openssh as a proxy: ForceCommand limitations & speed penalty

Amr Saad as.amr.saad at gmail.com
Wed Feb 23 09:56:10 EST 2011


On Tue, Feb 22, 2011 at 3:01 PM, Damien Miller <djm at mindrot.org> wrote:

> You shouldn't have to give proxy-only accounts a shell. Additionally you can
> ForceCommand /dev/null in case they request one. Normally a proxy user
> should be using "ssh -nN" anyway.

ssh -nN is the best option, but ups the support burden if its absence
breaks users. I ended up with:
$ echo 'int main(void){for(;;)pause();}'|cc -xc -static -include unistd.h -onoshell -
to combine ForceCommand & ChrootDirectory.

>> - Comparing mini-httpd SSL/aes256 vs mini-httpd (localhost/no SSL) via
>> openssh -D/aes256 shows a c. 20% speed penalty on urandom blocks. Is
>> this expected?
>
> I haven't looked, but I wouldn't be surprised. Have you tried a faster MAC,
> such as umac-64@openssh.com?

Will try it, but neither host was cpu-bound.
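An sshd_config sketch of the proxy-only setup discussed in this thread (ForceCommand plus ChrootDirectory, with the faster MAC), added here as an illustration and not part of the original exchange; the group name, chroot path and the location of the static noshell binary are assumptions:

```sshd_config
# Added example, not from the thread. Assumed: group "proxyonly", chroot
# /var/empty/proxyjail, the static noshell binary copied to
# /var/empty/proxyjail/noshell, and the accounts' login shell set to
# /noshell. ForceCommand is run through the login shell with -c, so a
# static stub that ignores its arguments and blocks means no real shell
# or libraries have to exist inside the chroot.

# MACs is a global keyword (not accepted inside Match). umac-64@openssh.com
# is the faster MAC suggested in the thread; the client can request it
# with "-m umac-64@openssh.com". hmac-sha1 is kept as a fallback.
MACs umac-64@openssh.com,hmac-sha1

Match Group proxyonly
    # Must be root-owned and not group/world-writable, or sshd refuses it.
    ChrootDirectory /var/empty/proxyjail
    # Path is relative to the chroot; whatever the client asks for, only
    # the blocking stub runs.
    ForceCommand /noshell
    # The one capability these accounts need: "ssh -nN -D 1080 user@host".
    AllowTcpForwarding yes
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    PermitTunnel no
    # Optional: limit where the SOCKS proxy may connect.
    #PermitOpen 10.0.0.5:443
```

Check the result with `sshd -t` before reloading; a bad ChrootDirectory ownership or a stray keyword in the Match block is reported there rather than at the first login.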


More information about the openssh-unix-dev mailing list