
Re: ssh-vs-rsh benchmark result



On Fri, Aug 30, 2002 at 09:15:42AM -0700, A.J. Rossini wrote:
> 
> This depends on how exactly the ssh/rsh connection is being used.  If it
> is to be used as the pipeline for sending data, you are entirely
> correct.  This is not necessarily the case; PVM can be set to use its
> own communications setup, so that ssh is solely to initialize the
> remote node message passing servers.  
> 

   Just to make clear, unencrypted/scarcely-authenticated communication is
normal for PVM and other parallel libraries.  ssh is only a convenient
(.ssh/authorized_keys) way to start pvm.  In principle you could set up port
forwarding tunnels between all nodes on the cluster and redirect each pvmd
into each of these tunnels.  I've never seen it done, and don't take my word
for it that it's even possible, you'd probably need to set up a lot of
private addresses on each node since you can't control pvm's choice of port
numbers.

From the README.Debian for pvm:
...
   Note that using ssh will not gain you much security as the inter-pvm
communications occur over an insecure link, and may be used to start remote
processes.  If you're not doing parallel computation on a private network
(or at least behind a firewall) you are strongly urged to set up a "virtual
private network" using IPSEC, ssh/ppp tunnels, or another similar
technology.
...


   Some channels to consider:

parallel daemon setup	rsh/ssh

launching jobs		inter-pvmd, in clear

bulk communications	direct, process-process sockets (or inter-pvmd)

file sharing		optional, PVM will run without a network filesystem,
			but many parallel programs built on top of PVM
			assume shared data, and it is a convenient transport
			mechanism for your binaries.  Most (like NFS) are in
			the clear and not very secure against tampering
			or unauthorized access.


   The MPIs are similar, communicating between nodes in the clear.  Job
launching is implementation specific (each mpirun), and might be done over
ssh/rsh, which would be a win due to the stronger authentication done over
an ssh channel (compared to PVM just trusting a command packet received
over the established inter-pvmd network).

   In short, you should secure your entire network layer (physically, if
performance matters), and not rely on ssh to secure your parallel
communications.  If you're using NFS, you've already decided you trust your
local network, and might as well get the full performance out of your
network without any extra authentication or encryption overhead.

-- 
Dr. Drake Diedrich, Head - IT and Communications Unit
John Curtin School of Medical Research, GPO Box 334  Canberra ACT  2601
Voice: +61(2)6125-2528   FAX: +61(2)6247-4823
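
An added example, not part of the original message: a Python check that a node's cleartext PVM/NFS listeners are bound only inside the trusted cluster network, the condition the message and the README.Debian excerpt rely on. The process names in CLEARTEXT, the 10.0.0.0/24 cluster network and the `ss -H -lntup` sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Daemons treated as cleartext channels (assumed process names, adjust per site).
CLEARTEXT = {"pvmd3", "rpc.mountd", "rpcbind"}

# Constructed sample of `ss -H -lntup` output; not captured from a real node.
SAMPLE = """\
udp UNCONN 0 0 10.0.0.11:32770 0.0.0.0:* users:(("pvmd3",pid=2101,fd=6))
tcp LISTEN 0 5 0.0.0.0:32771 0.0.0.0:* users:(("pvmd3",pid=2101,fd=5))
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=801,fd=3))
tcp LISTEN 0 64 203.0.113.7:20048 0.0.0.0:* users:(("rpc.mountd",pid=950,fd=9))
udp UNCONN 0 0 10.0.0.11:111 0.0.0.0:* users:(("rpcbind",pid=700,fd=7))
"""

# netid, state, recv-q, send-q, local addr:port, peer, first owning process
LINE = re.compile(
    r'^(\w+)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"'
)

def audit(ss_output, cluster_net):
    """Return (process, proto, address, port, reason) for each cleartext
    listener that is reachable from outside the trusted cluster network."""
    net = ipaddress.ip_network(cluster_net)
    findings = []
    for line in ss_output.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        proto, addr, port, proc = m.groups()
        if proc not in CLEARTEXT:
            continue  # ssh and friends authenticate and encrypt themselves
        addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets / scope id
        if addr in ("*", "0.0.0.0", "::"):
            reason = "wildcard bind"  # listens on every interface of the node
        elif ipaddress.ip_address(addr) not in net:
            reason = "outside cluster network"
        else:
            continue  # bound to the private cluster interface only
        findings.append((proc, proto, addr, int(port), reason))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, "10.0.0.0/24"):
        print(*finding)
```

A wildcard bind is only a problem on a node that also has an interface outside the cluster network; on such a node the finding means a firewall rule is the only thing keeping that listener private.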