SCP With No Encryption: Why Not?

I’ve read lots of forum posts recently where someone asks how to turn encryption off for an SSH session, specifically for an SCP transfer. Every one I’ve seen has been flamed for asking this. One common response I see is:

“the encryption doesn’t take up enough of the CPU to warrant the kind of exposure on a modern CPU, you’re probably I/O limited anyway”

GARBAGE. On my Via C3 Nehemiah @ 900MHz (it’s a 1.2GHz chip in a 100MHz FSB capable motherboard, hence the slowed clock), my CPU taps out at 3.7MB/s on a 100Mb/s network. And it taps out on the SSH daemon, not the I/O time. Using NFS I can pull 9 to 10MB/s at CPU tap-out. Encrypting at wire speed DOES take up significant CPU time. Normal SSH terminal connections, sure, negligible. Bulk SCP connections, it’s real. Just take a look at the performance measurements taken on a Via C3 on this Linux / Via Padlock OpenSSH enabling tutorial.

Modern distributions of Linux (i.e. kernel 2.6.27+ based) seem to have patched OpenSSH (and hence the SSHD) to use the hardware encryption on the Via chip (Padlock), and I can pull 9-10MB/s at CPU tap-out on that with SCP. A P3 733MHz also taps out at 3.5MB/s with the same Linux (Ubuntu) though, so it’s definitely the software being optimized for the Via chip.

At the end of the day though, on my local LAN (wired), I don’t really care about the encryption of the file transfer. What I care about is the ubiquity of the SSH protocol. I’m also the only one using it to access files, so I’m not using it to replace NFS, I’m just using it to access my private files (which are sometimes quite large) using the already-configured ACL (PAM). Why can’t I disable the encryption for the SSH data transfer in V2? Sigh.
