Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: OpenSSH: Dev

Support for merging LPK and hpn-ssh into mainline openssh?

  

 
OpenSSH dev RSS feed   Index | Next | Previous | View Threaded


plambrechtsen at gmail

Feb 16, 2009, 4:22 PM

Post #1 of 12 (2040 views)
Permalink
Support for merging LPK and hpn-ssh into mainline openssh?
Hello

Are there plans to merge the hpn-ssh
(http://www.psc.edu/networking/projects/hpn-ssh/) and the LPK
(http://code.google.com/p/openssh-lpk/) into the mainline openssh.

Adding lpk has been logged as a bug in bugzilla as

They are two patches that I always apply as the performance boost from
hpn-ssh is substantial to say the least, and centralisation of the
authorized_keys into a LDAP server is a very helpful way to manage the
authorized keys across a myriad of servers.

Is there any chance these patches could get included into mainline openssh?

Thanks

Peter
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


djm at mindrot

Feb 16, 2009, 6:18 PM

Post #2 of 12 (1956 views)
Permalink
Re: Support for merging LPK and hpn-ssh into mainline openssh? [In reply to]
On Tue, 17 Feb 2009, Peter Lambrechtsen wrote:

> Hello
>
> Are there plans to merge the hpn-ssh
> (http://www.psc.edu/networking/projects/hpn-ssh/) and the LPK
> (http://code.google.com/p/openssh-lpk/) into the mainline openssh.
>
> Adding lpk has been logged as a bug in bugzilla as
>
> They are two patches that I always apply as the performance boost from
> hpn-ssh is substantial to say the least, and centralisation of the
> authorized_keys into a LDAP server is a very helpful way to manage the
> authorized keys across a myriad of servers.
>
> Is there any chance these patches could get included into mainline
> openssh?

We are slowly working on SSH performance on high B*D networks, and
OpenSSH 5.1 should be comparable in performance to the HPN patches
for most users - our internal limits should fill a 100Mbps path of
165ms. For reference, the circumference of the earth is 135 ms @ c.
We don't yet have the smarts that the HPN patch has to adjust the
ssh windows to follow TCP autotuning that are probably required to go
further/faster.

I don't think there are any plans to merge the LPK patch. We really
don't want a dependency on LDAP libraries in sshd. Maybe if it were
abstracted into a helper app that sshd could consult to verify keys
then it would be more palatable, but even this is doubtful unless it
can be done in a way that avoids complexity - there is a lot that can
go wrong.

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


plambrechtsen at gmail

Feb 16, 2009, 6:41 PM

Post #3 of 12 (1953 views)
Permalink
Re: Support for merging LPK and hpn-ssh into mainline openssh? [In reply to]
On Tue, Feb 17, 2009 at 3:18 PM, Damien Miller <djm [at] mindrot> wrote:
>
> We are slowly working on SSH performance on high B*D networks, and
> OpenSSH 5.1 should be comparable in performance to the HPN patches
> for most users - our internal limits should fill a 100Mbps path of
> 165ms. For reference, the circumference of the earth is 135 ms @ c.
> We don't yet have the smarts that the HPN patch has to adjust the
> ssh windows to follow TCP autotuning that are probably required to go
> further/faster.

With my tests I have found ~15%+ (depending on a lot of factors like
system load, network congestion, disk subsystem etc) on a GB LAN when
transferring GB files. Having no encryption for the transfer and
using HPN patched OpenSSH 5.1 Client & Server, or WinSCP Client (which
already includes the HPN patches) and OpenSSH 5.1+HPN server. Would
be nice to include, but again understand the complexity with merging
the patch into the current mainline with the myriad of platforms that
are supported by OpenSSH Portable.

> I don't think there are any plans to merge the LPK patch. We really
> don't want a dependency on LDAP libraries in sshd. Maybe if it were
> abstracted into a helper app that sshd could consult to verify keys
> then it would be more palatable, but even this is doubtful unless it
> can be done in a way that avoids complexity - there is a lot that can
> go wrong.

Yes, the OpenLDAP+OpenSSL dependencies can make it a challenge to
compile. However if it was not a default module, and when compiling
OpenSSH you could add --with-ldap=/ldap/shared/libs then that would
give end-users the option to build OpenSSH with LDAP support or not.

Thanks for the response

Peter
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


djm at mindrot

Feb 16, 2009, 8:22 PM

Post #4 of 12 (1956 views)
Permalink
Re: Support for merging LPK and hpn-ssh into mainline openssh? [In reply to]
On Tue, 17 Feb 2009, Peter Lambrechtsen wrote:

> On Tue, Feb 17, 2009 at 3:18 PM, Damien Miller <djm [at] mindrot> wrote:
> >
> > We are slowly working on SSH performance on high B*D networks, and
> > OpenSSH 5.1 should be comparable in performance to the HPN patches
> > for most users - our internal limits should fill a 100Mbps path of
> > 165ms. For reference, the circumference of the earth is 135 ms @ c.
> > We don't yet have the smarts that the HPN patch has to adjust the
> > ssh windows to follow TCP autotuning that are probably required to go
> > further/faster.
>
> With my tests I have found ~15%+ (depending on a lot of factors like
> system load, network congestion, disk subsystem etc) on a GB LAN when
> transferring GB files. Having no encryption for the transfer and
> using HPN patched OpenSSH 5.1 Client & Server, or WinSCP Client (which
> already includes the HPN patches) and OpenSSH 5.1+HPN server. Would
> be nice to include, but again understand the complexity with merging
> the patch into the current mainline with the myriad of platforms that
> are supported by OpenSSH Portable.

Ok, so you are (at least in part) talking about the "none" cipher parts
of the HPN patch. We have no intention of implementing those - have a
look at the list archives to see this discussed ad nauseum.

> > I don't think there are any plans to merge the LPK patch. We really
> > don't want a dependency on LDAP libraries in sshd. Maybe if it were
> > abstracted into a helper app that sshd could consult to verify keys
> > then it would be more palatable, but even this is doubtful unless it
> > can be done in a way that avoids complexity - there is a lot that can
> > go wrong.
>
> Yes, the OpenLDAP+OpenSSL dependencies can make it a challenge to
> compile. However if it was not a default module, and when compiling
> OpenSSH you could add --with-ldap=/ldap/shared/libs then that would
> give end-users the option to build OpenSSH with LDAP support or not.

My concern is more with the complexity and maintenance hassle of LDAP,
not the run-time linkage.

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


hyc at symas

Sep 8, 2009, 1:04 PM

Post #5 of 12 (1637 views)
Permalink
Re: Support for merging LPK and hpn-ssh into mainline openssh? [In reply to]
> From: Damien Miller <djm () mindrot ! org>
> Date: 2009-02-17 4:22:05
> Message-ID: alpine.BSO.2.00.0902171519190.1946 () fuyu ! mindrot ! org

> On Tue, 17 Feb 2009, Peter Lambrechtsen wrote:
>
>> On Tue, Feb 17, 2009 at 3:18 PM, Damien Miller <djm [at] mindrot> wrote:
>> > I don't think there are any plans to merge the LPK patch. We really
>> > don't want a dependency on LDAP libraries in sshd. Maybe if it were
>> > abstracted into a helper app that sshd could consult to verify keys
>> > then it would be more palatable, but even this is doubtful unless it
>> > can be done in a way that avoids complexity - there is a lot that can
>> > go wrong.
>>
>> Yes, the OpenLDAP+OpenSSL dependencies can make it a challenge to
>> compile. However if it was not a default module, and when compiling
>> OpenSSH you could add --with-ldap=/ldap/shared/libs then that would
>> give end-users the option to build OpenSSH with LDAP support or not.
>
> My concern is more with the complexity and maintenance hassle of LDAP,
> not the run-time linkage.

Could you elaborate on this comment? Most sysadmins are looking for this
feature precisely because it *reduces* the complexity and hassle of
maintaining user login info across large networks.

Certainly the existing patch is pretty non-optimal, but the basic idea is
sound. What specific problems are you concerned about?

--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


djm at mindrot

Sep 9, 2009, 10:00 AM

Post #6 of 12 (1629 views)
Permalink
Re: Support for merging LPK and hpn-ssh into mainline openssh? [In reply to]
On Tue, 8 Sep 2009, Howard Chu wrote:

> > My concern is more with the complexity and maintenance hassle of LDAP,
> > not the run-time linkage.
>
> Could you elaborate on this comment? Most sysadmins are looking for this
> feature precisely because it *reduces* the complexity and hassle of
> maintaining user login info across large networks.

Complexity and maintenance hassle _for the OpenSSH developers_.

> Certainly the existing patch is pretty non-optimal, but the basic idea is
> sound.

If you want this, here is the path that I proposed to get it working:

> I don't think there are any plans to merge the LPK patch. We really
> don't want a dependency on LDAP libraries in sshd. Maybe if it were
> abstracted into a helper app that sshd could consult to verify keys
> then it would be more palatable, but even this is doubtful unless it
> can be done in a way that avoids complexity - there is a lot that can
> go wrong.

Patches welcome.

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


hyc at symas

Sep 9, 2009, 11:35 AM

Post #7 of 12 (1631 views)
Permalink
Re: Support for merging LPK and hpn-ssh into mainline openssh? [In reply to]
Damien Miller wrote:
> On Tue, 8 Sep 2009, Howard Chu wrote:
>
>>> My concern is more with the complexity and maintenance hassle of LDAP,
>>> not the run-time linkage.
>>
>> Could you elaborate on this comment? Most sysadmins are looking for this
>> feature precisely because it *reduces* the complexity and hassle of
>> maintaining user login info across large networks.
>
> Complexity and maintenance hassle _for the OpenSSH developers_.
>
>> Certainly the existing patch is pretty non-optimal, but the basic idea is
>> sound.
>
> If you want this, here is the path that I proposed to get it working:
>
>> I don't think there are any plans to merge the LPK patch. We really
>> don't want a dependency on LDAP libraries in sshd. Maybe if it were
>> abstracted into a helper app that sshd could consult to verify keys
>> then it would be more palatable, but even this is doubtful unless it
>> can be done in a way that avoids complexity - there is a lot that can
>> go wrong.

Hmm. Pushing this out to a separate process requires inventing yet another IPC
protocol, and adds one more moving piece that can break. How does this
approach avoid complexity? How is it any hassle to add libldap to the link
dependencies of sshd?

--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


hyc at symas

Sep 9, 2009, 11:39 AM

Post #8 of 12 (1630 views)
Permalink
Re: Support for merging LPK and hpn-ssh into mainline openssh? [In reply to]
Damien Miller wrote:
> On Tue, 8 Sep 2009, Howard Chu wrote:
>
>> > Old news, but ... http://lwn.net/Articles/298833/
>> >
>> > I first posted about this back in 2001 and it's still not resolved:
>> > http://osdir.com/ml/ietf.secsh/2001-09/msg00000.html
> So, if you were thinking about it back in 2001 then why haven't you
> implemented it yet?

The lack of response from the IETF list indicated to me that the likelihood of
getting a protocol extension accepted/adopted was near zero.

> We don't really care for wishlists, but if you come up with a concrete
> specification (in the form of a Internet-draft) or a patch to implement
> your desired behaviour the we can talk about it.

OK. That, at least, invites the possibility.

> Complaining that we
> aren't working to your program is neither effective nor respectful.

I didn't realize that I represented such a minority interest in wanting
security. Sorry for trying to impose my selfish agenda on you.

--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


djm at mindrot

Sep 9, 2009, 11:44 AM

Post #9 of 12 (1628 views)
Permalink
Re: Support for merging LPK and hpn-ssh into mainline openssh? [In reply to]
On Wed, 9 Sep 2009, Howard Chu wrote:

> Hmm. Pushing this out to a separate process requires inventing yet
> another IPC protocol, and adds one more moving piece that can break.
> How does this approach avoid complexity?

It avoids complexity in the critical part - the sshd daemon. It is more
orthogonal too - if someone wants to store keys in xyzdb then they can
make a subprocess to do that too.

> How is it any hassle to add libldap to the link dependencies of sshd?

Because the API presented by the LDAP libraries that I have looked at is
quite ugly, because different platforms have different favourite LDAP
APIs, because we don't want to build in support for every crazy variant
schema that people will inevitably come up with.

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


djm at mindrot

Sep 9, 2009, 11:54 AM

Post #10 of 12 (1632 views)
Permalink
Re: Support for merging LPK and hpn-ssh into mainline openssh? [In reply to]
On Wed, 9 Sep 2009, Howard Chu wrote:

> Damien Miller wrote:
> > On Tue, 8 Sep 2009, Howard Chu wrote:
> >
> > > > Old news, but ... http://lwn.net/Articles/298833/
> > > >
> > > > I first posted about this back in 2001 and it's still not resolved:
> > > > http://osdir.com/ml/ietf.secsh/2001-09/msg00000.html
> > So, if you were thinking about it back in 2001 then why haven't you
> > implemented it yet?
>
> The lack of response from the IETF list indicated to me that the
> likelihood of getting a protocol extension accepted/adopted was near
> zero.

Yeah, it sucks to have to actually do the work in making a wishlist
item into a proposal that people can evaluate.

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


hyc at symas

Sep 9, 2009, 12:17 PM

Post #11 of 12 (1628 views)
Permalink
Re: Support for merging LPK and hpn-ssh into mainline openssh? [In reply to]
Damien Miller wrote:
> On Wed, 9 Sep 2009, Howard Chu wrote:
>
>> Damien Miller wrote:
>>> On Tue, 8 Sep 2009, Howard Chu wrote:
>>>
>>>>> Old news, but ... http://lwn.net/Articles/298833/
>>>>>
>>>>> I first posted about this back in 2001 and it's still not resolved:
>>>>> http://osdir.com/ml/ietf.secsh/2001-09/msg00000.html
>>> So, if you were thinking about it back in 2001 then why haven't you
>>> implemented it yet?

>> The lack of response from the IETF list indicated to me that the
>> likelihood of getting a protocol extension accepted/adopted was near
>> zero.

> Yeah, it sucks to have to actually do the work in making a wishlist
> item into a proposal that people can evaluate.

Given the existence of this feature in telnet, with its complete behavior
already spelled out in RFCs http://www.ietf.org/rfc/rfc1184.txt the only thing
left is to map the command sequences into the ssh protocol, which can be
accomplished pretty mechanically. Actual implementations in the telnet context
have been available to evaluate for 2 decades. If you go back through the
comp.sources.unix archives from 1989 or so you'll also find the patches I
wrote to implement a local command history buffer (ala Gnu readline, but
obviously different since that didn't exist yet) for the telnet client.

If you need to evaluate how well the feature can work, and how much work it is
to implement it, then you already have all the information you need.

--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


djm at mindrot

Sep 9, 2009, 12:57 PM

Post #12 of 12 (1627 views)
Permalink
Re: Support for merging LPK and hpn-ssh into mainline openssh? [In reply to]
On Wed, 9 Sep 2009, Howard Chu wrote:

> Given the existence of this feature in telnet, with its complete behavior
> already spelled out in RFCs http://www.ietf.org/rfc/rfc1184.txt the only thing
> left is to map the command sequences into the ssh protocol, which can be
> accomplished pretty mechanically. Actual implementations in the telnet context
> have been available to evaluate for 2 decades. If you go back through the
> comp.sources.unix archives from 1989 or so you'll also find the patches I
> wrote to implement a local command history buffer (ala Gnu readline, but
> obviously different since that didn't exist yet) for the telnet client.

It sounds like you are uniquely familiar with what needs to be done, so
you should get on it right away.

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

OpenSSH dev RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.