LinuxQuestions.org
Old 11-26-2005, 06:51 PM   #1
HaPagan
LQ Newbie
 
Registered: Mar 2005
Location: Greece
Distribution: Mandriva 2005LE
Posts: 21

Rep: Reputation: 15
SSH - Problem with ciphers


I have properly installed OpenSSH on two PCs, which run Mandriva 2005 and SUSE 9.2. I want to evaluate the performance of the network in relation to the cipher being used. I have also managed to use both password and public/private key authentication.

The problem is that the transfer time is the same whether I use a cipher or not... I can't explain this...

I always apply the following steps to change a cipher :

1. Open the ssh_config (client properties)
2. Go to line "Cipher 3des"
3. Edit the existing cipher with the preferred one
4. Save the file

I use sftp username@server to connect to the server and the get command to download the file to the client.
 
Old 11-27-2005, 07:18 AM   #2
DaveG
Member
 
Registered: Nov 2001
Location: London, UK
Distribution: Fedora 16
Posts: 160

Rep: Reputation: 41
Make sure you know what you are measuring. It may be that the overhead of the cipher is small in relation to the network transfer time - all of the cipher work could be done while waiting to send or receive the next packet. The overhead may only show up under high system load - which will make measurements even more difficult to reproduce.

Also check which cipher is actually negotiated between the client and server.
 
Old 11-27-2005, 11:03 AM   #3
HaPagan
LQ Newbie
 
Registered: Mar 2005
Location: Greece
Distribution: Mandriva 2005LE
Posts: 21

Original Poster
Rep: Reputation: 15
You have a point there, but I have already tested OpenSSH with various ciphers (AES, 3DES, Blowfish, Arcfour) in Windows XP using Cygwin and everything worked fine! But now I have to make the measurements in a Linux environment...

The problem seems to be that the selected cipher algorithm is not being applied. It is not logical that the transfer time is the same whether using a cipher or not...

Any suggestions?

Is there a way to verify which cipher algorithm is being used? Something like a log?

Last edited by HaPagan; 11-27-2005 at 12:01 PM.
 
Old 11-27-2005, 04:47 PM   #4
DaveG
Member
 
Registered: Nov 2001
Location: London, UK
Distribution: Fedora 16
Posts: 160

Rep: Reputation: 41
You could try running the ssh server daemon in debug mode with -d. This stops it from backgrounding itself, quits after one connection session and outputs verbose debug information to syslog. That should provide details on which ciphers get selected etc.

As for performance, as far as I know, for short connections, most time is spent generating and exchanging session keys and negotiating client/server settings. Have you considered comparing sftp to ftp? At least you can guarantee that there will be no encryption overhead with ftp.

I did a quick search: Apparently, blowfish is about 11 times faster than 3DES but no-one can show test results to prove it makes ANY difference over a network! There may not be any differences to measure (under Linux).

For a definitive answer, I suggest the OpenSSH mailing lists: http://www.openssh.org/list.html
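As an added illustration (not part of any post in this thread, and not OpenSSH's own tooling), the following shell functions read OpenSSH debug output on stdin and report the cipher negotiated in each direction, then check it against the cipher that was requested. The function names and the sample debug lines are constructed for this example; both the older and the newer layout of the `kex:` debug line are handled.

```shell
#!/bin/sh
# Added example: extract the negotiated cipher from OpenSSH debug output.
# Typical use (host and user are placeholders):
#   ssh -v -oCiphers=aes128-ctr user@server true 2>&1 | negotiated_ciphers

# Print "<direction> <cipher>" for each key-exchange result line.
negotiated_ciphers() {
    awk '
    # Older layout: debug1: kex: server->client arcfour hmac-md5 none
    # Newer layout: debug1: kex: server->client cipher: aes128-ctr MAC: ... compression: none
    $2 == "kex:" && ($3 == "server->client" || $3 == "client->server") {
        cipher = ($4 == "cipher:") ? $5 : $4
        print $3, cipher
    }'
}

# Exit 0 only if both directions were seen and both use the requested cipher.
# A non-zero exit means the configured cipher was not the one applied.
cipher_applied() {
    negotiated_ciphers | awk -v want="$1" '
        { seen++; if ($2 != want) bad = 1 }
        END { if (seen == 2 && !bad) exit 0; exit 1 }'
}

# Constructed sample: older debug layout.
sample_old_format() {
cat <<'EOF'
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client arcfour hmac-md5 none
debug1: kex: client->server arcfour hmac-md5 none
EOF
}

# Constructed sample: newer debug layout, with unrelated kex lines mixed in.
sample_new_format() {
cat <<'EOF'
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: aes128-ctr MAC: umac-64-etm@openssh.com compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: umac-64-etm@openssh.com compression: none
EOF
}

sample_old_format | negotiated_ciphers
sample_new_format | cipher_applied aes128-ctr && echo "aes128-ctr applied in both directions"
```

Running the check once per cipher before timing a transfer confirms that each measurement really used the cipher it is labelled with.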
 
Old 11-27-2005, 07:04 PM   #5
HaPagan
LQ Newbie
 
Registered: Mar 2005
Location: Greece
Distribution: Mandriva 2005LE
Posts: 21

Original Poster
Rep: Reputation: 15
I executed sshd <mypc> -vvv and I saw that it has a line "Cipher: arcfour" and "Ciphers:arcfour"... So I can guess that the selection and application of the ciphers is done correctly! But I keep getting unexpected results...

Is there an SSH server/client with a GUI for Linux? Can you suggest one?
 
Old 11-27-2005, 10:09 PM   #6
HaPagan
LQ Newbie
 
Registered: Mar 2005
Location: Greece
Distribution: Mandriva 2005LE
Posts: 21

Original Poster
Rep: Reputation: 15
I believe that I solved my problem by using the scp command with the parameter -oCiphers=<ciphername>. Now I get some logical results. I can assume that for small file transfers, cipher algorithms don't make a difference!

Thanks DaveG for your interest!
 
Old 11-28-2005, 12:22 AM   #7
primo
Member
 
Registered: Jun 2005
Posts: 542

Rep: Reputation: 34
You may run openssl at the terminal and type "help" and then "speed" so you can time the algorithms on your machine. OpenSSH uses OpenSSL, so speed would be easier to know.
 
Old 11-28-2005, 05:49 AM   #8
HaPagan
LQ Newbie
 
Registered: Mar 2005
Location: Greece
Distribution: Mandriva 2005LE
Posts: 21

Original Poster
Rep: Reputation: 15
Very good idea! I didn't know that OpenSSH cooperates with OpenSSL! I will try it, although I use Ethereal to capture the transferred packets.
 
  

