_LANG "" #define KEX_CLIENT \ diff --git a/packet.c b/packet.c index 3f64d2d32854a..a39b8d7fbd963 100644 --- a/packet.c +++ b/packet.c @@ -79,6...

I added ZSTD support to OpenSSH roughly three years ago and I've been playing with it ever since. The nice part is that ZSTD achieves reasonable compression (like zlib) but consumes little CPU so it is unlikely that compression becomes the bottle neck of a transfer. The compression overhead (CPU) is negligible even when uncompressed data is tunneled over the SSH connection (SOCKS proxy, port

I hacked zstd support into OpenSSH a while ago and just started to clean it up in the recent days. The cleanup includes configuration support among other things that I did not have. During testing I noticed the following differences compared to zlib: - highly interactive shell output (as in refreshed at a _very_ high rate) may result in higher bandwidth compared to zlib. Since zstd is quicker

...1.12 myproposal.h --- myproposal.h 5 Mar 2001 15:56:16 -0000 1.12 +++ myproposal.h 22 Oct 2001 18:42:06 -0000 @@ -34,7 +34,11 @@ "hmac-md5,hmac-sha1,hmac-ripemd160," \ "hmac-ripemd160 at openssh.com," \ "hmac-sha1-96,hmac-md5-96" +#ifdef WITH_COMPRESSION #define KEX_DEFAULT_COMP "none,zlib" +#else +#define KEX_DEFAULT_COMP "none" +#endif #define KEX_DEFAULT_LANG "" Index: packet.c =================================================================== RCS file: /home/markus/cvs/ssh/packet.c,v retrieving revision 1.70 diff -u -r1.70 packet.c -...

I added ZSTD support to OpenSSH roughly over a year and I've been playing with it ever since. The nice part is that ZSTD achieves reasonable compression (like zlib) but consumes little CPU so it is unlikely that compression becomes the bottle neck of a transfer. The compression overhead (CPU) is negligible even when uncompressed data is tunneled over the SSH connection (SOCKS proxy, port

...NCRYPT \ + "aes128-cbc,3des-cbc," \ + "aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se," \ + "aes128-ctr,aes192-ctr,aes256-ctr" + #define KEX_DEFAULT_MAC \ + "hmac-sha1," \ + "hmac-sha1-96" +#endif + #define KEX_DEFAULT_COMP "none,zlib at openssh.com,zlib" #define KEX_DEFAULT_LANG "" --- openssh-4.7p1/readconf.h Mon Dec 17 03:35:58 2007 +++ openssh-4.7p1/readconf.h Mon Dec 17 03:53:57 2007 @@ -120,6 +120,7 @@ char *local_command; int permit_local_command; + int fips_mode; } Options...