Re: Configure dropbear to be fast/insecure? (need a Microblaze speed-up!)
Mike Frysinger wrote:
> On Fri, Nov 7, 2008 at 12:10 AM, Jamie Lokier wrote:
>> Mike Frysinger wrote:
>>> if it's all private / development, why don't you just use telnet w/out login ?
>>
>> Maybe because "ssh command < file > file2" works while it doesn't work
>> with telnet? ssh is a much more convenient and reliable interface.
>
> maybe for your needs, but this is about Steve's needs. the extended scriptability of ssh often times is irrelevant if you just want to interact with a board. telnet is a hell of a lot simpler than ssh.
> -mike

Mike--

Thanks for the comments, you are absolutely right. But in this case, Jamie is dead-on. I've definitely used ssh alternatives in the past; if I didn't want to stick with the ssh interface, I would probably switch over to rsh. But we will likely be scripting in this environment, and will probably be using a layer over ssh to allow commands to be sent to multiple Microblaze targets (within the same private environment) in parallel. And, we also may want to use port forwarding, which ssh also handles nicely.

The environment is private, as in within a single enclosure where the only access point is through another embedded processor, but it will be production (eventually!).

Steve
Re: Configure dropbear to be fast/insecure? (need a Microblaze speed-up!)
On Fri, Nov 7, 2008 at 12:10 AM, Jamie Lokier wrote:
> Mike Frysinger wrote:
>> if it's all private / development, why don't you just use telnet w/out login ?
>
> Maybe because "ssh command < file > file2" works while it doesn't work
> with telnet? ssh is a much more convenient and reliable interface.

maybe for your needs, but this is about Steve's needs. the extended scriptability of ssh often times is irrelevant if you just want to interact with a board. telnet is a hell of a lot simpler than ssh.
-mike
Re: Configure dropbear to be fast/insecure? (need a Microblaze speed-up!)
Mike Frysinger wrote:
> if it's all private / development, why don't you just use telnet w/out login ?

Maybe because "ssh command < file > file2" works while it doesn't work with telnet? ssh is a much more convenient and reliable interface.

-- Jamie
Re: Configure dropbear to be fast/insecure? (need a Microblaze speed-up!)
if it's all private / development, why don't you just use telnet w/out login ?
-mike
Re: Configure dropbear to be fast/insecure? (need a Microblaze speed-up!)
On Thursday 06 November 2008 07:44:18 Matt Johnston wrote:
> I'm not sure about improving the initial connection time -
> using small DSS hostkeys will probably be the best
> approach, though you've probably already tried that.
> There were a few internet-drafts about elliptic curve
> Diffie-Hellman for SSH, though I haven't looked at those
> much. Of course if security isn't any issue then perhaps a
> 'none' key-exchange method could be invented too ;)

Also make sure you've disabled the reverse dns lookups for the log entries; those generally add _horrible_ latency to connections, and logging the IP address is all you actually _need_.

Back in 2001, on a 200 mhz pentium III, I was getting 3.2 connections/second, and around 300k/second throughput. (That wasn't with dropbear, but that was a performance ballpark for comparison.)

If your microblaze really is taking 12 seconds to connect, you should profile this and see what's going on. Is the CPU really busy the whole time?

Rob
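Added example, not part of Rob's message or of the thread: one way to answer "is the CPU really busy the whole time?" on the target is to sample the aggregate `cpu` line of `/proc/stat` around a login attempt. The function names (`cpu_totals`, `busy_pct`, `measure_window`) are hypothetical and the two sample lines are constructed.

```shell
#!/bin/sh
# Added example: was the target CPU-bound or mostly waiting during a login?
# Aggregate line of /proc/stat, in jiffies:
#   cpu user nice system idle iowait irq softirq steal ...

# cpu_totals LINE -> prints "TOTAL IDLE" for one "cpu ..." line.
# Only the first 8 counters are summed; idle and iowait both count as idle.
cpu_totals() {
    set -- $1                   # split the line into fields
    shift                       # drop the "cpu" label
    total=0; idle=0; n=0
    for v in "$@"; do
        n=$((n + 1))
        [ "$n" -le 8 ] || break
        total=$((total + v))
        if [ "$n" -eq 4 ] || [ "$n" -eq 5 ]; then idle=$((idle + v)); fi
    done
    echo "$total $idle"
}

# busy_pct BEFORE AFTER -> integer percentage of non-idle time between samples.
busy_pct() {
    set -- $(cpu_totals "$1") $(cpu_totals "$2")
    dt=$(( $3 - $1 )); di=$(( $4 - $2 ))
    [ "$dt" -gt 0 ] || { echo 0; return; }
    echo $(( (dt - di) * 100 / dt ))
}

# measure_window SECONDS -> sample /proc/stat around a window on the target.
# Start the ssh login from the client while the window is open.
measure_window() {
    before=$(grep '^cpu ' /proc/stat)
    sleep "$1"
    after=$(grep '^cpu ' /proc/stat)
    echo "cpu_busy=$(busy_pct "$before" "$after")% over ${1}s"
}

# Constructed samples (not measurements from the thread's hardware).
SAMPLE_BEFORE="cpu 1000 0 500 8000 100 0 0 0"
SAMPLE_AFTER="cpu 1900 0 800 8200 100 0 0 0"
# busy_pct "$SAMPLE_BEFORE" "$SAMPLE_AFTER"   -> 85
```

A high busy percentage across the login points at computation on the target; a low one means the time is being spent waiting, for example on the reverse DNS lookups mentioned above.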
Re: Configure dropbear to be fast/insecure? (need a Microblaze speed-up!)
On Thu, Nov 06, 2008 at 07:00:08AM -0600, Steve Hein wrote:
> Hi All--
> I am running dropbear on a Microblaze-MMU platform
> (Spartan-3A FPGA, running @ 62.5MHz).
> I've optimized things as far as I know how, but making
> an ssh connection to dropbear still takes about 12 seconds,
> and the scp and port forwarding performance is still very
> slow.
>...
> Since all security can be handled from
> the node that is accessible to the outside. I was wondering
> if it is possible to configure dropbear in an "insecure" mode,
> even to the point of not using encryption?

There's a (fairly untested) branch^
http://viewmtn.angrygoats.net/all/branch/changes/au.asn.ucc.matt.dropbear.insecure-nocrypto
that allows using the 'none' cipher and mac algorithms. You'll have to compile a custom client/server of course, and if you want to use password auth grep for "sorry" and remove those checks :)

I'm not sure about improving the initial connection time - using small DSS hostkeys will probably be the best approach, though you've probably already tried that. There were a few internet-drafts about elliptic curve Diffie-Hellman for SSH, though I haven't looked at those much. Of course if security isn't any issue then perhaps a 'none' key-exchange method could be invented too ;)

Cheers,
Matt

^ The web mirror hasn't updated yet to my current commit though, give it a little while for "Update nocrypto branch to current head" to appear. You can grab a tarball under "browse files", you'll have to run "autoconf; autoheader" before configure.