Gentoo Archives: gentoo-user

From: Mick <michaelkintzios@×××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] Re: ssh rekeying slow ?
Date: Wed, 25 Jun 2014 22:14:30
Message-Id: 201406252313.46606.michaelkintzios@gmail.com
In Reply to: Re: [gentoo-user] Re: ssh rekeying slow ? by "Stefan G. Weichinger"
On Wednesday 25 Jun 2014 22:10:42 Stefan G. Weichinger wrote:
> On 25.06.2014 21:49, Alan McKinnon wrote:
> > I've also noticed slowdowns recently, I think it's the new ciphers like
> > ecdsa. Try this:
> >
> > Connect using ssh -vvv and examine the output to find which of the
> > various ciphers and algorithms are used once connection is achieved. On
> > the client, add those configuration options for the server to
> > ssh_config. You should notice a speed up on the next attempt as unused
> > methods will be skipped
> >
> > man 5 ssh_config
> >
> > has all the details
>
> ;-)
>
> thanks, Alan.
>
> Did you already find out what options to set?
>
> Aside from that, I wonder why we as users have to do that and why it
> isn't set up "as good as possible" by the coders of openssh.

Because the "as good as possible" datum is being redefined post Snowden.


> I will see if I can figure out what to do ...

The Better Crypto team suggest:

Ciphers chacha20-poly1305@×××××××.com,aes256-gcm@×××××××.com,aes128-gcm@×××××××.com,aes256-ctr,aes128-ctr

MACs hmac-sha2-512-etm@×××××××.com,hmac-sha2-256-etm@×××××××.com,umac-128-etm@×××××××.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160

KexAlgorithms curve25519-sha256@××××××.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1

The above may be OTT for ssh connections between machines within a trusted
LAN. As has already been mentioned, if you choose your favourite crypto and
strip out all the rest, then the negotiation ought to be faster between modern
PCs.

--
Regards,
Mick

Attachments

File name MIME type
signature.asc application/pgp-signature
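
The procedure quoted in the message above (read the negotiated algorithms out of ssh -vvv, then pin them for that host in ssh_config), as an added example that is not part of the original thread. The function names, the host name example-host and the sample debug lines are assumptions made for illustration; the sample is constructed in the debug1 format that current OpenSSH clients print, and older releases word these lines differently.

```shell
#!/bin/sh
# Added example: turn the negotiation lines of `ssh -vvv` into a Host block
# for ssh_config. Not code from the thread or from OpenSSH.

# Constructed sample of the relevant debug1 lines (not captured output).
sample_log() {
cat <<'EOF'
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes256-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes256-ctr MAC: hmac-sha2-256 compression: none
EOF
}

# pin_negotiated HOST: reads ssh debug output on stdin and prints a Host
# block naming only the algorithms that were actually negotiated.
pin_negotiated() {
    awk -v host="$1" '
        # Append v to a comma-separated list unless it is already present.
        function add(list, v) {
            if (index("," list ",", "," v ",")) return list
            return (list == "") ? v : list "," v
        }
        # "kex: host key algorithm:" does not match this pattern.
        /kex: algorithm: / { kex = $NF }
        # One line per direction; both directions are merged.
        /kex: (server->client|client->server) cipher: / {
            for (i = 1; i < NF; i++) {
                if ($i == "cipher:") ciphers = add(ciphers, $(i + 1))
                # AEAD ciphers report "MAC: <implicit>": nothing to pin.
                if ($i == "MAC:" && $(i + 1) != "<implicit>")
                    macs = add(macs, $(i + 1))
            }
        }
        END {
            if (kex == "" || ciphers == "") {
                print "no negotiation lines found" > "/dev/stderr"
                exit 1
            }
            print "Host " host
            print "    KexAlgorithms " kex
            print "    Ciphers " ciphers
            if (macs != "") print "    MACs " macs
        }'
}

sample_log | pin_negotiated example-host
```

Against a real server the debug output is on stderr, so the call is `ssh -vvv host true 2>&1 | pin_negotiated host`. Each option takes a comma-separated list, so a fallback can be kept after the pinned algorithm, as in the lists quoted above, in case the server later stops offering it.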