3.4p1 ssh-agent auth-retry patch available: was: Re: Updated ssh-agent authentication retry patch available

Kevin Currie kcurrie at cisco.com
Sat Aug 24 00:58:22 EST 2002



Kevin Steves wrote:

| Can you provide more info about how you run these commands?  What is a
| high-water mark for simultaneous agent connections in this
| environment?  Can you profile the agent (prof/gprof)?

	To be honest we never went as far as trying to profile ssh-agent to
determine where the bottleneck was, but I can tell you that the agent chews
a lot of CPU when it's trying to authenticate many connections (typically 80%+ CPU).

	We basically have a script called "doagent" which you point at a key,
then enter your password when prompted.  It uses perl/expect to then start
10 agents (default, # can be specified), and writes a file which contains
the listing of all the SSH_AUTH_SOCK and SSH_AGENT_PID values.  My coworker
wrote a great perl script which cycles through the variables before running
the ssh commands, thus balancing the requests across the agents.  This script
does much more than that though, as it also is able to run scripts on the remote
host without having to store them on the remote host at all if they are perl,
or if they are shell code they will be transferred and stored in a tmp dir,
run, and then deleted.  I've also written a simple shell script which you
can use in place of ssh/scp/sftp which looks at the ~/.ssh/.myagents* files,
picks a random agent out of that list, sets the 2 vars to attach to that
agent and then runs the command.  By doing things this way I can do things
like this:
foreach var ( `cat host_list`)
ssha $var "uptime"  &
end

The ssha/sftpa/scpa script is really called "nexta" and one could also
use it to run another command with modified agent variables like this:

nexta rsync -e ssh -avr host:/home/blah  /home/newblah

	I cannot release these scripts at this time, but apparently we
have the go ahead to release them publicly in the near future.  Now that
the idea is out, I expect several people will create similar scripts in
no time :-)


--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~ Kevin Currie          |        |          |       |
~ SysAdmin/ECS Security |      .|||.      .|||.     |	  Email:
~ Cisco Systems         | ..:|||||||:...:|||||||:.. | kcurrie(at)cisco.com
~ Austin, Texas         |---------------------------|
~~~~~~~~GPG/PGP public key: https://undertow.2y.net/kcurrie.pub~~~~~~~~~~
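The following is an added example, not the poster's "doagent"/"nexta" scripts: a minimal POSIX sh sketch of the same idea, starting several agents, recording their sockets, and running each command against a randomly chosen agent. It assumes an agent list format of one "<SSH_AUTH_SOCK> <SSH_AGENT_PID>" per line in $AGENTS_FILE (the post only names ~/.ssh/.myagents*), and the sample list is constructed so the selection logic can run offline.

```shell
#!/bin/sh
# Added example, not the original poster's scripts. Assumed list format:
# one "<SSH_AUTH_SOCK> <SSH_AGENT_PID>" per line in $AGENTS_FILE.
AGENTS_FILE="${AGENTS_FILE:-$HOME/.ssh/.myagents}"

# doagent-style: start N agents, load one key into each, record their sockets.
# ssh-add prompts once per agent here; the post used expect to type it once.
start_agents() {
  key=$1; n=${2:-10}; : > "$AGENTS_FILE"
  i=0
  while [ "$i" -lt "$n" ]; do
    eval "$(ssh-agent -s)" >/dev/null   # exports SSH_AUTH_SOCK/SSH_AGENT_PID
    ssh-add "$key" && echo "$SSH_AUTH_SOCK $SSH_AGENT_PID" >> "$AGENTS_FILE"
    i=$((i + 1))
  done
}

# Constructed sample list so the selection logic can be exercised offline.
write_sample_agents() {
  printf '%s\n' '/tmp/ssh-a1/agent.101 101' \
                '/tmp/ssh-a2/agent.202 202' \
                '/tmp/ssh-a3/agent.303 303' > "$1"
}

# Number of non-blank lines (agents) in the list file.
count_agents() { grep -c '[^[:space:]]' "$1" || true; }

# Print the Nth (1-based) agent line; with no N, pick one at random.
pick_agent() {
  file=$1; n=${2:-}
  total=$(count_agents "$file")
  [ "$total" -gt 0 ] || { echo "no agents listed in $file" >&2; return 1; }
  [ -n "$n" ] || n=$(( $(od -An -N2 -tu2 /dev/urandom) % total + 1 ))
  sed -n "${n}p" "$file"
}

# nexta-style: run any command (ssh, scp, sftp, rsync -e ssh, ...) with the
# agent variables pointed at a randomly chosen agent from the list.
nexta() {
  line=$(pick_agent "$AGENTS_FILE") || return 1
  SSH_AUTH_SOCK=${line%% *} SSH_AGENT_PID=${line##* } "$@"
}
```

With the list populated, `nexta ssh host uptime &` in a loop over a host list spreads the signing load across the agents as the post describes.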





