openssh bugs - Dec 2024 - [Bug 3768] New: Whether to add a switch to control whether to enable the hostkeys rotation mechanism.

https://bugzilla.mindrot.org/show_bug.cgi?id=3768

            Bug ID: 3768
           Summary: Whether to add a switch to control whether to enable
                    the hostkeys rotation mechanism.
           Product: Portable OpenSSH
           Version: 9.9p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: bty at mail.ustc.edu.cn

If the public key configuration file is not specified, sshd polls all
public keys, which affects the SCP performance in scenarios where
multiple small files are transmitted. Whether to add a switch to
control whether to enable the public key rotation mechanism.

https://github.com/openssh/openssh-portable/blob/826483d51a9fee60703298bbf839d9ce37943474/sshd-session.c#L577

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3768

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
This is possible on the client using UpdateHostkeys=no

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3768

--- Comment #2 from bitianyuan <bty at mail.ustc.edu.cn> ---
After observation, we find that the performance deterioration is not
caused by the public key rotation mechanism itself. Instead, the
SSH2_MSG_CHANNEL_OPEN_CONFIRMATION message is sent again after the
public key is sent. However, the client does not need to send any
message (the SSH2_MSG_CHANNEL_Open and SSH2_MSG_GLOBAL_REQUEST messages
have been sent). Therefore, after the client receives the message, the
kernel waits for 40 ms to send an ACK message. As a result, the server
kernel needs to wait until the ACK with a delay of 40 ms is received
when sending SSH2_MSG_CHANNEL_OPEN_CONFIRMATION.

In fact, the client and server set the socket status to TCP_NODELAY
after the channel is established (received). Whether the TCP_NODELAY
setting operation can be advanced until the identity authentication is
complete.

We can also add a configuration option. When users are sensitive to
performance, TCP_NODELAY is set after the TCP connection between the
server and client is established.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3768

--- Comment #3 from bitianyuan <bty at mail.ustc.edu.cn> ---
I filed a pull request on github:
https://github.com/openssh/openssh-portable/pull/551

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3768

--- Comment #4 from bitianyuan <bty at mail.ustc.edu.cn> ---
I filed a pull request on github:
https://github.com/openssh/openssh-portable/pull/551

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.