<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2653.12">
<TITLE>RE: A question about OpenSSH_3.4p1 on Solaris 8</TITLE>
</HEAD>
<BODY>
<P><FONT SIZE=2>The only time that I think a person should be concerned is if you have a very constrained process table and a lot of users. It will take up extra process table entries, but that should be about it.</FONT></P>
<P><FONT SIZE=2>-----Original Message-----</FONT>
<BR><FONT SIZE=2>From: William R. Knox</FONT>
<BR><FONT SIZE=2>To: Roger Wang</FONT>
<BR><FONT SIZE=2>Cc: openssh-unix-dev@mindrot.org</FONT>
<BR><FONT SIZE=2>Sent: 10/25/02 12:50 PM</FONT>
<BR><FONT SIZE=2>Subject: Re: A question about OpenSSH_3.4p1 on Solaris 8</FONT>
</P>
<P><FONT SIZE=2>I assume that the CPU overhead of splitting the processing into the two</FONT>
<BR><FONT SIZE=2>separate processes involves only the communication between the processes,</FONT>
<BR><FONT SIZE=2>given that the root process only handled things that have to be handled by</FONT>
<BR><FONT SIZE=2>root and the user-owned process takes care of everything else - therefore,</FONT>
<BR><FONT SIZE=2>there should be VERY little increased load as a result of privilege</FONT>
<BR><FONT SIZE=2>separation (which you can turn off as well, if you like) and only a</FONT>
<BR><FONT SIZE=2>limited additional memory use (for the additional process). Worth it for</FONT>
<BR><FONT SIZE=2>the protection, I think.</FONT>
</P>
<P> <FONT SIZE=2>Bill Knox</FONT>
<BR> <FONT SIZE=2>Senior Operating Systems Programmer/Analyst</FONT>
<BR> <FONT SIZE=2>The MITRE Corporation</FONT>
</P>
<P><FONT SIZE=2>On Fri, 25 Oct 2002, Ben Lindstrom wrote:</FONT>
</P>
<P><FONT SIZE=2>> Date: Fri, 25 Oct 2002 10:53:38 -0500 (CDT)</FONT>
<BR><FONT SIZE=2>> From: Ben Lindstrom &lt;mouring@etoh.eviladmin.org&gt;</FONT>
<BR><FONT SIZE=2>> To: Roger Wang &lt;xiwang17@yahoo.com&gt;</FONT>
<BR><FONT SIZE=2>> Cc: openssh-unix-dev@mindrot.org</FONT>
<BR><FONT SIZE=2>> Subject: Re: A question about OpenSSH_3.4p1 on Solaris 8</FONT>
<BR><FONT SIZE=2>></FONT>
<BR><FONT SIZE=2>> On Fri, 25 Oct 2002, Roger Wang wrote:</FONT>
<BR><FONT SIZE=2>></FONT>
<BR><FONT SIZE=2>> > Ben, thanks for the reply.</FONT>
<BR><FONT SIZE=2>> ></FONT>
<BR><FONT SIZE=2>> > What made me curious is there is only one "sshd"</FONT>
<BR><FONT SIZE=2>> > daemon generated for commercial SSH - I'm testing both</FONT>
<BR><FONT SIZE=2>> > commercial SSH and openSSH.</FONT>
<BR><FONT SIZE=2>> ></FONT>
<BR><FONT SIZE=2>></FONT>
<BR><FONT SIZE=2>> The reason is the commercial version of ssh lumps all root critical and</FONT>
<BR><FONT SIZE=2>> non root critical code into one process. They step up or down the</FONT>
<BR><FONT SIZE=2>> security as they need it. In the past such designs have proven that any</FONT>
<BR><FONT SIZE=2>> slightest buffer overflow or bad coding can/will cause a compromised server.</FONT>
<BR><FONT SIZE=2>></FONT>
<BR><FONT SIZE=2>> > Appreciate if you can give more input on this. I have</FONT>
<BR><FONT SIZE=2>> > concern about the performance impact of "sshd".</FONT>
<BR><FONT SIZE=2>> ></FONT>
<BR><FONT SIZE=2>></FONT>
<BR><FONT SIZE=2>> Never benchmarked it.. But I see one BSD server I connect to has 33 people</FONT>
<BR><FONT SIZE=2>> on it and who knows what else is running on it. It seems to be doing</FONT>
<BR><FONT SIZE=2>> very well (0.33 load or less). Not dead sure what hardware, but I know it</FONT>
<BR><FONT SIZE=2>> is Intel and not multiple processors.</FONT>
<BR><FONT SIZE=2>></FONT>
<BR><FONT SIZE=2>> - Ben</FONT>
<BR><FONT SIZE=2>></FONT>
<BR><FONT SIZE=2>> _______________________________________________</FONT>
<BR><FONT SIZE=2>> openssh-unix-dev@mindrot.org mailing list</FONT>
<BR><FONT SIZE=2>> <A HREF="http://www.mindrot.org/mailman/listinfo/openssh-unix-dev" TARGET="_blank">http://www.mindrot.org/mailman/listinfo/openssh-unix-dev</A></FONT>
<BR><FONT SIZE=2>></FONT>
</P>
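<P><FONT SIZE=2>The two-process split discussed in this thread, as an added example that is not part of the original messages and is not OpenSSH source code: a parent "monitor" keeps the privileged check and answers one request type over a socketpair, while a forked child drops root (if it has it) before asking. Assumptions: uid/gid 65534 as the unprivileged account, and a constructed secret standing in for data only root can read; all names are hypothetical.</FONT></P>

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

enum { DENIED = 0, GRANTED = 1, REFUSED = 2, FAILED = 3 };
enum { REQ_AUTH = 1 };      /* the only request type the monitor serves */
#define UNPRIV_ID 65534     /* assumption: uid/gid of an unprivileged account */
struct req { uint8_t type; char data[64]; };

/* Monitor side: stand-in for a check that needs data only root can read. */
static uint8_t monitor_answer(const struct req *r) {
    static const char secret[] = "s3cret-constructed";  /* constructed sample */
    if (r->type != REQ_AUTH) return REFUSED;             /* narrow interface */
    return strcmp(r->data, secret) == 0 ? GRANTED : DENIED;
}

/* Child side: give up root (when we have it), then ask the monitor. */
static void child_run(int fd, uint8_t type, const char *data) {
    struct req r = { .type = type };
    uint8_t reply = FAILED;
    if (geteuid() == 0 && (setgroups(0, NULL) || setgid(UNPRIV_ID) || setuid(UNPRIV_ID)))
        _exit(FAILED);                    /* never continue with root intact */
    strncpy(r.data, data, sizeof r.data - 1);
    if (write(fd, &r, sizeof r) != (ssize_t)sizeof r || read(fd, &reply, 1) != 1)
        _exit(FAILED);
    _exit(reply);
}

/* Runs one exchange and returns the verdict the child received. */
int privsep_request(uint8_t type, const char *data) {
    int sv[2], status, ok;
    struct req r; uint8_t reply;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return FAILED;
    pid_t pid = fork();
    if (pid < 0) { close(sv[0]); close(sv[1]); return FAILED; }
    if (pid == 0) { close(sv[0]); child_run(sv[1], type, data); }
    close(sv[1]);
    ok = read(sv[0], &r, sizeof r) == (ssize_t)sizeof r;
    if (ok) {
        r.data[sizeof r.data - 1] = '\0'; /* the monitor distrusts the child */
        reply = monitor_answer(&r);
        ok = write(sv[0], &reply, 1) == 1;
    }
    close(sv[0]);
    if (waitpid(pid, &status, 0) != pid || !ok || !WIFEXITED(status)) return FAILED;
    return WEXITSTATUS(status);
}
int main(void) { return privsep_request(REQ_AUTH, "s3cret-constructed") != GRANTED; }
```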
</BODY>
</HTML>