Subject: Re: Z50 and ssh
To: Mikel Waxler <waxor@waxor.com>
From: Chris Jepeway <jepeway@blasted-heath.com>
List: port-hpcmips
Date: 08/12/2002 16:08:58

> I guess I'll either have to suffer or find a box to connect through that
> has ssh1.

You can try configging so some of the lighter-weight ciphers
are preferred by your ssh client.  Too, DSS key negotiation
is slow; RSA goes much more quickly.  Here's an excerpt from
my ~/.ssh/config file:

    Ciphers		blowfish-cbc,aes128-cbc,3des-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
    HostKeyAlgorithms	ssh-rsa,ssh-dss

I don't really know about any of the ordering after 3des-cbc, I just
threw the other ciphers in for completeness.  Er...that is, I think
Blowfish is cheaper than AES and that AES is cheaper than 3DES.
But I dunno about any of the others, they are there so I could still
connect to (hypothetical) servers that insisted on one of the other
ciphers.

BTW, I don't make any claims about the security implications of
preferring one cipher over another.  I naively figure if they're
not secure, then they wouldn't be supported.

All that said, switching to RSA key exchange with Blowfish enciphering
eliminated an appallingly long wait for an initial connection between a
133MHz Pentium and a swiftish UltraSparc that I was getting from the
default OpenSSH install of about a year back.  Might help in your situation,
too.

Of course, jiggering your client won't get you any improvement if the server
you use forces DSS or a cipher that's slow to run on your z50.

Chris <jepeway@blasted-heath.com>.
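
Added example, not part of the original message: a small Python model of why the client's preference order helps only when the server also offers the preferred algorithm. It applies the SSH transport rule that the chosen algorithm is the first name on the client's list that also appears on the server's list (RFC 4253, section 7.1; host key selection is simplified to the same rule). The server profiles and all function names are constructed for illustration.

```python
# Added example: how a client's Ciphers / HostKeyAlgorithms order interacts
# with what the server offers. Server lists are constructed, not from a real host.

# The excerpt from the message above, as ssh_config text.
CLIENT_CONFIG = (
    "Ciphers\t\tblowfish-cbc,aes128-cbc,3des-cbc,cast128-cbc,"
    "arcfour,aes192-cbc,aes256-cbc\n"
    "HostKeyAlgorithms\tssh-rsa,ssh-dss\n"
)

def parse_prefs(config_text):
    """Map each keyword (lowercased) to its names in preference order."""
    prefs = {}
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # keyword with no value: nothing to negotiate with
        keyword, value = parts
        prefs[keyword.lower()] = [n.strip() for n in value.split(",") if n.strip()]
    return prefs

def negotiate(client_list, server_list):
    """First name on the client's list that the server also offers, else None."""
    offered = set(server_list)
    for name in client_list:
        if name in offered:
            return name
    return None  # no overlap: the real protocol disconnects here

def simulate(config_text, server_ciphers, server_hostkeys):
    """Return (cipher, host key algorithm) this client would end up with."""
    prefs = parse_prefs(config_text)
    return (negotiate(prefs.get("ciphers", []), server_ciphers),
            negotiate(prefs.get("hostkeyalgorithms", []), server_hostkeys))

# Constructed server profiles: (ciphers offered, host key algorithms offered).
PERMISSIVE = (["aes128-cbc", "3des-cbc", "blowfish-cbc"], ["ssh-dss", "ssh-rsa"])
DSS_3DES_ONLY = (["3des-cbc"], ["ssh-dss"])
NO_OVERLAP = (["example-cipher"], ["ssh-rsa"])

if __name__ == "__main__":
    for label, profile in [("permissive", PERMISSIVE),
                           ("dss/3des only", DSS_3DES_ONLY),
                           ("no common cipher", NO_OVERLAP)]:
        print(label, "->", simulate(CLIENT_CONFIG, *profile))
```

The server's own ordering does not change the outcome in this model; only the set of algorithms it offers does.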