Red Hat Bugzilla – Bug 428333
should enable cipher "none"
Last modified: 2008-10-01 07:13:13 EDT
Several years ago, someone requested in bug #111641 that the "none" cipher be
enabled, to allow encryption-free SSH connections to be established.
It was closed with WONTFIX, with the comment, "If your computer is fast enough
to run X, it's fast enough to run arcfour."
I think that comment, and the decision not to support plaintext connections, is
outdated, and I would like to ask for that decision to be reconsidered.
I tested the data transfer speed when using SSH with the arcfour cipher between
two servers on a gigabit LAN with 2.4GHz CPUs. The transfer speed turns out to
be around 30MB/s.
30MB/s is fine when you're transferring over most WAN connections or when
you're transferring across a 1Mbit network or even a 10Mbit network. In these
scenarios, the SSH transfer speed is still faster than the network speed, so
SSH introduces no delay in the transmission of the data.
However, gigabit copper is becoming ubiquitous, and even fiber to the desktop
isn't so uncommon anymore. Every computer at my company has a gigabit NIC
plugged into a gigabit switch. In a gigabit environment, an encrypted SSH
transfer using 2.4GHz CPUs, which are hardly slow or obsolete, takes 70% less
time than an unencrypted transfer would take.
When I'm transferring a big chunk of data across my corporate LAN, I don't need
for the data to be encrypted. All I need is a way to initiate the connection
securely. SSH can provide that, but it sucks big time that after the
connection is initiated, I have to sit around twiddling my thumbs waiting for a
transfer that could be going more than three times as fast if it weren't for
the unnecessary encryption.
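To reproduce the comparison the reporter describes, here is an added example (not code from the bug report, from Fedora or from OpenSSH) that pushes a fixed payload through ssh once per cipher and once over a raw TCP socket, then reports MB/s and the percentage overhead of each cipher over the plaintext baseline. It assumes REMOTE accepts non-interactive ssh logins, that an OpenBSD-style netcat ("nc -l PORT", "-N" to close on EOF) is installed on both ends, and that "date +%s.%N" gives sub-second time (GNU coreutils); the REMOTE, NC_PORT, MEGABYTES and RUN_BENCH variables are knobs invented for this script. Because a stock OpenSSH build has no cipher "none" (the point in dispute here), the baseline is measured outside ssh rather than with it.

```shell
#!/bin/sh
# Added example, not part of the bug report: reproduce the reporter's
# measurement by pushing a fixed payload through ssh for each cipher and
# comparing it against a plaintext baseline over netcat.
#
# Assumptions (not from the page): REMOTE accepts non-interactive ssh logins,
# OpenBSD-style netcat (`nc -l PORT`, `-N` to close on EOF) is installed on
# both ends, and `date +%s.%N` gives sub-second time (GNU coreutils).

REMOTE="${REMOTE:-localhost}"
MEGABYTES="${MEGABYTES:-256}"     # payload size per run
NC_PORT="${NC_PORT:-9999}"        # TCP port for the plaintext baseline
BYTES=$((MEGABYTES * 1048576))

now() { date +%s.%N; }

# Elapsed seconds between two `now` readings.
elapsed() { awk -v a="$1" -v b="$2" 'BEGIN { printf "%.3f\n", b - a }'; }

# MB/s for a byte count over a duration; "inf" if the duration is zero.
throughput_mbs() {
    awk -v b="$1" -v s="$2" \
        'BEGIN { if (s <= 0) { print "inf"; exit } printf "%.1f\n", b / s / 1048576 }'
}

# Extra time the encrypted run takes relative to the baseline, in percent.
# A run that is three times slower shows as 200%, which is the figure to hold
# against the "three times as fast" claim in the report.
overhead_pct() {
    awk -v enc="$1" -v plain="$2" 'BEGIN { printf "%.0f\n", (enc - plain) / plain * 100 }'
}

# Send the payload through ssh with one cipher; print elapsed seconds, or
# "unsupported" when the server rejects the cipher (e.g. arcfour on a
# current OpenSSH, or "none" on any stock build).
time_ssh() {
    start=$(now)
    if dd if=/dev/zero bs=1M count="$MEGABYTES" 2>/dev/null |
        ssh -o Ciphers="$1" "$REMOTE" 'cat > /dev/null' 2>/dev/null
    then
        elapsed "$start" "$(now)"
    else
        echo unsupported
    fi
}

# Plaintext baseline: same payload over a raw TCP socket. ssh is used only to
# start the remote listener; the bulk data never enters the ssh channel.
time_plain() {
    ssh "$REMOTE" "nc -l $NC_PORT > /dev/null" 2>/dev/null &
    sleep 1
    start=$(now)
    dd if=/dev/zero bs=1M count="$MEGABYTES" 2>/dev/null | nc -N "$REMOTE" "$NC_PORT"
    elapsed "$start" "$(now)"
    wait
}

bench() {
    plain=$(time_plain)
    printf 'plaintext (nc)           %6ss  %7s MB/s\n' "$plain" "$(throughput_mbs "$BYTES" "$plain")"
    # Ciphers to try: command-line args, else whatever the local client offers.
    [ $# -gt 0 ] || set -- $(ssh -Q cipher)
    for c in "$@"; do
        t=$(time_ssh "$c")
        if [ "$t" = unsupported ]; then
            printf '%-24s unsupported by server\n' "$c"
        else
            printf '%-24s %6ss  %7s MB/s  +%s%%\n' "$c" "$t" \
                "$(throughput_mbs "$BYTES" "$t")" "$(overhead_pct "$t" "$plain")"
        fi
    done
}

# Only touch the network when explicitly asked, so the arithmetic helpers can
# be sourced and checked on their own.
if [ "${RUN_BENCH:-0}" = 1 ]; then
    bench "$@"
fi
```

Run it as RUN_BENCH=1 REMOTE=somehost sh bench.sh aes128-ctr chacha20-poly1305@openssh.com; with no cipher arguments it walks the output of "ssh -Q cipher". Both the baseline and the ssh runs end in "cat > /dev/null" on the remote side, so disk is out of the picture and the measured difference is the cipher plus ssh framing and MAC work; a 30MB/s ssh figure against a 100MB/s-class plaintext figure would come out as roughly +230% on this scale.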
Could you report your findings into the upstream bugzilla?
Done, but I hope you will consider fixing this bug even if the OpenSSH team
declines to do so.
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
I am not willing to break the security expectations of the ssh protocol when upstream has decided that they will not do it either.