When using OpenSSH as a SOCKS proxy (via ssh -D or PuTTY's dynamic port forwarding), encryption overhead can become significant for certain use cases. While encryption is essential for security, there are legitimate testing scenarios where you might want to temporarily disable it to diagnose performance issues.
Before proceeding, it's crucial to understand that disabling encryption:
- Makes all traffic readable by anyone on the network
- Removes authentication safeguards
- Should only be done in isolated test environments
To disable encryption in OpenSSH, you'll need to modify these directives in /etc/ssh/sshd_config:
# Disable all encryption ciphers
Ciphers none
# Disable MAC algorithms
MACs none
# Disable key exchange algorithms
KexAlgorithms none
# Optional: Force protocol version 1 (less secure)
Protocol 1
Your PuTTY client must match these settings:
- Connection → SSH → Ciphers: Select "None"
- Connection → SSH → Auth → Allow agent forwarding: Off
- Connection → SSH → Kex: Select "None"
Instead of completely disabling encryption, consider these safer alternatives:
# Use faster, modern ciphers
Ciphers chacha20-poly1305@openssh.com,aes128-gcm@openssh.com
# Enable compression for text-heavy traffic
Compression yes
# Adjust these TCP settings in /etc/sysctl.conf
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
After making changes, test with:
ssh -vvv -N -D 127.0.0.1:1080 user@host
Monitor performance with tools like iftop or nethogs to compare encrypted vs. unencrypted throughput.
If you encounter problems:
- Ensure both client and server are using the same SSH protocol version
- Check logs at /var/log/auth.log for connection errors
- Verify no firewall is interfering with the connection
When using SSH as a SOCKS proxy (particularly with PuTTY as client and OpenSSH as server), many users experience unexpectedly slow performance even on fast connections. The encryption overhead can become noticeable when tunneling high-bandwidth applications like web browsing.
While SSH's encryption ensures security, it introduces computational overhead from:
- Cipher algorithm processing (AES, ChaCha20, etc.)
- MAC (Message Authentication Code) generation
- Key exchange operations
To isolate whether encryption is the performance bottleneck, you can configure OpenSSH to use the none cipher:
# In sshd_config
Ciphers none
MACs none
KexAlgorithms diffie-hellman-group1-sha1
Security Warning: This completely disables encryption and should only be used for temporary testing on trusted networks.
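Because these directives are meant to be temporary, it helps to confirm afterwards that none of them is still in effect. The following is an added example, not part of the original page: it scans sshd_config text for the weakened values shown on this page, applying sshd's rule that the first value given for a keyword is the one used. The function names and the sample configuration are constructed for illustration.

```python
import re

# Weakened values taken from the test configurations shown on this page.
WEAK_VALUES = {
    "ciphers": {"none"},
    "macs": {"none"},
    "kexalgorithms": {"none", "diffie-hellman-group1-sha1"},
    "protocol": {"1"},
}

def effective_settings(config_text):
    """Global sshd_config settings as {keyword: value}, first value wins."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keywords are case-insensitive; whitespace or '=' separates the value.
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        if keyword == "match":  # conditional blocks follow the global section
            break
        settings.setdefault(keyword, parts[1].strip() if len(parts) > 1 else "")
    return settings

def find_weak_directives(config_text):
    """Return (keyword, value) pairs that match the page's test settings."""
    findings = []
    for keyword, value in effective_settings(config_text).items():
        weak = WEAK_VALUES.get(keyword)
        if weak is None or value.startswith("-"):  # a '-' list only removes
            continue
        # Lists are comma-separated; a leading '+' or '^' extends the defaults.
        for item in value.lstrip("+^").split(","):
            if item.strip().lower() in weak:
                findings.append((keyword, item.strip()))
    return findings

# Constructed sample: the page's second test configuration left in place
# above the faster-cipher line that was meant to replace it.
SAMPLE = """\
Ciphers none
MACs none
KexAlgorithms diffie-hellman-group1-sha1
Ciphers chacha20-poly1305@openssh.com,aes128-gcm@openssh.com
"""

if __name__ == "__main__":
    print(find_weak_directives(SAMPLE))
```

To check a real server, pass the contents of /etc/ssh/sshd_config to find_weak_directives; it reads only the global section and does not follow Include directives.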
Instead of completely disabling encryption, consider these safer optimizations:
# Faster ciphers
Ciphers chacha20-poly1305@openssh.com,aes128-gcm@openssh.com
# Compression (may help with text-heavy traffic)
Compression yes
# Keepalives to prevent timeout
ClientAliveInterval 60
TCPKeepAlive yes
On the client side, ensure PuTTY is configured optimally:
1. Connection → SSH → Preferred SSH protocol version: 2
2. Connection → Data → Enable compression: Yes
3. Connection → SSH → Cipher: chacha20-poly1305@openssh.com
Use these commands to measure performance impact:
# Without encryption
time curl --socks5 127.0.0.1:1080 https://example.com
# With default encryption
time curl --socks5 127.0.0.1:1080 https://example.com
If encryption overhead proves significant, consider:
- Upgrading to hardware with AES-NI support
- Using a VPN instead of SSH tunneling (OpenVPN, WireGuard)
- Setting up a dedicated SOCKS proxy (like Dante)