[pve-devel] High Performance SSH

Martin Waschbüsch service at waschbuesch.it
Fri May 29 09:02:15 CEST 2015


> Am 28.05.2015 um 12:55 schrieb dea <dea at corep.it>:
> 
> 
>> I don't think it is wise to play with security-related software in
>> the stack. If OpenBSD and Debian (or for the matter all the other
>> distros) haven't applied those patches, I'm sure there is some
>> reason, although maybe it being only "uncertainty".
> 
> Yes, is true.
> 
> But I think that from an uncrypted connection (from cluster nodes) and a maybe
> insecure ssh patched connection there is a lot of difference.
> 
> We can use a patched ssh connection on special port only to connect nodes
> (live migration, etc), than use a standard Debian ssh daemon on standard port
> to admin the cluster.

It is also possible to speed up transfers over ssh by selecting a cipher.
Basically, you can choose to use a less secure cipher in favor of better speed.
Using Debian Wheezy here (or rather Proxmox VE 3.4):
Over a gigabit connection, scp gives me around 65MB/s.
If I specify, for instance, the RC4 cipher like this

scp -c arcfour source destination

I get around 105 MB/s.

Same options are possible for ssh, e.g. when using rsync et al.

However, apart from this being *nice*, I really doubt any such tweaks should be made.
All manner of things can change and  be a real PITA.
E.g. available ciphers in upstream packages can change, a new version of SSH that those patches do not work with yet, etc.

In short: This is best left to upstream *unless* we are prepared to permanently support our own SSH package.


Best,

Martin Waschbüsch
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 496 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://pve.proxmox.com/pipermail/pve-devel/attachments/20150529/7e86bbfc/attachment.sig>


More information about the pve-devel mailing list