(→Host)
(→script)
(10 intermediate revisions by the same user not shown)
Ligne 1 : | Ligne 1 : | ||
[[Category:serveur]][[Category:debian]][[Category:security]][[Category:networking]] | |||
= script = | = script = | ||
<pre> | <pre> | ||
Ligne 16 : | Ligne 17 : | ||
<pre> | <pre> | ||
ssh-keygen | ssh-keygen | ||
cat .ssh/id_rsa.pub > .ssh/authorized_keys | cat .ssh/id_rsa.pub >> .ssh/authorized_keys | ||
</pre> | |||
=Ciphers= | |||
see man sshd_config or ssh -Q cipher | |||
<pre> | |||
Supported ciphers: | |||
3des-cbc | |||
aes128-cbc | |||
aes192-cbc | |||
aes256-cbc | |||
aes128-ctr | |||
aes192-ctr | |||
aes256-ctr | |||
aes128-gcm@openssh.com | |||
aes256-gcm@openssh.com | |||
arcfour | |||
arcfour128 | |||
arcfour256 | |||
blowfish-cbc | |||
cast128-cbc | |||
chacha20-poly1305@openssh.com | |||
</pre> | |||
<pre> | |||
default ciphers for sshd: | |||
aes128-ctr,aes192-ctr,aes256-ctr, | |||
aes128-gcm@openssh.com,aes256-gcm@openssh.com, | |||
chacha20-poly1305@openssh.com | |||
</pre> | </pre> | ||
= Host = | = Host = | ||
* AES-NI | * AES-NI | ||
* proxmox VE 4.1 (debian jessie based) | |||
* OpenSSH_6.7p1 Debian-5, OpenSSL 1.0.1k 8 Jan 2015 | * OpenSSH_6.7p1 Debian-5, OpenSSL 1.0.1k 8 Jan 2015 | ||
* pve-manager/4.1-2/78c5f4a2 (running kernel: 4.2.6-1-pve) | * pve-manager/4.1-2/78c5f4a2 (running kernel: 4.2.6-1-pve) | ||
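Review bot: In the new Ciphers section, the "Supported ciphers" list puts 3des-cbc, the arcfour variants, blowfish-cbc and cast128-cbc next to the modern ciphers without saying that none of them appears in the "default ciphers for sshd" list that follows, so a reader can take the first list for what the server accepts. `ssh -Q cipher` reports what the client binary supports; the server's effective list is the `ciphers` line of `sshd -T`. Suggest stating that anything outside the default list has to be enabled explicitly with `Ciphers` in sshd_config for the benchmark and removed again afterwards. The change from `>` to `>>` on authorized_keys is right, since it no longer overwrites keys already present.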
Ligne 76 : | Ligne 106 : | ||
4294967296 bytes (4.3 GB) copied, 12.8379 s, 335 MB/s | 4294967296 bytes (4.3 GB) copied, 12.8379 s, 335 MB/s | ||
</pre> | </pre> | ||
= Proxmox Qemu/KVM VM without AES-NI = | |||
* Debian Jessie 8.2 | |||
* OpenSSH_6.7p1 Debian-5, OpenSSL 1.0.1k 8 Jan 2015 | |||
* OpenSSL 1.0.1k 8 Jan 2015 | |||
<pre> | |||
Cipher: aes128-ctr (try 1) | |||
4294967296 bytes (4.3 GB) copied, 51.5934 s, 83.2 MB/s | |||
Cipher: aes128-ctr (try 2) | |||
4294967296 bytes (4.3 GB) copied, 51.5752 s, 83.3 MB/s | |||
Cipher: aes128-ctr (try 3) | |||
4294967296 bytes (4.3 GB) copied, 54.383 s, 79.0 MB/s | |||
Cipher: aes192-ctr (try 1) | |||
4294967296 bytes (4.3 GB) copied, 60.0338 s, 71.5 MB/s | |||
Cipher: aes192-ctr (try 2) | |||
4294967296 bytes (4.3 GB) copied, 59.9654 s, 71.6 MB/s | |||
Cipher: aes192-ctr (try 3) | |||
4294967296 bytes (4.3 GB) copied, 60.6374 s, 70.8 MB/s | |||
Cipher: aes256-ctr (try 1) | |||
4294967296 bytes (4.3 GB) copied, 67.8728 s, 63.3 MB/s | |||
Cipher: aes256-ctr (try 2) | |||
4294967296 bytes (4.3 GB) copied, 69.9567 s, 61.4 MB/s | |||
Cipher: aes256-ctr (try 3) | |||
4294967296 bytes (4.3 GB) copied, 68.1461 s, 63.0 MB/s | |||
Cipher: aes128-gcm@openssh.com (try 1) | |||
4294967296 bytes (4.3 GB) copied, 60.5148 s, 71.0 MB/s | |||
Cipher: aes128-gcm@openssh.com (try 2) | |||
4294967296 bytes (4.3 GB) copied, 61.3155 s, 70.0 MB/s | |||
Cipher: aes128-gcm@openssh.com (try 3) | |||
4294967296 bytes (4.3 GB) copied, 60.7298 s, 70.7 MB/s | |||
Cipher: aes256-gcm@openssh.com (try 1) | |||
4294967296 bytes (4.3 GB) copied, 79.0498 s, 54.3 MB/s | |||
Cipher: aes256-gcm@openssh.com (try 2) | |||
4294967296 bytes (4.3 GB) copied, 76.2416 s, 56.3 MB/s | |||
Cipher: aes256-gcm@openssh.com (try 3) | |||
4294967296 bytes (4.3 GB) copied, 78.5161 s, 54.7 MB/s | |||
Cipher: chacha20-poly1305@openssh.com (try 1) | |||
4294967296 bytes (4.3 GB) copied, 27.8819 s, 154 MB/s | |||
Cipher: chacha20-poly1305@openssh.com (try 2) | |||
4294967296 bytes (4.3 GB) copied, 27.4079 s, 157 MB/s | |||
Cipher: chacha20-poly1305@openssh.com (try 3) | |||
4294967296 bytes (4.3 GB) copied, 28.3614 s, 151 MB/s | |||
</pre> | |||
arcfour : | |||
<pre> | |||
4294967296 bytes (4.3 GB) copied, 17.4473 s, 246 MB/s | |||
4294967296 bytes (4.3 GB) copied, 17.6271 s, 244 MB/s | |||
4294967296 bytes (4.3 GB) copied, 18.134 s, 237 MB/s | |||
</pre> | |||
= Proxmox Qemu/KVM VM with AES-NI = | |||
* Debian Jessie 8.2 | |||
* OpenSSH_6.7p1 Debian-5, OpenSSL 1.0.1k 8 Jan 2015 | |||
* OpenSSL 1.0.1k 8 Jan 2015 | |||
<pre> | |||
Cipher: aes128-ctr (try 1) | |||
4294967296 bytes (4,3 GB) copiés, 11,1141 s, 386 MB/s | |||
Cipher: aes128-ctr (try 2) | |||
4294967296 bytes (4,3 GB) copiés, 12,5664 s, 342 MB/s | |||
Cipher: aes128-ctr (try 3) | |||
4294967296 bytes (4,3 GB) copiés, 11,555 s, 372 MB/s | |||
Cipher: aes192-ctr (try 1) | |||
4294967296 bytes (4,3 GB) copiés, 11,7967 s, 364 MB/s | |||
Cipher: aes192-ctr (try 2) | |||
4294967296 bytes (4,3 GB) copiés, 11,5128 s, 373 MB/s | |||
Cipher: aes192-ctr (try 3) | |||
4294967296 bytes (4,3 GB) copiés, 11,3557 s, 378 MB/s | |||
Cipher: aes256-ctr (try 1) | |||
4294967296 bytes (4,3 GB) copiés, 12,0175 s, 357 MB/s | |||
Cipher: aes256-ctr (try 2) | |||
4294967296 bytes (4,3 GB) copiés, 11,5709 s, 371 MB/s | |||
Cipher: aes256-ctr (try 3) | |||
4294967296 bytes (4,3 GB) copiés, 11,9262 s, 360 MB/s | |||
Cipher: aes128-gcm@openssh.com (try 1) | |||
4294967296 bytes (4,3 GB) copiés, 19,5713 s, 219 MB/s | |||
Cipher: aes128-gcm@openssh.com (try 2) | |||
4294967296 bytes (4,3 GB) copiés, 22,0312 s, 195 MB/s | |||
Cipher: aes128-gcm@openssh.com (try 3) | |||
4294967296 bytes (4,3 GB) copiés, 19,8602 s, 216 MB/s | |||
Cipher: aes256-gcm@openssh.com (try 1) | |||
4294967296 bytes (4,3 GB) copiés, 22,1064 s, 194 MB/s | |||
Cipher: aes256-gcm@openssh.com (try 2) | |||
4294967296 bytes (4,3 GB) copiés, 22,4452 s, 191 MB/s | |||
Cipher: aes256-gcm@openssh.com (try 3) | |||
4294967296 bytes (4,3 GB) copiés, 20,5823 s, 209 MB/s | |||
Cipher: chacha20-poly1305@openssh.com (try 1) | |||
4294967296 bytes (4,3 GB) copiés, 27,3964 s, 157 MB/s | |||
Cipher: chacha20-poly1305@openssh.com (try 2) | |||
4294967296 bytes (4,3 GB) copiés, 28,3317 s, 152 MB/s | |||
Cipher: chacha20-poly1305@openssh.com (try 3) | |||
4294967296 bytes (4,3 GB) copiés, 27,1668 s, 158 MB/s | |||
</pre> | |||
=Conclusion= | |||
* Les performances baremetal restent meilleurs que virtualisé (overhead kvm | |||
* En baremetal, les ciphers les plus rapides semblent être aes128-ctr aes192-ctr aes128-gcm@openssh.com | |||
* En virtualisé avec AES, les ciphers les plus rapides semblent être aes128-ctr aes192-ctr aes256-ctr. Les versions aes@openssh sont en retrait pour une raison inconnue | |||
* Aucune raison valable d'utiliser arcfour a partir du moment ou les instructions AES sont disponibles. Préférez dans tous les cas un algo AES, en évitant si possible les versions @openssh.com (du moins en virtualisation KVM) | |||
* Si vous n'avez pas les instrutions AES, arcfour reste le plus performant (246 MB/s), suivi de chacha20-poly1305@openssh.com (157 MB/s). Les performances des algo AES sont catastrophiques. Gardez à l'esprit qu'arcfour (RC4) n'est plus considéré comme un algorithme sûr en 2015. |
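Review bot: The last Conclusion bullet names arcfour as the fastest choice on hosts without AES instructions (246 MB/s) and only says at the very end that RC4 is no longer considered safe; since arcfour is also absent from the default sshd cipher list quoted in the Ciphers section, the bullet should lead with chacha20-poly1305@openssh.com (157 MB/s measured, about twice the 83 MB/s of aes128-ctr on the same VM) as the recommendation and keep the arcfour figure as a comparison only. The advice in the fourth bullet to avoid the @openssh.com variants rests on throughput alone and should say so. Smaller points: the first bullet has an unclosed parenthesis, "(overhead kvm"; the "with AES-NI" block was captured under a French locale ("copiés", decimal commas) while the other blocks are in English, so rerunning it with LC_ALL=C would make the tables comparable by script; the arcfour results in the "without AES-NI" section carry no "Cipher:" labels, and the visible lines show no arcfour run for the AES-NI VM although the fourth bullet draws a conclusion about it; "OpenSSL 1.0.1k 8 Jan 2015" appears twice in each VM's bullet list.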