10. The ever-popular miscellaneous section

This section covers some miscellaneous things about Secure Shell.

10.1. Should I turn encryption off, for performance reasons?

No; you should keep it turned on, for security reasons.

Today's CPUs are fast enough that performance losses (if any) are only noticeable at local Ethernet speeds or faster.

You might want to specify blowfish encryption with -c blowfish instead of the default (IDEA for SSH1, 3DES for SSH2) for faster operation.

Following are some measurements where the different encryption methods were applied between a P5/90 and a 486/100, both running Linux, for copying files with scp across a lightly loaded Ethernet.

The model chosen was t=a+x/b; a is the startup time in seconds, and b the sustainable transfer rate in kB/s. Also given are the 68.3% confidence intervals for the data, as determined by the Levenberg-Marquardt algorithm as implemented in a pre-3.6 version of gnuplot.

Encryption      a[s]      da[s]    b[kB/s]      db[kB/s]
none            2.37       0.37     386.1         5.8
rc4             1.96       0.27     318.2         2.9
tss             2.33       0.37     298.5         3.5
des             2.07       0.19     218.8         1.0
idea            2.25       0.45     169.6         1.3
3des            1.92       0.11     118.2         0.2

Across a heavily loaded Ethernet, rc4 encryption together with compression may actually be faster than using rcp.
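
The following is an added example, not part of the original FAQ, showing how values like a, da, b and db in the table can be obtained from scp timings for one cipher. It assumes x is the file size in kB and t the total copy time in seconds, uses constructed sample timings, and replaces Levenberg-Marquardt with closed-form linear least squares in (a, 1/b), which minimizes the same sum of squares for this model.

```python
import math

# Constructed sample data (not from the FAQ): file sizes in kB and scp
# wall-clock times in seconds for one cipher.
SIZES_KB = [500, 1000, 2000, 4000, 8000, 16000]
TIMES_S = [4.7, 6.7, 12.1, 22.2, 41.7, 82.1]

def fit_transfer_model(sizes_kb, times_s):
    """Fit t = a + x/b by least squares and return (a, da, b, db).

    da and db are 1-sigma (68.3%) standard errors scaled by the residual
    variance.
    """
    n = len(sizes_kb)
    if n != len(times_s) or n < 3:
        raise ValueError("need at least 3 matching (size, time) pairs")
    mx = sum(sizes_kb) / n
    mt = sum(times_s) / n
    sxx = sum((x - mx) ** 2 for x in sizes_kb)
    if sxx == 0:
        raise ValueError("file sizes must differ to separate a from b")
    sxt = sum((x - mx) * (t - mt) for x, t in zip(sizes_kb, times_s))
    slope = sxt / sxx                 # seconds per kB, i.e. 1/b
    if slope <= 0:
        raise ValueError("time does not grow with size; rate undefined")
    a = mt - slope * mx               # startup time in seconds
    rss = sum((t - (a + slope * x)) ** 2 for x, t in zip(sizes_kb, times_s))
    s2 = rss / (n - 2)                # residual variance, n-2 degrees of freedom
    d_slope = math.sqrt(s2 / sxx)
    da = math.sqrt(s2 * (1.0 / n + mx * mx / sxx))
    b = 1.0 / slope                   # sustainable rate in kB/s
    db = b * b * d_slope              # delta method: |d(1/s)/ds| = 1/s^2
    return a, da, b, db

def predicted_time(a, b, size_kb):
    """Transfer time in seconds the fitted model predicts for size_kb."""
    return a + size_kb / b

if __name__ == "__main__":
    a, da, b, db = fit_transfer_model(SIZES_KB, TIMES_S)
    print(f"a = {a:.2f} +/- {da:.2f} s, b = {b:.1f} +/- {db:.1f} kB/s")
    print(f"10 MB copy: {predicted_time(a, b, 10240):.1f} s")
```

Repeating the fit once per cipher on the same pair of hosts gives one table row per cipher, so the cost of encryption can be judged on your own hardware before changing any cipher setting.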

10.2. Known security bugs with Secure Shell

10.3. I don't like the commercial aspects of ssh.

The licensing of SSH Secure Shell has changed so that if you are using it for non-commercial use, you can use it free of charge. See the licensing agreement for more details.

The good news is the protocols ssh uses are freely available. There are no restrictions if anybody wants to write a version that is available under different conditions and is interoperable with existing Secure Shell installations.

Secure Shell 2 is also on the Internet Standards Track. This means that a second, independent implementation is required. The other current SSH2 implementations are lsh and OpenSSH. For SSH1, you have quite a few resources as well; check out section 2.

You will have to be aware of patents, like RSA and IDEA, and export control issues before writing a second implementation.

10.4. Alternatives to Secure Shell

There are several other secure connection or authentication bits of software about. You might want to check them out as well.

This SSH FAQ mirror is made available by Brian Hatch and Onsight, Inc. Contact the FAQ maintainers if you have changes or comments on this material.