Last updated on Monday 28th of February 2022 08:52:48 PM

Less Secure Ciphers

 Please note that this post is relative to old deprecated software ©XSIBackup-Classic. Some facts herein contained may still be applicable to more recent versions though.

For new instalations please use new ©XSIBackup which is far more advanced than ©XSIBackup-Classic.

This is a new feature (as per the time of writing this) introduced in XSIBACKUP 11.2.3. It consists in enabling ciphers that have been deprecated in OpenSSH, like arcfour and blowfish-cbc and are not configured by default in the sshd_config (sshd server config file), but are still available in the OpenSSH binary.

Most of the SSH tunnel overhead is caused by the encryption process caused by more complicated and more secure encription algorithms. Nevertheless, we must not forget that many users and applications like ©XSIBackup use SSH as a standard for tunnelling data, independently of the required level of security, which obviously varies greatly from one case to the other.

We create tools for network admins, we therefore assume that we have competent intelligent people in front of us. Not only in terms of pricing, but also in terms of not cutting down features to prevent our "dumb users" from hurting themselves. Which seems to be a well extended paradigm out there.

You will decide whether using this ciphers or not, cause it's you who decides what's the level of security that you need to apply.

Enabling the above mentioned ciphers will allow data transfer to boost 20-40% depending on the cases. This is something to take into account, especially since you may decide your data is not worth the extra CPU cycles invested in securing tunnelled data. Please, note that although this ciphers are not officially secured any more, data is still encrypted, so you should expect some little overhead, although extremely reduced when compared to newer ciphers.

How to enable Less Secure Ciphers:

To allow this feature in your SSHD server, you have to edit the sshd_config file, which is present in different locations depending on the type of OS you use as an SSH server.
- VMWare ESXi: /etc/ssh/sshd_config
- Linux servers: /etc/ssh/sshd_config
- Windows: read your SSH server documentation.
You will see a line like this when you edit your sshd_config file:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc

The only thing you have to do to enable Less Secure Ciphers is to prepend the following (in bold) to the beggining of that list of values:

Ciphers arcfour,blowfish-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc

Save your sshd_config file and test whether the deprecated ciphers can be enabled in your version of SSHD, as the latest versions will simply reject them. Take on account that OpenSSH versions present at ESXi are a bit outdated, thus you will be able to enable them in almost all ESXi systems, except ESXi 6.7.

/usr/lib/vmware/openssh/bin/sshd -t

The above will parse the sshd_config file and report any errors.

The above is the location of SSHD in an ESXi system, in case of Linux and Unix, you can easily find where it is by typing which sshd

Daniel J. García Fidalgo