Image source: internet
Everyone must find this strange: SSH exists precisely to provide a secure, encrypted channel, so why would anyone want to turn encryption off or lower the encryption strength? Where does such a need come from? Before explaining, let me first give a few ordinary cases in which SSH tunneling is used:
- Scenario 2: "Port Forwarding with SSH"
So the main purpose of building an SSH tunnel is to create a channel that lets you reach a restricted network from the outside; a picture makes this easier to grasp.
Image source: internet
From this picture you can see that data passed through the SSH tunnel is protected by encryption the whole way, until it leaves the SSH tunnel and arrives at the restricted internal network (which, relatively speaking, is also a trusted internal network).
Image source: internet
Now the questions arise:
1. What if the device I want to connect to (an embedded system) does not have enough CPU power? Can encryption be turned off?
2. Encryption also affects speed, so how can speed be increased?
3. What algorithm is actually used for the encryption?
So I found a few answers online:
1. The speed with and without encryption can differ by as much as 86%
RFC 4253 specifies that, during handshake, client and server can agree not to use any bulk encryption.
In other words, the encrypted transfer speed is *** 86% SLOWER *** than the unencrypted transfer speed.
2. Through a patch, hpn-ssh, it can indeed be turned off
3. Lower the encryption strength
---------------------------------------------------------------------------
You cannot disable encryption, at least not in any standards-compatible way. You can pick weaker and/or faster ciphers if you're really worried about overhead. ARCFour and Blowfish are pretty fast. DES is slow.
For OpenSSH:
man ssh_config
man sshd_config
The following ciphers are currently defined:

     3des-cbc         REQUIRED          three-key 3DES in CBC mode
     blowfish-cbc     OPTIONAL          Blowfish in CBC mode
     twofish256-cbc   OPTIONAL          Twofish in CBC mode, with a 256-bit key
     twofish-cbc      OPTIONAL          alias for "twofish256-cbc" (this is being retained for historical reasons)
     twofish192-cbc   OPTIONAL          Twofish with a 192-bit key
     twofish128-cbc   OPTIONAL          Twofish with a 128-bit key
     aes256-cbc       OPTIONAL          AES in CBC mode, with a 256-bit key
     aes192-cbc       OPTIONAL          AES with a 192-bit key
     aes128-cbc       RECOMMENDED       AES with a 128-bit key
     serpent256-cbc   OPTIONAL          Serpent in CBC mode, with a 256-bit key
     serpent192-cbc   OPTIONAL          Serpent with a 192-bit key
     serpent128-cbc   OPTIONAL          Serpent with a 128-bit key
     arcfour          OPTIONAL          the ARCFOUR stream cipher with a 128-bit key
     idea-cbc         OPTIONAL          IDEA in CBC mode
     cast128-cbc      OPTIONAL          CAST-128 in CBC mode
     none             OPTIONAL          no encryption; NOT RECOMMENDED
----------------------------------------------------------------
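An added example, not from the original post or from the quoted answer: a small Python audit of a constructed ssh_config that chased speed by picking the "fast" ciphers from the table above. It flags the weak entries (none, RC4, Blowfish, 3DES, any CBC mode) and rewrites the Ciphers line to the AEAD ciphers that modern OpenSSH ships, with ChaCha20 first because it stays fast on CPUs without AES hardware, which is the embedded-device case from the questions above. The sample config, host name and weak-cipher classification are constructed assumptions.

```python
"""Audit the Ciphers directive of an OpenSSH ssh_config / sshd_config."""
import re

# Constructed sample (not a real host): a client config that picked
# RC4 and Blowfish for speed, as the quoted answer suggests, and "none".
SAMPLE_CONFIG = """\
Host embedded-box
    HostName 192.0.2.10
    # fast but weak choices
    Ciphers arcfour,blowfish-cbc,aes128-cbc,none
"""

# Weak entries from the RFC 4253 table quoted above; modern OpenSSH
# disables or removes these by default. Order matters: first match wins.
WEAK = {
    r"^none$": "no encryption",
    r"^arcfour": "RC4 stream cipher",
    r"^blowfish": "64-bit block cipher",
    r"^3des": "3DES, 64-bit block",
    r"-cbc$": "CBC mode",
}

# AEAD ciphers in current OpenSSH (names as accepted by the Ciphers keyword).
# ChaCha20-Poly1305 first: it is fast without AES hardware acceleration.
RECOMMENDED = ("chacha20-poly1305@openssh.com,"
               "aes128-gcm@openssh.com,aes256-gcm@openssh.com")


def parse_ciphers(config: str) -> list:
    """Return the cipher list from the first Ciphers directive, most preferred first."""
    for line in config.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        m = re.match(r"(?i)^ciphers\s+(\S+)", line)
        if m:
            return [c for c in m.group(1).split(",") if c]
    return []


def audit(config: str) -> dict:
    """Map each weak cipher named in the config to the reason it is weak."""
    findings = {}
    for cipher in parse_ciphers(config):
        for pattern, reason in WEAK.items():
            if re.search(pattern, cipher):
                findings[cipher] = reason
                break
    return findings


def harden(config: str) -> str:
    """Rewrite the Ciphers directive with the recommended AEAD list."""
    return re.sub(r"(?im)^([ \t]*ciphers[ \t]+)\S+", r"\g<1>" + RECOMMENDED, config)


if __name__ == "__main__":
    for cipher, reason in audit(SAMPLE_CONFIG).items():
        print(f"weak: {cipher:14} {reason}")
    print(harden(SAMPLE_CONFIG))
```

To confirm what a real session actually negotiated, `ssh -v` prints the chosen cipher in its `kex:` debug lines; a `none` entry never appears there with stock OpenSSH.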
Reference:
[1] Disable encryption ssh