openssh as a proxy: ForceCommand limitations & speed penalty
Damien Miller
djm at mindrot.org
Wed Feb 23 07:01:04 EST 2011
On Sun, 20 Feb 2011, Amr Saad wrote:
> I've hit two roadblocks while using openssh -D as a general proxy:
>
> - openssh doesn't have an internal-null, so the options are to either
> give the user account a real shell and ForceCommand, or set the shell
> to something like /bin/cat and ChrootDirectory. I don't want
> proxy-only accounts to have a shell at all.
You shouldn't have to give proxy-only accounts a shell. Additionally you can
ForceCommand /dev/null in case they request one. Normally a proxy user
should be using "ssh -nN" anyway.
> - Comparing mini-httpd SSL/aes256 vs mini-httpd (localhost/no SSL) via
> openssh -D/aes256 shows a c. 20% speed penalty on urandom blocks. Is
> this expected?
I haven't looked, but I wouldn't be surprised. Have you tried a faster MAC,
such as umac-64@openssh.com?
-d
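The reply's approach (no shell for the proxy account, a forced command to refuse session requests, and clients connecting with "ssh -nN") spelled out as an sshd_config Match block, with a small check that a config actually carries those directives. This is an added example, not configuration from the thread or from the OpenSSH project; the account name "proxyuser" and the SOCKS port in the usage note are assumptions for illustration.

```shell
#!/bin/sh
# Added example: hardening a forwarding-only account in sshd_config.
# "proxyuser" is an assumed account name, not one from the thread.

# Emit the Match block for the proxy-only account. sshd executes a forced
# command through the user's login shell, so with ForceCommand /dev/null any
# session request fails; a client started with "ssh -nN" never requests a
# session at all and only opens forwarding channels.
proxy_match_block() {
    cat <<'EOF'
Match User proxyuser
    ForceCommand /dev/null
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    AllowTcpForwarding yes
EOF
}

# Read an sshd_config on stdin and verify that the Match block for proxyuser
# contains the directives a proxy-only account needs. Exit status 0 when all
# are present; otherwise print the missing ones and exit 1.
check_proxy_block() {
    awk '
        /^Match[ \t]+User[ \t]+proxyuser/ { inblock = 1; next }
        /^Match[ \t]/                     { inblock = 0 }
        inblock && $1 == "ForceCommand"       && $2 == "/dev/null" { seen["fc"]  = 1 }
        inblock && $1 == "PermitTTY"          && $2 == "no"        { seen["tty"] = 1 }
        inblock && $1 == "AllowTcpForwarding" && $2 == "yes"       { seen["fwd"] = 1 }
        END {
            missing = ""
            if (!seen["fc"])  missing = missing " ForceCommand"
            if (!seen["tty"]) missing = missing " PermitTTY"
            if (!seen["fwd"]) missing = missing " AllowTcpForwarding"
            if (missing != "") { print "missing:" missing; exit 1 }
        }
    '
}

# Stand-alone run: print the block, then confirm it passes the check.
proxy_match_block
proxy_match_block | check_proxy_block && echo "proxy-only block OK"
```

After appending the block to sshd_config, the effective settings for that account can be confirmed with "sshd -T -C user=proxyuser" before reloading. On the client side the account is then used with "ssh -nN -D 1080 proxyuser@host" (port 1080 assumed), which opens the SOCKS listener without ever asking for a session; adding "-m umac-64@openssh.com" selects the faster MAC suggested in the reply.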