[distcc] FAQ entry for distcc + ssh
Tim Small
tim at digitalbrain.com
Mon Sep 30 13:27:01 GMT 2002
Hi,
I took a look at the FAQ, and noticed this bit:
> /It would be nice to run over ssh/
>
> Yes, it would. There is some framework code in place and it will be
> supported soon.
>
> For the time being, you can use port forwarding as a stop-gap, which
> will at least keep things encrypted on the network. There are at least
> two major problems with this, though: any local user on the client can
> run arbitrary commands on the server, and you must configure TCP
> access control on the server.
>
You can get around this (definitely with ssh2, and prob with ssh1 as
well, if you fudged the command bit to a sleep, or similar), by putting
something like this in the authorized_keys file for the ssh key in question:
command="/bin/true",permitopen="127.0.0.1:4200" ssh-rsa AAAAB3Nza.....
And then running "ssh -N -L 4201:127.0.0.1:4200" on the client box. No
commands can be executed, and only the named port can be connected to...
> Rough measurements by Aaron Lehmann and Martin Pool (1
> <http://lists.samba.org/pipermail/distcc/2002q3/000230.html>, 2
> <http://lists.samba.org/pipermail/distcc/2002q3/000231.html>) seem to
> show that SSH should be feasible, although of course not as efficient
> as plain TCP.
>
Indeed, we used it for quite a while as an inhouse system. It's worth
changing the default cipher - 3des is pretty greedy on CPU cycles...
Ciphers blowfish-cbc,aes128-cbc,3des-cbc,cast128-cbc,arcfour
It may well also be a win to turn on compression - probably worth
experimenting with...
> The initial implementation will probably simply just run ssh for every
> connection. Opening an ssh connection is pretty expensive, so this may
> not be very practical. A better implementation would be to hoard
> connections from each client to each server. This should not be too
> hard to implement by having a long-lived client process. A small
> amount of server support will be required too.
>
This could also be achieved simply using 'fsh' (I think I may have
suggested this already - apologies if I have). From the Apt description:
Description: Fast remote command execution over rsh/ssh/lsh
The problem: logging in to a remote system with a cryptographic
solution such as lsh or ssh takes time, due to the computationally
expensive key exchanges that occur when the connection is established.
It is common to trigger a lot of remote logins while using remote CVS,
which makes it painfully slow compared to having the repository
locally.
.
The solution: reuse the secure tunnel once it has been established.
fsh is a drop-in rsh-compatible replacement for ssh that automatically
reuses ssh tunnels.
Tim.
More information about the distcc
mailing list