Re: Load estimation - SSH on HP-UX

From: Darren Tucker (dtucker_at_gate.dodgy.net.au)
Date: 07/11/05

    Date: 11 Jul 2005 07:12:08 GMT

    On 2005-07-07, Vadim Barshtak <vadim@xpert.com> wrote:
    > We are looking for a high-performance SSH solution for HP-UX platform.
    > The idea is to protect an existing application, so the server should
    > perform port forwarding only.
    >
    > A couple of requirements:
    > 1) Should run on HP-UX B.11.11 U 9000/800
    > 2) Hardware configuration - 1 HP server with 8CPUs 16GB RAM
    > 3) We need to support up to 1000 concurrent connections (open tunnels).
    > 4) The upper limit expected connection growth - 50 / minute (let's say,
    > 1 new connection per second).
    >
    > OK, now the questions:
    > 1) Do you think it is applicable? Can such hardware handle such
    > CPU-intensive requirements?

    Probably yes, it depends on how you intend it to work. The answers
    depend on whether or not you intend to:

    A) Run one SSH session per forwarded connection.

    B) Use a single SSH session with a large number of forwarded connections.

    The remainder of this post is specific to OpenSSH and may or may not apply
    to other software.

    Either way, allowing only port-forwarding is simple: set the account's
    shell to be, eg /bin/true and add it to /etc/shells, then use the ssh -N
    option (or its equivalent) on the client. The clients will be able to
    authenticate and forward ports, but not run anything (other than "true"
    :-) on the server.

    For A), the limiting factor is likely to be memory consumed by the sshd
    processes (there will be two sshd's per connection if privsep is enabled,
    one per connection otherwise) and the speed at which connections (SSH
    handshake) can be performed.

    With my old C-class (236MHz) as a server, I can establish a single SSHv2
    connection in about 0.8 sec and could probably reduce that by 20-30%
    with a bit of tuning, so 1 per second is probably within easy reach of
    your hardware. The sshd processes have a resident size of around 600KB
    each (as shown by "top").

    For B), the limiting factors are probably going to be:
     B1) There's a sanity-check limit of the number of port forwards of 100
         per direction. (look in ssh.h for SSH_MAX_FORWARDS_PER_DIRECTION,
         you can bump this at compile time).
     B2) Per-process descriptor limits (probably just need to bump "nofiles"
         with ulimit).

    It is very unlikely that symmetric encryption speed is going to be a
    limiting factor. The aforementioned C-class can do 128-bit AES at
    8 MBytes/sec and arcfour at 27 MBytes/sec. (That's raw speed from
    "openssl speed", throughput in ssh will be lower, but I can still push
    4 MByte/s onto /dev/null on my C-class over the wire with 128-bit AES.)

    > 2) If so, will it work with OpenSSH or a commercial solution will be
    > required (maybe Tectia - please recommend)?

    I'm biased so I won't make a recommendation.

    > 3) In case of OpenSSH:
    > a. Do you recommend compiling for 64 bit, or just use 32bit?

    32bit, possibly tuning the compiler options on OpenSSL, zlib and OpenSSH
    to suit your system. I would also make sure you have a good entropy
    source (a real /dev/random device if you can get one, otherwise prngd).

    > b. Is sshd optimized to run on several CPUs?

    In the case of A) above, yes. There will be multiple sshd's and they
    may be scheduled to run on as many CPUs as your system has. In the case
    of B), no, there will be only a single process and no threads (but it's
    not likely to matter, see above).

    > c. Is there any way to tune number of processes / threads etc, in
    > order to optimize the performance?

    For threads/processes, no, not really. For other things there's some
    hints here: http://www.openssh.com/faq.html#3.3
    There may be other tuning things that can be done to suit your
    environment.

    -- 
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
    
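The post gives a recipe (no-op login shell listed in /etc/shells, clients using ssh -N) and a handful of sizing figures (600KB resident per sshd, two sshd processes per connection with privsep, roughly 0.8 s per handshake, a default cap of 100 forwards per direction). The script below is an added example, not part of the original thread and not OpenSSH's own code: it verifies that an account really has a no-op shell that sshd will accept, and turns the quoted figures into a capacity estimate for schemes A and B. The passwd and shells data are constructed; the per-handshake time and per-process memory are the post's numbers, which you would replace with measurements from your own host.

```shell
#!/bin/sh
# Added example (not from the original post): verify a "forwarding-only"
# account and estimate sshd load from the figures quoted in the thread.
# The passwd/shells data in demo() are constructed sample data.

# forward_only_ok USER PASSWD_FILE SHELLS_FILE
# Returns 0 when USER's login shell is a no-op shell and that shell is
# listed in SHELLS_FILE (otherwise sshd treats the account as disabled).
# Returns 1 for a real shell or an unknown account.
forward_only_ok() {
    user=$1; passwd=$2; shells=$3
    shell=$(awk -F: -v u="$user" '$1 == u { print $7; found = 1 }
                    END { if (!found) exit 1 }' "$passwd") || return 1
    case "$shell" in
        /bin/true|/usr/bin/true|/bin/false) ;;
        *) return 1 ;;
    esac
    grep -qx "$shell" "$shells"
}

# estimate_sshd_rss_kb CONNS PRIVSEP RSS_KB
# Scheme A (one SSH session per forwarded connection): two sshd processes
# per connection with privilege separation, one without.
estimate_sshd_rss_kb() {
    conns=$1; privsep=$2; rss_kb=$3
    if [ "$privsep" -eq 1 ]; then per_conn=2; else per_conn=1; fi
    echo $(( conns * per_conn * rss_kb ))
}

# handshake_capacity_per_min CPUS HANDSHAKE_MS
# Rough upper bound on new sessions per minute if each SSH handshake keeps
# one CPU busy for HANDSHAKE_MS milliseconds (integer arithmetic).
handshake_capacity_per_min() {
    cpus=$1; ms=$2
    echo $(( cpus * 60000 / ms ))
}

# sessions_for_scheme_b TUNNELS MAX_PER_DIRECTION
# Scheme B: SSH sessions needed to carry TUNNELS forwards when sshd caps
# forwards per direction at MAX_PER_DIRECTION (100 unless rebuilt).
sessions_for_scheme_b() {
    tunnels=$1; max=$2
    echo $(( (tunnels + max - 1) / max ))
}

# Demo on constructed data; the "tunnel" account follows the post's recipe.
demo() {
    tmp=${TMPDIR:-/tmp}/fwdonly.$$
    mkdir -p "$tmp"
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/:/sbin/sh
tunnel:x:501:20:forwarding only:/home/tunnel:/bin/true
appuser:x:502:20:app:/home/appuser:/usr/bin/ksh
EOF
    cat > "$tmp/shells" <<'EOF'
/sbin/sh
/usr/bin/ksh
/bin/true
EOF
    for u in tunnel appuser root; do
        if forward_only_ok "$u" "$tmp/passwd" "$tmp/shells"; then
            echo "$u: forwarding-only"
        else
            echo "$u: can run commands (or unknown account)"
        fi
    done
    echo "scheme A, 1000 conns, privsep, 600KB each: $(estimate_sshd_rss_kb 1000 1 600) KB"
    echo "8 CPUs at 800 ms per handshake: $(handshake_capacity_per_min 8 800) sessions/min"
    echo "scheme B, 1000 tunnels, 100 per direction: $(sessions_for_scheme_b 1000 100) sessions"
    rm -rf "$tmp"
}
demo
```

The account check only confirms that the user cannot obtain a command shell; it says nothing about which ports the session may forward, which the no-op-shell recipe does not restrict. The capacity figures are upper bounds from a single-host measurement in the post, so treat them as a first cut before measuring on the real hardware.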