Netcat mode on OpenSSH (opens in new tab)

(blog.rootshell.be)

42 pointspWneD16y ago6 comments

6 comments

6 comments · 3 top-level

blasdel16y ago· 2 in thread

Aw man, I was hoping this would be a passthrough mode for the transport.

Sometimes I'd like to have secure authentication but otherwise have no encryption — the overhead is way too high on slower boxes when you have a good amount of bandwidth available. One classic case I'd run into is using a nice old Sparc workstation as a remote X terminal to a fast new box: if I used SSH to forward the X session its process would regularly spike the local CPU, so I would end up just using a completely insecure X server instead.

It can be too slow even on decently fast boxes when you have gigabits of bandwidth available — I'd just end up piping tar through netcat to avoid the overhead.

sketerpot16y ago

I wonder how much of this is just because you're using a slow encryption function. On my (quite fast) machine, the default 128-bit AES encryption can handle a little under 800 Mbit/s. Meanwhile, Threefish-512 can encrypt at 4 Gbit/s on the same machine, with what we lightheartedly hope is an equal or greater amount of security. And if you use CTR mode for block chaining, you can parallelize it among however many cores you have, for several times speedup -- my quad-core machine could manage 16 Gbit/s with Threefish-512 in CTR mode, which is really quite zippy.

What I'm saying is, faster transfers should be possible. And they probably already are, if you're willing to find out how to tweak the OpenSSH settings. Maybe.

fhars16y ago

You want the HPN-SSH cipher-none patch: http://www.psc.edu/networking/projects/hpn-ssh/ Although even the HPN-SSH project recommentd using MT-AES-CTR on multicore machines to get encryption and saturate a 1GBit link.

bhousel16y ago· 1 in thread

Currently, just open one term window to do the 'ssh -L', and a second window to do the 'nc'.

This enhancement just saves me the trouble of opening a term window.

andrewvc16y ago

Well, the big advantage is it doesn't listen on a port, which means if the system in question has a crazy local firewall policy, this works better. Also, on a multi-user system, this is more secure as other users cannot connect to this port.

Plus, I'd rather use one command than two, makes scripting easier.

doubleukay216y ago

A really useful thing I use with ssh and netcat is to forward SSH connections through a bastion host like this - http://backdrift.org/transparent-proxy-with-ssh

It looks like netcat can be substituted with the openssh 5.4 builtin.

j / k navigate · click thread line to collapse