Bug 428333

Summary: should enable cipher "none"
Product: [Fedora] Fedora
Reporter: Jonathan Kamens <jik>
Component: openssh
Assignee: Tomas Mraz <tmraz>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 9
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-10-01 11:13:13 UTC

Description Jonathan Kamens 2008-01-10 21:45:09 UTC
Several years ago, someone requested in bug #111641 that the "none" cipher be 
enabled, to allow encryption-free SSH connections to be established.

It was closed with WONTFIX, with the comment, "If your computer is fast enough 
to run X, it's fast enough to run arcfour."

I think that comment, and the decision not to support plaintext connections, is 
outdated, and I would like to ask for that decision to be reconsidered.

I tested the data transfer speed when using SSH with the arcfour cipher between 
two servers on a gigabit LAN with 2.4GHz CPUs.  The transfer speed turns out to 
be around 30MB/s.

30MB/s is fine when you're transferring over most WAN connections or when 
you're transferring across a 1Mbit network or even a 10Mbit network.  In these 
scenarios, the SSH transfer speed is still faster than the network speed, so 
SSH introduces no delay in the transmission of the data.

However, gigabit copper is becoming ubiquitous, and even fiber to the desktop 
isn't so uncommon anymore.  Every computer at my company has a gigabit NIC 
plugged into a gigabit switch.  In a gigabit environment, an encrypted SSH 
transfer using 2.4GHz CPUs, which are hardly slow or obsolete, takes 70% less 
time than an unencrypted transfer would take.

When I'm transferring a big chunk of data across my corporate LAN, I don't need 
for the data to be encrypted.  All I need is a way to initiate the connection 
securely.  SSH can provide that, but it sucks big time that after the 
connection is initiated, I have to sit around twiddling my thumbs waiting for a 
transfer that could be going more than three times as fast if it weren't for 
the unnecessary encryption.

Comment 1 Tomas Mraz 2008-01-10 23:24:03 UTC
Could you report your findings into the upstream bugzilla?
http://bugzila.mindrot.org/



Comment 2 Jonathan Kamens 2008-01-10 23:47:20 UTC
Done, but I hope you will consider fixing this bug even if the OpenSSH team 
declines to do so.

Comment 3 Bug Zapper 2008-05-14 04:44:36 UTC
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 4 Tomas Mraz 2008-10-01 11:13:13 UTC
I am not willing to break the security expectations of the ssh protocol when upstream decided that they will not do it either.