Amr Saad
2011-Feb-20 18:22 UTC
openssh as a proxy: ForceCommand limitations & speed penalty
I've hit two roadblocks while using openssh -D as a general proxy:

- openssh doesn't have an internal-null, so the options are to either give the user account a real shell and ForceCommand, or set the shell to something like /bin/cat and ChrootDirectory. I don't want proxy-only accounts to have a shell at all.

- Comparing mini-httpd SSL/aes256 vs mini-httpd (localhost/no SSL) via openssh -D/aes256 shows a c. 20% speed penalty on urandom blocks. Is this expected?
Damien Miller
2011-Feb-22 20:01 UTC
openssh as a proxy: ForceCommand limitations & speed penalty
On Sun, 20 Feb 2011, Amr Saad wrote:

> I've hit two roadblocks while using openssh -D as a general proxy:
>
> - openssh doesn't have an internal-null, so the options are to either
> give the user account a real shell and ForceCommand, or set the shell
> to something like /bin/cat and ChrootDirectory. I don't want
> proxy-only accounts to have a shell at all.

You shouldn't have to give proxy-only accounts a shell. Additionally you can ForceCommand /dev/null in case they request one. Normally a proxy user should be using "ssh -nN" anyway.

> - Comparing mini-httpd SSL/aes256 vs mini-httpd (localhost/no SSL) via
> openssh -D/aes256 shows a c. 20% speed penalty on urandom blocks. Is
> this expected?

I haven't looked, but I wouldn't be surprised. Have you tried a faster MAC, such as umac-64@openssh.com?

-d
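A server-side sshd_config fragment for a forwarding-only account along the lines Damien describes, as an added example that is not part of the thread; the account name `proxyonly`, the PermitOpen target and the client command at the end are assumptions, and `PermitTTY` only exists in OpenSSH 6.2 and later.

```sshd_config
# Proxy-only account: key auth, no PTY, no session payload, only TCP forwarding.
# The account's login shell can be /sbin/nologin; a "ssh -nN -D" client never
# opens a session channel, and direct-tcpip (-D/-L) channels do not need one.
Match User proxyonly
    PasswordAuthentication no
    PubkeyAuthentication yes
    AllowTcpForwarding yes
    # Tighten this to the hosts the proxy is meant to reach, e.g.
    #   PermitOpen intranet.example.com:443
    # "any" keeps -D behaviour as a general SOCKS proxy.
    PermitOpen any
    PermitTunnel no
    X11Forwarding no
    AllowAgentForwarding no
    PermitTTY no
    # If the client still asks for a shell or command, it gets this instead.
    # ForceCommand is executed through the account's login shell, so with a
    # nologin shell it never runs at all; /bin/false is a safe fallback either way.
    ForceCommand /bin/false

# Client side (assumed host name): no session, no stdin, SOCKS on 1080,
# and the faster MAC Damien mentions.
#   ssh -nN -D 1080 -m umac-64@openssh.com proxyonly@gateway.example.com
```

Check the effective options for the account with `sshd -T -C user=proxyonly` before relying on them; `-T` and `-C` are available in OpenSSH 5.9 and later.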