Peter Lambrechtsen
2009-Feb-17 00:22 UTC
Support for merging LPK and hpn-ssh into mainline openssh?
Hello

Are there plans to merge the hpn-ssh (http://www.psc.edu/networking/projects/hpn-ssh/) and the LPK (http://code.google.com/p/openssh-lpk/) into the mainline openssh.

Adding lpk has been logged as a bug in bugzilla as

They are two patches that I always apply as the performance boost from hpn-ssh is substantial to say the least, and centralisation of the authorized_keys into a LDAP server is a very helpful way to manage the authorized keys across a myriad of servers.

Is there any chance these patches could get included into mainline openssh?

Thanks

Peter
Damien Miller
2009-Feb-17 02:18 UTC
Support for merging LPK and hpn-ssh into mainline openssh?
On Tue, 17 Feb 2009, Peter Lambrechtsen wrote:

> Hello
>
> Are there plans to merge the hpn-ssh
> (http://www.psc.edu/networking/projects/hpn-ssh/) and the LPK
> (http://code.google.com/p/openssh-lpk/) into the mainline openssh.
>
> Adding lpk has been logged as a bug in bugzilla as
>
> They are two patches that I always apply as the performance boost from
> hpn-ssh is substantial to say the least, and centralisation of the
> authorized_keys into a LDAP server is a very helpful way to manage the
> authorized keys across a myriad of servers.
>
> Is there any chance these patches could get included into mainline
> openssh?

We are slowly working on SSH performance on high B*D networks, and OpenSSH 5.1 should be comparable in performance to the HPN patches for most users - our internal limits should fill a 100Mbps path of 165ms. For reference, the circumference of the earth is 135 ms @ c. We don't yet have the smarts that the HPN patch has to adjust the ssh windows to follow TCP autotuning that are probably required to go further/faster.

I don't think there are any plans to merge the LPK patch. We really don't want a dependency on LDAP libraries in sshd. Maybe if it were abstracted into a helper app that sshd could consult to verify keys then it would be more palatable, but even this is doubtful unless it can be done in a way that avoids complexity - there is a lot that can go wrong.

-d