33HOPS, IT Consultants

Less Secure Ciphers

This is a new feature (as of this writing) introduced in XSIBACKUP 11.2.3. It consists of enabling ciphers that have been deprecated in OpenSSH, such as arcfour and blowfish-cbc, which are not configured by default in sshd_config (the sshd server configuration file) but are still available in the OpenSSH binary.

Most of the SSH tunnel overhead comes from encryption, and the more complex and more secure encryption algorithms cost the most. Nevertheless, we must not forget that many users and applications, like (c)XSIBackup, use SSH as a standard for tunnelling data regardless of the required level of security, which obviously varies greatly from one case to another.

We create tools for network admins; we therefore assume that we have competent, intelligent people in front of us. Not only in terms of pricing, but also in terms of not cutting down features to prevent our "dumb users" from hurting themselves, which seems to be a widespread paradigm out there.

You decide whether to use these ciphers or not, because it is you who decides what level of security you need to apply.

Enabling the above-mentioned ciphers can boost data transfer by 20-40%, depending on the case. This is something to take into account, especially since you may decide your data is not worth the extra CPU cycles invested in securing tunnelled data. Please note that although these ciphers are no longer officially considered secure, data is still encrypted, so you should expect a little overhead, although greatly reduced compared to newer ciphers.

How to enable Less Secure Ciphers:

To allow this feature in your SSHD server, you have to edit the sshd_config file, which is located in different places depending on the OS you use as an SSH server.
- VMware ESXi: /etc/ssh/sshd_config
- Linux servers: /etc/ssh/sshd_config
- Windows: read your SSH server documentation.
You will see a line like this when you edit your sshd_config file:



The only thing you have to do to enable Less Secure Ciphers is to prepend the deprecated ciphers (arcfour and blowfish-cbc) to the beginning of that list of values:

Ciphers arcfour,blowfish-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc

Save your sshd_config file and test whether the deprecated ciphers can be enabled in your version of SSHD, as the latest versions will simply reject them. Take into account that the OpenSSH versions shipped with ESXi are somewhat outdated, so you will be able to enable them on almost all ESXi systems, except ESXi 6.7.



The above will parse the sshd_config file and report any errors.

The above is the location of SSHD on an ESXi system; on Linux and Unix, you can easily find where it is by typing: which sshd
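
An added example, not part of the original article or of XSIBackup: a small POSIX shell check that reports whether an sshd_config enables the deprecated ciphers discussed above, so you can keep track of which servers carry the relaxed setting. The function names and the WEAK list (the two ciphers named here plus the arcfour128/arcfour256 variants) are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the deprecated ciphers this page enables.
# WEAK is an assumption of this example: arcfour and blowfish-cbc (named on the
# page) plus the arcfour128/arcfour256 variants.
WEAK="arcfour arcfour128 arcfour256 blowfish-cbc"

# effective_ciphers FILE -> prints the cipher list sshd would take from FILE.
# sshd keeps the first value it reads for a keyword, so stop at the first
# Ciphers line. Commented lines never match because their first field starts with '#'.
effective_ciphers() {
    awk 'tolower($1) == "ciphers" { print $2; exit }' "$1"
}

# weak_ciphers FILE -> prints every deprecated cipher in the effective list,
# one per line. Returns 0 if at least one was found, 1 otherwise.
weak_ciphers() {
    list=$(effective_ciphers "$1")
    case $list in
        -*) return 1 ;;   # a leading '-' only removes ciphers from the defaults
    esac
    # A leading '+' or '^' adds to the defaults; strip it and check what is added.
    printf '%s\n' "${list#[+^]}" | tr ',' '\n' |
        grep -Fx -e "$(printf '%s\n' $WEAK)"
}

# Constructed sample: the Ciphers line from this page, followed by a later
# duplicate that sshd ignores.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config fragment
Ciphers arcfour,blowfish-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc
Ciphers aes256-ctr
EOF

if found=$(weak_ciphers "$sample"); then
    echo "deprecated ciphers enabled:" $found
else
    echo "no deprecated ciphers enabled"
fi
rm -f "$sample"
```

Point weak_ciphers at /etc/ssh/sshd_config on each SSH server; it only reads the file and does not tell you whether the installed sshd will actually accept the ciphers.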

Daniel J. García Fidalgo
33HOPS


