[pve-devel] High Performance SSH
Martin Waschbüsch
service at waschbuesch.it
Fri May 29 09:02:15 CEST 2015
> On 28.05.2015 at 12:55, dea <dea at corep.it> wrote:
>
>
>> I don't think it is wise to play with security-related software in
>> the stack. If OpenBSD and Debian (or for the matter all the other
>> distros) haven't applied those patches, I'm sure there is some
>> reason, although maybe it being only "uncertainty".
>
> Yes, that is true.
>
> But I think that between an unencrypted connection (from cluster nodes) and a maybe
> insecure patched ssh connection there is a lot of difference.
>
> We can use a patched ssh connection on a special port only to connect nodes
> (live migration, etc.), then use a standard Debian ssh daemon on the standard port
> to admin the cluster.
It is also possible to speed up transfers over ssh by selecting a cipher.
Basically, you can choose to use a less secure cipher in favor of better speed.
Using Debian Wheezy here (or rather Proxmox VE 3.4):
Over a gigabit connection, scp gives me around 65 MB/s.
If I specify, for instance, the RC4 cipher like this

    scp -c arcfour source destination

I get around 105 MB/s.
Same options are possible for ssh, e.g. when using rsync et al.
However, apart from this being *nice*, I really doubt any such tweaks should be made.
All manner of things can change and be a real PITA.
E.g. available ciphers in upstream packages can change, a new version of SSH that those patches do not work with yet, etc.
In short: This is best left to upstream *unless* we are prepared to permanently support our own SSH package.
Best,
Martin Waschbüsch
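
An added example, not part of the original message: a small shell audit that reports where a `Ciphers` directive in ssh_config or sshd_config text enables RC4 (`arcfour*`), the speed-for-security trade discussed above. The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: list RC4 ciphers enabled by "Ciphers" directives.
# Reads ssh_config / sshd_config text on stdin, prints one cipher per line.
weak_ciphers() {
    awk '
    {
        line = $0
        sub(/^[ \t]+/, "", line)                  # keywords may be indented
        if (line ~ /^#/) next                     # comment line
        if (tolower(line) !~ /^ciphers[ \t=]/) next
        sub(/^[A-Za-z]+[ \t]*=?[ \t]*/, "", line) # drop keyword and separator
        if (line ~ /^-/) next                     # "-list" removes ciphers
        sub(/^[+^]/, "", line)                    # "+list" and "^list" add ciphers
        n = split(line, c, ",")
        for (i = 1; i <= n; i++) {
            gsub(/[ \t"]/, "", c[i])
            if (c[i] ~ /^arcfour/) print c[i]     # arcfour, arcfour128, arcfour256
        }
    }'
}

# Constructed sample client configuration (not taken from any real host).
sample_config() {
    cat <<'EOF'
# Ciphers arcfour
Host migration-net
    Ciphers aes128-ctr,arcfour256,arcfour
Host admin
    ciphers=aes256-ctr,aes128-ctr
EOF
}

# Returns 1 when any RC4 cipher is enabled, so it can gate a config check.
audit_config() {
    found=$(weak_ciphers)
    if [ -n "$found" ]; then
        printf 'RC4 cipher enabled: %s\n' $found
        return 1
    fi
    return 0
}

sample_config | audit_config || echo "audit failed for sample config"
```

On a server, the effective setting can be checked the same way with `sshd -T | weak_ciphers`.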