From: Mick
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: ssh rekeying slow ?
Date: Wed, 25 Jun 2014 23:13:35 +0100

On Wednesday 25 Jun 2014 22:10:42 Stefan G. Weichinger wrote:
> On 25.06.2014 21:49, Alan McKinnon wrote:
> > I've also noticed slowdowns recently, I think it's the new ciphers like
> > ecdsa. Try this:
> >
> > Connect using ssh -vvv and examine the output to find which of the
> > various ciphers and algorithms are used once connection is achieved. On
> > the client, add those configuration options for the server to
> > ssh_config. You should notice a speed up on the next attempt as unused
> > methods will be skipped
> >
> > man 5 ssh_config
> >
> > has all the details
>
> ;-)
>
> thanks, Alan.
>
> Did you already find out what options to set?
>
> Aside from that, I wonder why we as users have to do that and why it
> isn't set up "as good as possible" by the coders of openssh.

Because the "as good as possible" datum is being redefined post Snowden.

> I will see if I can figure out what to do ...

The Better Crypto team suggest:

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr

MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160

KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1

The above may be OTT for ssh connections between machines within a trusted
LAN. As has already been mentioned if you choose your favourite crypto and
strip out all the rest, then the negotiation ought to be faster between modern
PCs.

-- 
Regards,
Mick
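
The procedure quoted above (read the negotiated algorithms out of the ssh debug output, then pin them in ssh_config) can be scripted. The following is an added example, not part of this message or of OpenSSH; the host name fileserver.lan and the sample debug lines are constructed, and the debug line formats parsed are assumptions about what the installed ssh client prints.

```shell
#!/bin/sh
# Added example (not from the thread): turn `ssh -v` debug output into an
# ssh_config stanza that pins the algorithms the two ends actually negotiated.

# Constructed sample in the debug format of newer OpenSSH releases; the older
# one-line form "kex: server->client <cipher> <mac> <compression>" also parses.
sample_log() {
cat <<'EOF'
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: aes256-ctr MAC: hmac-sha2-512-etm@openssh.com compression: none
debug1: kex: client->server cipher: aes256-ctr MAC: hmac-sha2-512-etm@openssh.com compression: none
EOF
}

# pin_from_log HOST: reads debug lines on stdin, prints a Host block.
# Returns non-zero when no negotiated cipher was found in the input.
pin_from_log() {
    awk -v host="$1" '
    function add(list, v) {   # append v once; AEAD ciphers report MAC <implicit>
        if (v == "" || v == "<implicit>" || index("," list ",", "," v ",")) return list
        return (list == "" ? v : list "," v)
    }
    /kex: algorithm: / { kex = $NF }
    /kex: (server->client|client->server) / {
        c = ""; m = ""
        if ($0 ~ / cipher: /) {               # newer labelled format
            for (i = 1; i < NF; i++) {
                if ($i == "cipher:") c = $(i + 1)
                if ($i == "MAC:")    m = $(i + 1)
            }
        } else { c = $(NF - 2); m = $(NF - 1) }   # older positional format
        ciphers = add(ciphers, c); macs = add(macs, m)
    }
    END {
        if (ciphers == "") exit 1
        print "Host " host
        if (kex != "") print "    KexAlgorithms " kex
        print "    Ciphers " ciphers
        if (macs != "") print "    MACs " macs
    }'
}

# Live use (ssh writes debug output to stderr; the host name is a placeholder):
#   ssh -v fileserver.lan exit 2>&1 | pin_from_log fileserver.lan
sample_log | pin_from_log fileserver.lan
```

A stanza pinned to a single algorithm per category stops connecting if the server later drops that algorithm, so keep a fallback entry from the suggested lists when the server is not under your control.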