From owner-freebsd-performance@FreeBSD.ORG Thu Aug 28 23:07:48 2003
Message-ID: <5152.62.142.81.6.1062136897.squirrel@redbull.tiscali.fi>
Date: Fri, 29 Aug 2003 09:01:37 +0300 (EEST)
In-Reply-To: <20030828064524.GH385@straylight.oblivion.bg>
Subject: SSH filter transfer, was Re: Soft Update - directory/file listing
X-BeenThere: freebsd-performance@freebsd.org

>A quick shot in the dark: is the file listing also slow *without*
>the uid/gid resolving?

No it's not, "ls" comes promptly... and it seems if you do a second
"ls -l" to the same directory it works normally. Also FTP seems to work
normally, file listing comes instantly. Accounts (5000) are stored in
local master.passwd.

But SSH file transfer is painfully slow all the time. Takes like 3-4
minutes to get a file listing of 200 files. During these 3-4 minutes the
SSH process maxes CPU load, top output:

96558 user 109 0 9808K 2624K *Giant 0 0:16 90.32% 51.76% sshd2

I've tried all imaginable SSH configs, but no luck. Below is my current
non-commercial SSH-3.2.5 (www.ssh.com) config. It only affects the file
transfer, shell side is normal. Is my system too slow from encryption
(SUN E250, 2x450MHz Ultrasparc II)? This bug is very annoying, all help
is appreciated.

Thanks again!

## SSH CONFIGURATION FILE FORMAT VERSION 1.1
## REGEX-SYNTAX egrep
## end of metaconfig
## (leave above lines intact!)
## sshd2_config
## SSH 3.2 Server Configuration File
##

## General

# HostKeyFile hostkey
# PublicHostKeyFile hostkey.pub
# RandomSeedFile random_seed
# BannerMessageFile /etc/ssh2/ssh_banner_message
# BannerMessageFile /etc/issue.net
#
# VerboseMode no
# QuietMode no
# SyslogFacility AUTH
# SyslogFacility LOCAL7
# SftpSyslogFacility LOCAL7

## Network

# Port is not commented out, as it is needed by the example startup
# scripts. Well, the default won't likely change.
Port 22
# ListenAddress any
ResolveClientHostName no
RequireReverseMapping no
# MaxBroadcastsPerSecond 0
# MaxBroadcastsPerSecond 1
NoDelay yes
# KeepAlive yes
# MaxConnections 50
# MaxConnections 0
# 0 == number of connections not limited

## Crypto

# Ciphers AnyCipher
# Ciphers AnyStdCipher
# Ciphers 3des
# Following includes "none" 'cipher':
# Ciphers AnyStd
#
# MACs AnyMAC
# MACs AnyStdMAC
# Following includes "none" 'mac':
# MACs AnyStd
#
# RekeyIntervalSeconds 3600

## User

# PrintMotd yes
# CheckMail yes
# StrictModes yes
# Specifies 1 hour (you can also use 'w' for week, 'd' for day, 'm' for
# minute, 's' for seconds)
# IdleTimeOut 1h
# without specifier, the default number is in seconds
IdleTimeOut 7200
#
# UserConfigDirectory "%D/.ssh2"
# UserConfigDirectory "/etc/ssh2/auth/%U"
# AuthorizationFile authorization
# This variable is set here, because by default it's empty, and so no
# variables can be set. Because of that, we set a few common ones here.
SettableEnvironmentVars LANG,LC_(ALL|COLLATE|CTYPE|MONETARY|NUMERIC|TIME),PATH,TERM,TZ

## Tunneling

AllowX11Forwarding no
AllowTcpForwarding no
# AllowTcpForwardingForUsers sjl, cowboyneal@slashdot\.org
# DenyTcpForwardingForUsers 2[[:digit:]]*4,peelo
# AllowTcpForwardingForGroups privileged_tcp_forwarders
# DenyTcpForwardingForGroups coming_from_outside
#
# Local port forwardings to host 10.1.0.25 ports 143 and 25 are
# allowed for all users in group users.
# Note that forwardings using the name of this host will be allowed (if
# it can be resolved from the DNS).
#
# ForwardACL allow local .*%users \i10\.1\.0\.25%(143|25)
#
# Local port forwardings requested exactly to host proxy.company.com
# port 8080 are allowed for users that have 's' as first character
# and belong to the group with group id 10:
#
# ForwardACL allow local s.*%10 proxy\.company\.com%8080
#
# Remote port forwarding is denied for all users to all hosts:
# ForwardACL deny remote .* .*

## Authentication
## publickey and password allowed by default

# AllowedAuthentications publickey,password
# AllowedAuthentications hostbased,publickey,password
# AllowedAuthentications hostbased,publickey,keyboard-interactive
# RequiredAuthentications publickey,password
# LoginGraceTime 600
# AuthInteractiveFailureTimeout 2
#
# HostbasedAuthForceClientHostnameDNSMatch no
# UserKnownHosts yes
#
# AuthPublicKey.MaxSize 0
# AuthPublicKey.MinSize 0
# AllowAgentForwarding yes
#
# AuthKbdInt.NumOptional 0
# AuthKbdInt.Optional pam,password
# AuthKbdInt.Required password
# AuthKbdInt.Retries 3
#
# PermitEmptyPasswords no
# PasswordGuesses 3

## Host restrictions

# AllowHosts localhost, foobar.com, friendly.org
#
## Next one matches with, for example, taulu.foobar.com, tuoli.com, but
## not tuoli1.com. Note that you have to input string "\." when you want it
## to match only a literal dot. You also have to escape "," when you
## want to use it in the pattern, because otherwise it is considered a list
## separator.
##
## AllowHosts t..l.\..*
##
## The following matches any numerical IP-address (yes, it is cumbersome)
##
## AllowHosts ([[:digit:]]{1\,3}\.){3}[[:digit:]]{1\,3}
##
## Same thing is achieved with using the special prefix "\i" in a
## pattern. This means that the pattern is only used to match
## IP-addresses.
##
## Using the above example:
##
## AllowHosts \i.*
##
## You can probably see the difference between the two.
##
## Also, you can use subnet masks, by using prefix "\m"
##
## AllowHosts \m127.0/8
## and
## AllowHosts \m127.0.0.0/24
##
## would match localhost ("127.0.0.1").
##
# DenyHosts evil\.org, aol\.com
# AllowSHosts trusted\.host\.org
# DenySHosts not\.quite\.trusted\.org
# IgnoreRhosts no
# IgnoreRootRHosts no
# (the above, if not set, is defaulted to the value of IgnoreRHosts)

## User restrictions

# AllowUsers sj.*,s[[:digit:]]*,s(jl|amza)
# DenyUsers skuuppa,warezdude,31373
# DenyUsers don@untrusted\.org
# AllowGroups staff,users
# DenyGroups guest,anonymous
# PermitRootLogin yes
# PermitRootLogin nopwd

## Chrooted environment

# ChRootUsers anonymous,ftp,guest
# ChRootGroups sftp,guest

## SSH1 compatibility

# Ssh1Compatibility no
# Sshd1Path
#
# This is given as argument to sshd1 with "-f" if sshd2 is invoked
# with "-f", otherwise the default configuration for sshd1 is used.
# Sshd1ConfigFile /etc/sshd_config_alternate

## subsystem definitions

# Subsystems don't have defaults, so this is needed here (uncommented).
# subsystem-sftp /usr/local/bin/sftp-server2
# Also internal sftp-server subsystem can be used.
subsystem-sftp internal://sftp-server

## Subconfiguration

# There are no default subconfiguration files. When specified the last
# obtained keyword value will prevail. Note that the host specific files
# are read before the user specific files.

# Following matches (from) any host
#
# HostSpecificConfig .* /etc/ssh2/subconfig/host_ext.example
#
# Following matches to subnet mask:
#
# HostSpecificConfig \m192.168.0.0/16 /etc/ssh2/subconfig/host_int.example
#
# Following matches to users from ssh.com that have two character long
# username or is sjl and belong to group wheel or wheel[0-9]
#
# UserSpecificConfig (..|sjl)%wheel[[:digit:]]?@ssh\.com /etc/ssh2/subconfig/user.example
#
# Following matches to the user anonymous from any host
#
# UserSpecificConfig anonymous@.* /etc/ssh2/subconfig/anonymous.example