Sunday, March 28. 2010
Encryption method "none" for Solaris 10 SSH
Situation: Home network, partly Ethernet, partly WLAN. The probability that someone sniffs your network traffic or brute-forces your WPA2 encryption is rather low. Still, you may want to have your telnet and r*-services disabled.
Imagine one or more of your computers is real legacy hardware (Pentium 3) running Solaris 10 x86. Out of the box, SSH is very slow for big file transfers (scp, sftp), because the payload is encrypted with aes128-ctr by default. Using "-c arcfour" helps a bit, but only so much.
Using "-c none" does not work, as "none" is not configured as a valid SSH2 cipher in cipher.c:
(...)
} ciphers[] = {
{ "none", SSH_CIPHER_NONE, 8, 0, 0, EVP_enc_null },
{ "des", SSH_CIPHER_DES, 8, 8, 0, EVP_des_cbc },
{ "3des", SSH_CIPHER_3DES, 8, 16, 0, evp_ssh1_3des },
{ "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, 0, evp_ssh1_bf },
{ "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, EVP_des_ede3_cbc },
{ "blowfish-cbc", SSH_CIPHER_SSH2, 8, 16, 0, EVP_bf_cbc },
(...)
Now, recompiling ssh from the OpenSolaris source is quite a bit of work, and how would you install the result on top of your Solaris 10? The same problem applies to OpenSSH, as Sun added a few features and you may want to be 100% compatible with Sun's SSH.
What do you do? Well, you patch the binaries:
$ pwd
/usr/bin
$ ls -l ssh ssh.orig
-r-xr-xr-x 1 root bin 239432 Feb 17 16:50 ssh
-r-xr-xr-x 1 root bin 239432 Aug 9 2009 ssh.orig
$ cmp -lc ssh.orig ssh
231141 0 ^@ 375 ý
231142 0 ^@ 377 ÿ
231143 0 ^@ 377 ÿ
231144 0 ^@ 377 ÿ
$ cd /usr/lib/ssh
$ ls -l sshd sshd.orig
-r-xr-xr-x 1 root bin 328136 Feb 17 15:52 sshd
-r-xr-xr-x 1 root bin 328136 Aug 9 2009 sshd.orig
$ cmp -lc sshd.orig sshd
318869 0 ^@ 375 ý
318870 0 ^@ 377 ÿ
318871 0 ^@ 377 ÿ
318872 0 ^@ 377 ÿ
Now, Solaris will happily accept "none" as an SSH2 cipher.
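What the four patched bytes mean, as an added example that is not part of the original post: the script decodes the cmp output above as a little-endian 32-bit integer, which goes from 0 to -3, consistent with the "none" row's number field changing from SSH_CIPHER_NONE to SSH_CIPHER_SSH2. The constant values are taken from OpenSSH's cipher.h and assumed to be the same in Sun's SSH; the function names are hypothetical.

```python
import struct

# Cipher "number" values from OpenSSH's cipher.h; assumed identical in Sun's SSH.
CIPHER_NUMBERS = {-3: "SSH_CIPHER_SSH2", -2: "SSH_CIPHER_INVALID",
                  -1: "SSH_CIPHER_NOT_SET", 0: "SSH_CIPHER_NONE"}

# Numeric columns of the two cmp sessions above (character columns dropped):
# 1-based offset, byte in *.orig (octal), byte in the patched file (octal).
SSH_DIFF = "231141 0 375\n231142 0 377\n231143 0 377\n231144 0 377\n"
SSHD_DIFF = "318869 0 375\n318870 0 377\n318871 0 377\n318872 0 377\n"


def parse_cmp(text):
    """Map 0-based offset -> (old, new) byte from `cmp -l` or `cmp -lc` output."""
    diffs = {}
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if len(tok) == 3:        # cmp -l: offset old new
            old, new = tok[1], tok[2]
        elif len(tok) == 5:      # cmp -lc: offset old char new char
            old, new = tok[1], tok[3]
        else:
            raise ValueError("unrecognised cmp line: %r" % line)
        diffs[int(tok[0]) - 1] = (int(old, 8), int(new, 8))
    return diffs


def decode_fields(diffs):
    """Decode each changed 4-byte run as a little-endian (x86) signed int.

    cmp lists only differing bytes, so a field is recognised only when all
    four of its bytes changed, as they do here; anything else is rejected.
    """
    offsets = sorted(diffs)
    fields = []
    for i in range(0, len(offsets), 4):
        run = offsets[i:i + 4]
        if len(run) != 4 or run[3] - run[0] != 3:
            raise ValueError("not a whole 4-byte field at offset %d" % run[0])
        old = struct.unpack("<i", bytes(diffs[o][0] for o in run))[0]
        new = struct.unpack("<i", bytes(diffs[o][1] for o in run))[0]
        fields.append((run[0], CIPHER_NUMBERS.get(old, old),
                       CIPHER_NUMBERS.get(new, new)))
    return fields


if __name__ == "__main__":
    for name, text in (("ssh", SSH_DIFF), ("sshd", SSHD_DIFF)):
        for off, old, new in decode_fields(parse_cmp(text)):
            print("%s: offset %d (0x%x): %s -> %s" % (name, off, off, old, new))
```

The same decoding works on any `cmp -l` diff of a binary against its packaged original, which is a quick way to confirm that a patch touched only the intended field.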