On my CentOS v5.2 server (dual Pentium4) the OpenSSH daemon stands out as being the most CPU-intensive of the applications running. It's used 176 minutes of CPU time in the last 2 days alone.
Is there any way to lower the CPU utilization without compromising security? (I.e. without using a less processor-intensive encrypt/decrypt algorithm?)
I'm getting the CPU use figures from top, so there's no fine-grained info on exactly what code is taking so much time. I'm assuming that the bulk of the time is spent in the OpenSSL libraries.
Is there some hardware add-on or processor-specific optimization that would reduce the CPU load incurred by OpenSSH?
Thanks.
On Thu, Dec 11, 2008 at 10:14 AM, Steve Snyder swsnyder@snydernet.net wrote:
On my CentOS v5.2 server (dual Pentium4) the OpenSSH daemon stands out as being the most CPU-intensive of the applications running. It's used 176 minutes of CPU time in the last 2 days alone.
Can you tell us more about how your system is used, especially in regard to ssh? Are there many logins? Is X forwarding used?
Brett
The traffic is a combination of tunneled VNC (to Win2K), tunneled Remote Desktop (to WinXP), and interactive command line (to Linux) sessions.
For the first two types (VNC & RD), the image data is compressed before entering the encrypted tunnel. For the last traffic type there are a lot of small packets, owing to the nature of keyboard activity.
Thanks.
On Thursday 11 December 2008 11:17:13 am Brett Serkez wrote:
On Thu, Dec 11, 2008 at 10:14 AM, Steve Snyder
swsnyder@snydernet.net wrote:
On my CentOS v5.2 server (dual Pentium4) the OpenSSH daemon stands out as being the most CPU-intensive of the applications running. It's used 176 minutes of CPU time in the last 2 days alone.
Can you tell us more about how your system is used, especially in regard to ssh? Are there many logins? Is X forwarding used?
Brett
on 12-11-2008 10:08 AM Steve Snyder spake the following:
The traffic is a combination of tunneled VNC (to Win2K), tunneled Remote Desktop (to WinXP), and interactive command line (to Linux) sessions.
For the first two types (VNC & RD), the image data is compressed before entering the encrypted tunnel. For the last traffic type there are a lot of small packets, owing to the nature of keyboard activity.
Thanks.
Do you have ssh also trying to compress the tunnel with the already compressed packets? That could add to the CPU time trying to compress twice.
Steve Snyder wrote:
Is there any way to lower the CPU utilization without compromising security? (I.e. without using a less processor-intensive
There is always the HPN SSH patch set...
Steve Snyder wrote:
On my CentOS v5.2 server (dual Pentium4) the OpenSSH daemon stands out as being the most CPU-intensive of the applications running. It's used 176 minutes of CPU time in the last 2 days alone.
Do you have any rsync jobs running at night time doing backup via ssh?
Mogens
On Thursday 11 December 2008, Steve Snyder wrote:
On my CentOS v5.2 server (dual Pentium4) the OpenSSH daemon stands out as being the most CPU-intensive of the applications running. It's used 176 minutes of CPU time in the last 2 days alone.
Putting 176 cpu-minutes in context, that's 3% of your available cpu-time. What exactly is the problem here?
/Peter
Is there any way to lower the CPU utilization without compromising security? (I.e. without using a less processor-intensive encrypt/decrypt algorithm?)
...
When the date was Thursday 11 December 2008, Steve Snyder wrote:
On my CentOS v5.2 server (dual Pentium4) the OpenSSH daemon stands out as being the most CPU-intensive of the applications running. It's used 176 minutes of CPU time in the last 2 days alone.
Is there any way to lower the CPU utilization without compromising security? (I.e. without using a less processor-intensive encrypt/decrypt algorithm?)
I'm getting the CPU use figures from top, so there's no fine-grained info on exactly what code is taking so much time. I'm assuming that the bulk of the time is spent in the OpenSSL libraries.
Is there some hardware add-on or processor-specific optimization that would reduce the CPU load incurred by OpenSSH?
You can customize your sshd_config to avoid heavy-weight ciphers. The following is a reasonable order:
aes128-ctr,aes128-cbc,blowfish-cbc,cast128-cbc,arcfour128,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc
Well, actually, just stay away from 3des. Also, you should disable compression.
man 5 sshd_config
Steve Snyder wrote:
On my CentOS v5.2 server (dual Pentium4) the OpenSSH daemon stands out as being the most CPU-intensive of the
Wow, you must be sending terabytes of stuff through ssh. :-)
Assuming the request is legit:
1. Disable compression if you don't need it.
2. Try another crypto protocol. Years ago, when this problem was real :-) (sorry, no offense), I used to force blowfish instead of whatever crypto was default back then, and it produced a significant decrease of CPU usage on those Pentium II processors.
ssh -c blowfish-cbc hostname
I don't know which protocol is fastest nowadays, but I guess you can do a quick test and find out.
There might be some security implications for using a different crypto protocol, but you need to figure that out yourself.
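Added example, not part of any post in the thread: a small audit of the two sshd_config settings the replies above recommend changing (Compression and Ciphers). It also flags ciphers from the suggested lists that OpenSSH 7.6 later removed. The function names and the sample config are constructed for illustration.

```python
import re

# Ciphers removed outright in OpenSSH 7.6 (arcfour, blowfish, CAST families).
REMOVED_IN_7_6 = {"arcfour", "arcfour128", "arcfour256", "blowfish-cbc", "cast128-cbc"}

# Constructed sample config (not taken from the poster's server).
SAMPLE = """\
Compression delayed
Ciphers aes128-ctr,aes128-cbc,blowfish-cbc,cast128-cbc, arcfour128,3des-cbc
Compression no
"""

def effective(config_text):
    """Global keyword -> value; sshd keeps the first value it sees per keyword."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if parts[0].lower() == "match":
            break  # conditional blocks follow; only global settings are audited
        seen.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")
    return seen

def audit(config_text):
    """Findings for the two settings the thread discusses: Compression and Ciphers."""
    cfg, findings = effective(config_text), []
    compression = cfg.get("compression")
    if compression is None:
        findings.append("compression: not set, daemon default applies")
    elif compression.lower() != "no":
        findings.append(f"compression: {compression} (thread advice: no)")
    ciphers = cfg.get("ciphers")
    if ciphers is None:
        return findings + ["ciphers: not set, daemon default list applies"]
    if re.search(r"\s", ciphers):
        findings.append("ciphers: whitespace in list, must be comma-separated")
    names = [c for c in re.split(r"[,\s]+", ciphers) if c]
    if "3des-cbc" in names:
        findings.append("ciphers: 3des-cbc offered (thread advice: avoid)")
    gone = [c for c in names if c in REMOVED_IN_7_6]
    if gone:
        findings.append("ciphers: removed in OpenSSH 7.6: " + ",".join(gone))
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

On OpenSSH releases that support it, `sshd -T` prints the effective configuration as keyword/value lines that can be passed to `audit()` unchanged.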