On my CentOS v5.2 server (dual Pentium4) the OpenSSH daemon stands out as being the most CPU-intensive of the applications running. It's used 176 minutes of CPU time in the last 2 days alone.

Is there any way to lower the CPU utilization without compromising security? (I.e. without using a less processor-intensive encrypt/decrypt algorithm?)

I'm getting the CPU use figures from top, so there's no fine-grained info on exactly what code is taking so much time. I'm assuming that the bulk of the time is spent in the OpenSSL libraries.

Is there some hardware add-on or processor-specific optimization that would reduce the CPU load incurred by OpenSSH?

Thanks.

On Thu, Dec 11, 2008 at 10:14 AM, Steve Snyder <swsnyder at snydernet.net> wrote:
> On my CentOS v5.2 server (dual Pentium4) the OpenSSH daemon stands out
> as being the most CPU-intensive of the applications running. It's used
> 176 minutes of CPU time in the last 2 days alone.

Can you tell us more about how your system is used, especially in regard to ssh? Are there many logins? Is X forwarding used?

Brett

Steve Snyder wrote:
> Is there any way to lower the CPU utilization without compromising
> security? (I.e. without using a less processor-intensive

There is always the HPN SSH patch set...

--
Karanbir Singh
CentOS Project { http://www.centos.org/ }
irc: z00dax, #centos at irc.freenode.net

Steve Snyder wrote:
> On my CentOS v5.2 server (dual Pentium4) the OpenSSH daemon stands out
> as being the most CPU-intensive of the applications running. It's used
> 176 minutes of CPU time in the last 2 days alone.

Do you have any rsync jobs running at night time doing backup via ssh?

Mogens

--
Mogens Kjaer, Carlsberg A/S, Computer Department
Gamle Carlsberg Vej 10, DK-2500 Valby, Denmark
Phone: +45 33 27 53 25, Mobile: +45 22 12 53 25
Email: mk at crc.dk Homepage: http://www.crc.dk

On Thursday 11 December 2008, Steve Snyder wrote:
> On my CentOS v5.2 server (dual Pentium4) the OpenSSH daemon stands out
> as being the most CPU-intensive of the applications running. It's used
> 176 minutes of CPU time in the last 2 days alone.

Putting 176 cpu-minutes in context, that's 3% of your available cpu-time. What exactly is the problem here?

/Peter

> Is there any way to lower the CPU utilization without compromising
> security? (I.e. without using a less processor-intensive
> encrypt/decrypt algorithm?)
...

When the date was Thursday 11 December 2008, Steve Snyder wrote:
> On my CentOS v5.2 server (dual Pentium4) the OpenSSH daemon stands out
> as being the most CPU-intensive of the applications running. It's used
> 176 minutes of CPU time in the last 2 days alone.
>
> Is there any way to lower the CPU utilization without compromising
> security? (I.e. without using a less processor-intensive
> encrypt/decrypt algorithm?)
>
> I'm getting the CPU use figures from top, so there's no fine-grained info
> on exactly what code is taking so much time. I'm assuming that the
> bulk of the time is spent in the OpenSSL libraries.
>
> Is there some hardware add-on or processor-specific optimization that
> would reduce the CPU load incurred by OpenSSH?

You can customize your sshd_config to avoid heavy-weight ciphers. The following is a reasonable order:

    aes128-ctr,aes128-cbc,blowfish-cbc,cast128-cbc,
    arcfour128,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc

Well, actually, just stay away from 3des.

Also, you should disable compression.

    man 5 sshd_config

--
Michael Iatrou (cwfo)

Steve Snyder wrote:
> On my CentOS v5.2 server (dual Pentium4) the OpenSSH daemon stands out
> as being the most CPU-intensive of the

Wow, you must be sending terabytes of stuff through ssh. :-)

Assuming the request is legit:

1. Disable compression if you don't need it.

2. Try another crypto protocol. Years ago, when this problem was real :-) (sorry, no offense), I used to force blowfish instead of whatever crypto was default back then, and it produced a significant decrease of CPU usage on those Pentium II processors.

    ssh -c blowfish-cbc hostname

I don't know which protocol is fastest nowadays, but I guess you can do a quick test and find out. There might be some security implications for using a different crypto protocol, but you need to figure that out yourself.

--
Florin Andrei
http://florin.myip.org/
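
The cipher and compression advice in the replies above, as an added example that is not part of any message in the thread: a shell audit of an sshd_config that reports which cipher a given client would negotiate and whether compression is on. It relies on RFC 4253 section 7.1 (the first cipher on the client's list that the server also offers is used, so the order of the server's list does not change the outcome). The function names, the sample config and the client lists are constructed for illustration, and Match blocks are ignored.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the two
# CPU-relevant settings discussed above, Ciphers and Compression.

# Print the first value of keyword $2 in file $1. sshd uses the first
# occurrence of a keyword and matches keywords case-insensitively.
sshd_value() {
    awk -v kw="$2" 'BEGIN { kw = tolower(kw) }
        /^[ \t]*#/ { next }
        tolower($1) == kw { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# RFC 4253 7.1: the cipher used is the first one on the CLIENT list
# ($1) that also appears on the server list ($2).
negotiate() {
    old_ifs=$IFS; IFS=,
    for c in $1; do
        for s in $2; do
            if [ "$c" = "$s" ]; then IFS=$old_ifs; echo "$c"; return 0; fi
        done
    done
    IFS=$old_ifs; return 1
}

# $1 = sshd_config path, $2 = client cipher preference list.
audit() {
    ciphers=$(sshd_value "$1" Ciphers)
    comp=$(sshd_value "$1" Compression)
    if [ -z "$ciphers" ]; then
        echo "cipher=unknown (no Ciphers line, build defaults apply)"
    else
        echo "cipher=$(negotiate "$2" "$ciphers" || echo none)"
        case ",$ciphers," in *,3des-cbc,*) echo "warn=3des-cbc offered" ;; esac
    fi
    case "$comp" in
        [Nn][Oo]) echo "compression=off" ;;
        "")       echo "compression=default" ;;
        *)        echo "compression=$comp" ;;
    esac
}

# Constructed sample config carrying the cipher list quoted in the thread.
SAMPLE=${TMPDIR:-/tmp}/sshd_config.sample.$$
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# constructed sample, not a real server's configuration
Ciphers aes128-ctr,aes128-cbc,blowfish-cbc,cast128-cbc,arcfour128,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc
compression no
EOF
audit "$SAMPLE" "blowfish-cbc,aes128-ctr"   # client prefers blowfish
```

OpenSSH 7.6 and later no longer ship the blowfish, CAST and arcfour ciphers named in the thread, so on a current host check what the build supports with `ssh -Q cipher` before comparing lists.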