SSH dynamic port forwarding and cipher performance testing

SSH dynamic port forwarding as a SOCKS5 proxy

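# Works with OpenSSH; the ssh client that ships with dropbear cannot do this.
# -D 0.0.0.0:1080 listens on all interfaces, so other hosts can reach the SOCKS proxy; use 127.0.0.1:1080 to keep it local.
ssh -f -N -D 0.0.0.0:1080 albert@192.168.1.1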

The cipher can be set in the configuration file ~/.ssh/config. For security reasons the blowfish-cbc cipher can no longer be used; aes128-ctr can be used instead.

Host *
  Ciphers aes128-ctr
  Compression yes
  CompressionLevel 6

How do you find out which cipher ssh uses when connecting to different hosts? Run ssh -v and look at the negotiated cipher. For example:

debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: zlib@openssh.com
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: zlib@openssh.com

After changing to aes128-ctr:

debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: aes128-ctr MAC: umac-64-etm@openssh.com compression: zlib@openssh.com
debug1: kex: client->server cipher: aes128-ctr MAC: umac-64-etm@openssh.com compression: zlib@openssh.com

Ciphers supported by the ssh in msys2:

debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc
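
An added example (not from the original notes) that turns the `ssh -v` lines above into a check: it extracts the negotiated cipher, MAC and compression per direction and lists legacy ciphers still present in a proposal. The function names and the rule that `*-cbc` and `arcfour*` count as legacy are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original notes: audit `ssh -v` / `ssh -vv` output.
# Assumption of this example: *-cbc and arcfour* ciphers are reported as "legacy".

# One line per direction: direction, cipher, MAC, compression, mode, verdict.
# "MAC: <implicit>" means an AEAD cipher that authenticates packets itself.
kex_summary() {
    awk '/^debug1: kex: (server->client|client->server) cipher:/ {
        verdict = ($5 ~ /-cbc$/ || $5 ~ /^arcfour/) ? "legacy" : "ok"
        mode = ($7 == "<implicit>") ? "aead" : "cipher+mac"
        print $3, $5, $7, $9, mode, verdict
    }'
}

# Legacy ciphers named in any "ciphers ctos" proposal line (ssh -vv prints one
# for the local proposal and one for the peer proposal), each listed once.
offered_legacy() {
    awk '/^debug2: ciphers ctos:/ {
        n = split($4, c, ",")
        for (i = 1; i <= n; i++)
            if ((c[i] ~ /-cbc$/ || c[i] ~ /^arcfour/) && !seen[c[i]]++) print c[i]
    }'
}

# Sample input: line 1 is constructed; the others are copied from the output above.
sample_log() {
    cat <<'EOF'
debug1: kex: server->client cipher: aes128-cbc MAC: hmac-sha1 compression: none
debug1: kex: server->client cipher: aes128-ctr MAC: umac-64-etm@openssh.com compression: zlib@openssh.com
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: zlib@openssh.com
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc
EOF
}

sample_log | kex_summary
sample_log | offered_legacy
```

ssh writes its debug lines to stderr, so real output has to be redirected with 2>&1 before it is piped into either function.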

Cipher performance test

Use the following shell loop to test the different ciphers:

# Send zeros through ssh once per cipher; `time -p cat` on the remote side reports the elapsed seconds.
# A cipher that either end does not support prints no "real" line, so it produces no result.
for i in 3des-cbc aes128-cbc aes128-ctr aes128-gcm@openssh.com aes192-cbc aes192-ctr aes256-cbc aes256-ctr aes256-gcm@openssh.com arcfour arcfour128 arcfour256 blowfish-cbc cast128-cbc chacha20-poly1305@openssh.com; do
#echo ===$i===
#dd if=/dev/zero bs=1000000 count=1000 2> /dev/null | ssh -c $i localhost "(time -p cat) > /dev/null" 2>&1 | grep real | awk '{print "'$i': "1000 / $2" MB/s" }';
#dd if=/dev/zero bs=1000000 count=1000 2> /dev/null | ssh -c $i admin@192.168.0.1 -p 8122 "(time -p cat) > /dev/null" 2>&1 | grep real | awk '{print "'$i': "1000 / $2" MB/s" }';
#dd if=/dev/zero bs=1000000 count=100 2> /dev/null | ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -c $i albert@192.168.0.22 "(time -p cat) > /dev/null" 2>&1 | grep real | awk '{print "'$i': "100 / $2" MB/s" }';
# StrictHostKeyChecking=no with UserKnownHostsFile=/dev/null skips host key verification for this run.
# count=100 transfers 100 MB, so the rate is 100 / elapsed seconds.
dd if=/dev/zero bs=1000000 count=100 2> /dev/null | ssh -i /c/home/albert/.ssh/id_rsa -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -c "$i" root@??? "(time -p cat) > /dev/null" 2>&1 | grep real | awk '{print "'$i': "100 / $2" MB/s" }';
done

# Single-cipher runs against one host (1000 MB, then 100 MB):
dd if=/dev/zero bs=1000000 count=1000 2> /dev/null | ssh -c aes192-ctr admin@192.168.0.1 -p 8122 "(time -p cat) > /dev/null" 2>&1 | grep real | awk '{print "aes192-ctr: "1000 / $2" MB/s" }';

dd if=/dev/zero bs=1000000 count=100 2> /dev/null | ssh -c aes192-ctr albert@192.168.0.22 "(time -p cat) > /dev/null" 2>&1 | grep real | awk '{print "aes192-ctr: "100 / $2" MB/s" }';

[2020-11-11 Wed 16:55] msys2 -> ubuntu 20.04

aes128-ctr: 86.4304 MB/s
aes128-gcm@openssh.com: 83.2639 MB/s
aes192-ctr: 80.8407 MB/s
aes256-ctr: 84.9618 MB/s
aes256-gcm@openssh.com: 85.6898 MB/s
chacha20-poly1305@openssh.com: 86.4304 MB/s

[2020-11-11 Wed 17:03] msys2 -> centos, first run

3des-cbc: 164.745 MB/s
aes128-cbc: 167.785 MB/s
aes128-ctr: 123.305 MB/s
aes128-gcm@openssh.com: 183.486 MB/s
aes192-cbc: 118.906 MB/s
aes192-ctr: 130.208 MB/s
aes256-cbc: 108.342 MB/s
aes256-ctr: 129.032 MB/s
aes256-gcm@openssh.com: 154.56 MB/s
chacha20-poly1305@openssh.com: 130.378 MB/s

[2020-11-11 Wed 17:04] msys -> centos, second run

3des-cbc: 148.148 MB/s
aes128-cbc: 125.313 MB/s
aes128-ctr: 120.919 MB/s
aes128-gcm@openssh.com: 207.9 MB/s
aes192-cbc: 147.929 MB/s
aes192-ctr: 190.114 MB/s
aes256-cbc: 163.399 MB/s
aes256-ctr: 125.945 MB/s
aes256-gcm@openssh.com: 113.25 MB/s
chacha20-poly1305@openssh.com: 100.604 MB/s

Local test, measuring only the performance of each cipher.

# Pipe 1000 MB of zeros through ssh to localhost, so the network is not a factor.
for i in 3des-cbc aes128-cbc aes128-ctr aes128-gcm@openssh.com aes192-cbc aes192-ctr aes256-cbc aes256-ctr aes256-gcm@openssh.com arcfour arcfour128 arcfour256 blowfish-cbc cast128-cbc chacha20-poly1305@openssh.com; do
#echo ===$i===
dd if=/dev/zero bs=1000000 count=1000 2> /dev/null | ssh -c "$i" localhost "(time -p cat) > /dev/null" 2>&1 | grep real | awk '{print "'$i': "1000 / $2" MB/s" }';
done

aes128-ctr: 641.026 MB/s
aes128-gcm@openssh.com: 869.565 MB/s
aes192-ctr: 606.061 MB/s
aes256-ctr: 584.795 MB/s
aes256-gcm@openssh.com: 819.672 MB/s
chacha20-poly1305@openssh.com: 266.667 MB/s

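When network latency is high, the choice of cipher makes little difference to speed; enabling compression and using connection multiplexing helps more. Judged on the cipher alone, though, aes128-gcm performs best.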

# First run
3des-cbc: 20.0924 MB/s
aes128-cbc: 16.5289 MB/s
aes128-ctr: 19.9283 MB/s
aes128-gcm@openssh.com: 22.9621 MB/s
aes192-cbc: 22.9832 MB/s
aes192-ctr: 23.1535 MB/s
aes256-cbc: 26.001 MB/s
aes256-ctr: 20.5381 MB/s
aes256-gcm@openssh.com: 20.0844 MB/s
chacha20-poly1305@openssh.com: 25.4388 MB/s

# Second run
3des-cbc: 21.2404 MB/s
aes128-cbc: 18.7793 MB/s
aes128-ctr: 18.5219 MB/s
aes128-gcm@openssh.com: 18.6359 MB/s
aes192-cbc: 17.8158 MB/s
aes192-ctr: 17.7904 MB/s
aes256-cbc: 22.6552 MB/s
aes256-ctr: 20.4876 MB/s
aes256-gcm@openssh.com: 22.8571 MB/s
chacha20-poly1305@openssh.com: 19.5925 MB/s
