Mailing List Archive

[patch] Threading support in ssh-agent
Hi all!

I do not know openssh patch policy so I am just sending
the patch to the mailing list. Sorry for inconvenience.
Ssh-agent seems to be too slow if you need to access thousands of
servers. This is a simple patch to enable threading in ssh2 authentication.
Patch adds "-p numthreads" option and defaults to the number of processors.

I've tested it as I could, but unfortunately I could check it
only in Linux environment. Though it shouldn't break anything.

Bye. Alex.
Re: [patch] Threading support in ssh-agent [ In reply to ]
On 11/03/12 19:57, Alexander V Alekseev wrote:
> Hi all!
>
> I do not know openssh patch policy so I am just sending
> the patch to the mailing list. Sorry for inconvenience.
> Ssh-agent seems to be too slow if you need to access thousands of
> servers. This is a simple patch to enable threading in ssh2
> authentication.
> Patch adds "-p numthreads" option and defaults to the number of
> processors.
>
> I've tested it as I could, but unfortunately I could check it
> only in Linux environment. Though it shouldn't break anything.
>
> Bye. Alex.
You concurrently access thousands of servers? O_O What's your use case?
How does your threaded ssh-agent work with keys requiring confirmation?
Would the user be flooded with a SSH_ASKPASS instance per thread?

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: [patch] Threading support in ssh-agent [ In reply to ]
On Sun, 11 Mar 2012, Ángel González wrote:

> On 11/03/12 19:57, Alexander V Alekseev wrote:
>> Hi all!
>>
>> I do not know openssh patch policy so I am just sending
>> the patch to the mailing list. Sorry for inconvenience.
>> Ssh-agent seems to be too slow if you need to access thousands of
>> servers. This is a simple patch to enable threading in ssh2
>> authentication.
>> Patch adds "-p numthreads" option and defaults to the number of
>> processors.
>>
>> I've tested it as I could, but unfortunately I could check it
>> only in Linux environment. Though it shouldn't break anything.
>>
>> Bye. Alex.
> You concurrently access thousands of servers? O_O What's your use case?
Large server farm. Todays web services usually require some ;-)

> How does your threaded ssh-agent work with keys requiring confirmation?
> Would the user be flooded with a SSH_ASKPASS instance per thread?
We do not use it.
Re: [patch] Threading support in ssh-agent [ In reply to ]
2012/3/11 Ángel González <keisial@gmail.com>

> On 11/03/12 19:57, Alexander V Alekseev wrote:
> > Hi all!
> >
> > I do not know openssh patch policy so I am just sending
> > the patch to the mailing list. Sorry for inconvenience.
> > Ssh-agent seems to be too slow if you need to access thousands of
> > servers. This is a simple patch to enable threading in ssh2
> > authentication.
> > Patch adds "-p numthreads" option and defaults to the number of
> > processors.
> >
> > I've tested it as I could, but unfortunately I could check it
> > only in Linux environment. Though it shouldn't break anything.
> >
> > Bye. Alex.
>
> You concurrently access thousands of servers? O_O What's your use case?
> How does your threaded ssh-agent work with keys requiring confirmation?
> Would the user be flooded with a SSH_ASKPASS instance per thread?
>
>
I can think of several. Scripting of network wide surveys, rsnapshot over
large environments, and Nagios over ssh plugins leap to mind.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: [patch] Threading support in ssh-agent [ In reply to ]
----- Original Message -----

> From: Nico Kadel-Garcia <nkadel@gmail.com>
> To: Ángel González <keisial@gmail.com>
> Cc: Alexander V Alekseev <alex@alemate.ru>; openssh-unix-dev@mindrot.org
> Sent: Sunday, March 11, 2012 3:14 PM
> Subject: Re: [patch] Threading support in ssh-agent
>
> 2012/3/11 Ángel González <keisial@gmail.com>
>
>> On 11/03/12 19:57, Alexander V Alekseev wrote:
>> >        Hi all!
>> >
>> >    I do not know openssh patch policy so I am just sending
>> > the patch to the mailing list. Sorry for inconvenience.
>> >    Ssh-agent seems to be too slow if you need to access thousands of
>> > servers. This is a simple patch to enable threading in ssh2
>> > authentication.
>> > Patch adds "-p numthreads" option and defaults to the number
> of
>> > processors.
>> >
>> >    I've tested it as I could, but unfortunately I could check it
>> > only in Linux environment. Though it shouldn't break anything.
>> >
>> >        Bye. Alex.
>>
>> You concurrently access thousands of servers? O_O What's your use case?
>> How does your threaded ssh-agent work with keys requiring confirmation?
>> Would the user be flooded with a SSH_ASKPASS instance per thread?
>>
>>
> I can think of several. Scripting of network wide surveys, rsnapshot over
> large environments, and Nagios over  ssh plugins leap to mind.

I haven't looked over the patch, but I can confirm the real-world use-case for using ssh-agent for authentication on thousands of hosts concurrently.
I regularly ssh to several thousand hosts (several times a day on most days) for various reasons. Many uses are just to execute a single command on thousands of hosts in parallel and aggregate the output, other uses are as above. Up until now, I've just had my scripts automatically partition the work between multiple agents, usually with about 100-300 concurrent jobs per agent. Of course this means entering the password for the keys for multiple agents, which is an annoyance at after reboots.

I would wager this is a similar for others in the LSPE space.

So, while I can't speak to the patch, I can at least confirm the existance of the usecase.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: [patch] Threading support in ssh-agent [ In reply to ]
Hi all,

Is there any hope for threaded ssh-agent to be included in the
main trunk?


On Sun, 11 Mar 2012, Alexander V Alekseev wrote:

> Hi all!
>
> I do not know openssh patch policy so I am just sending
> the patch to the mailing list. Sorry for inconvenience.
> Ssh-agent seems to be too slow if you need to access thousands of
> servers. This is a simple patch to enable threading in ssh2 authentication.
> Patch adds "-p numthreads" option and defaults to the number of processors.
>
> I've tested it as I could, but unfortunately I could check it
> only in Linux environment. Though it shouldn't break anything.
>
> Bye. Alex.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: [patch] Threading support in ssh-agent [ In reply to ]
On Tue, 20 Mar 2012, alex@alemate.ru wrote:

> Hi all,
>
> Is there any hope for threaded ssh-agent to be included in the
> main trunk?

No, sorry - we have no desire to make any part of OpenSSH multithreaded,
especially something as sensitive as ssh-agent.

We might consider an alternate design that used fork() if it were simple
enough, but I'd encourage you to hold off as I plan on refactoring some
of the agent code in the next release.

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev