Support for merging LPK and hpn-ssh into mainline openssh?

Damien Miller djm at mindrot.org
Tue Feb 17 15:22:05 EST 2009


On Tue, 17 Feb 2009, Peter Lambrechtsen wrote:

> On Tue, Feb 17, 2009 at 3:18 PM, Damien Miller <djm at mindrot.org> wrote:
> >
> > We are slowly working on SSH performance on high B*D networks, and
> > OpenSSH 5.1 should be comparable in performance to the HPN patches
> > for most users - our internal limits should fill a 100Mbps path of
> > 165ms. For reference, the circumference of the earth is 135 ms @ c.
> > We don't yet have the smarts that the HPN patch has to adjust the
> > ssh windows to follow TCP autotuning that are probably required to go
> > further/faster.
> 
> With my tests I have found ~15%+ (depending on a lot of factors like
> system load, network congestion, disk subsystem etc) on a GB LAN when
> transferring GB files.  Having no encryption for the transfer and
> using HPN patched OpenSSH 5.1 Client & Server, or WinSCP Client (which
> already includes the HPN patches) and OpenSSH 5.1+HPN server.  Would
> be nice to include, but again understand the complexity with merging
> the patch into the current mainline with the myriad of platforms that
> are supported by OpenSSH Portable.

Ok, so you are (at least in part) talking about the "none" cipher parts
of the HPN patch. We have no intention of implementing those - have a
look at the list archives to see this discussed ad nauseam.

> > I don't think there are any plans to merge the LPK patch. We really
> > don't want a dependency on LDAP libraries in sshd. Maybe if it were
> > abstracted into a helper app that sshd could consult to verify keys
> > then it would be more palatable, but even this is doubtful unless it
> > can be done in a way that avoids complexity - there is a lot that can
> > go wrong.
> 
> Yes, the OpenLDAP+OpenSSL dependencies can make it a challenge to
> compile.  However, if it were not a default module, and when compiling
> OpenSSH you could add --with-ldap=/ldap/shared/libs, then that would
> give end-users the option to build OpenSSH with LDAP support or not.

My concern is more with the complexity and maintenance hassle of LDAP,
not the run-time linkage.

-d
