Re: Future of kerberised telnet, login, rsh, ftp?

[Kevin Sullivan <ksulliva@psc.edu>]

--On 07/07/05 10:19:57 -0400 Ken Hornstein wrote:
> Ah, that's one thing I remember now; it wasn't possible to turn encryption
> _off_ in ssh.  We force people to use encryption for interactive sessions,
> but don't require it for bulk data transfer.  It's easy to segment this
> out with different utilities (rcp versus rsh required writing some extra
> code, but it wasn't hard).  Encryption sucks when you're rcp'ing around
> a few terabytes (and yes, we have people that do that all of the time).

We have similar issues, which is why we support both gssapi-ssh and krcp. 
But one of our network engineers found that most of the slowness in SSH is 
due to poor buffer sizes, not encryption (unless you have a *really* slow 
machine).  See:
  <http://www.psc.edu/networking/projects/hpn-ssh/>

On that page we have one set of patches which just fixes the buffers, and 
another set which also adds the "none" cipher in a secure way (the data is 
still signed, just not encrypted).  Almost all of the speed improvements 
come from the first set of patches.  We run the first patch on our 
production supercomputers, which regularly sling around terabyte files.

The none-cipher patches will only disable encryption for data transfers, 
not interactive logins.  I'm sure that this isn't fool-proof, but it does 
help against any user who's not actively trying to circumvent this.

Kevin Sullivan
Pittsburgh Supercomputing Center

PGP signature