[pve-devel] High Performance SSH
service at waschbuesch.it
Fri May 29 09:02:15 CEST 2015
> Am 28.05.2015 um 12:55 schrieb dea <dea at corep.it>:
>> I don't think it is wise to play with security-related software in
>> the stack. If OpenBSD and Debian (or for that matter all the other
>> distros) haven't applied those patches, I'm sure there is some
>> reason, although maybe it being only "uncertainty".
> Yes, is true.
> But I think that from an unencrypted connection (from cluster nodes) and a maybe
> insecure ssh patched connection there is a lot of difference.
> We can use a patched ssh connection on special port only to connect nodes
> (live migration, etc), then use a standard Debian ssh daemon on standard port
> to admin the cluster.
It is also possible to speed up transfers over ssh by selecting a cipher.
Basically, you can choose to use a less secure cipher in favor of better speed.
Using Debian Wheezy here (or rather Proxmox VE 3.4):
Over a gigabit connection, scp gives me around 65MB/s.
If I specify, for instance, the RC4 cipher like this

    scp -c arcfour source destination

I get around 105 MB/s.
Same options are possible for ssh, e.g. when using rsync et al.
However, apart from this being *nice*, I really doubt any such tweaks should be made.
All manner of things can change and be a real PITA.
E.g. available ciphers in upstream packages can change, a new version of SSH that those patches do not work with yet, etc.
In short: This is best left to upstream *unless* we are prepared to permanently support our own SSH package.
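Added example, not part of the original message and not Proxmox or OpenSSH code: a small audit that reads sshd_config-style text and reports whether a speed-motivated cipher choice such as the arcfour one discussed above has ended up enabled. The function names, the sample config and the set of patterns treated as weak (RC4 and CBC modes) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original mail. The weak-cipher patterns
# (RC4 and CBC modes) are this example's assumption, not a list from the thread.

# Print the first "Ciphers" value found in sshd_config-style text on stdin.
# OpenSSH uses the first value it obtains for a keyword; commented-out
# lines are skipped because their first field is not the bare keyword.
# Match blocks and +/-/^ list modifiers are not evaluated here.
ciphers_from_config() {
    awk 'tolower($1) == "ciphers" { print $2; exit }'
}

# Print every cipher in a comma-separated list that matches a weak pattern.
weak_ciphers() {
    old_ifs=$IFS
    IFS=,
    for c in $1; do
        case $c in
            arcfour*|*-cbc|*-cbc@*) printf '%s\n' "$c" ;;
        esac
    done
    IFS=$old_ifs
}

# Audit config text on stdin: list weak ciphers, return 1 if any are enabled.
audit_ciphers() {
    list=$(ciphers_from_config)
    weak=$(weak_ciphers "$list")
    [ -z "$weak" ] && return 0
    printf 'weak cipher enabled: %s\n' $weak
    return 1
}

# Constructed sample: a config that was tuned for speed as described above.
SAMPLE_TUNED='# Ciphers aes256-ctr
Port 22
ciphers arcfour,aes128-ctr,aes128-cbc
Ciphers aes256-ctr'

printf '%s\n' "$SAMPLE_TUNED" | audit_ciphers || echo "audit failed"
```

Piping the output of `sshd -T` into `audit_ciphers` checks the expanded list the daemon actually uses rather than the raw file.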