
Re: Proposal: remove krb5-appl (rlogin, rsh, telnet, ftp with krb5 support)



On Mon, Jan 27, 2014 at 1:05 AM, Philipp Kern <pkern@debian.org> wrote:
> On 2014-01-25 20:23, Joshuah Hurst wrote:
>>
>> One major advantage over ssh is that krb5-rsh has much lower latency
>> and overhead (in terms of used cpu time) when executing a plain
>> /bin/true on a remote host, doing that in a loop over 1000 logins can
>> take hours with ssh but takes minutes with krb-rsh. ssh is a *major*
>> pain in the arse if you have a distributed cluster which depends on
>> rsh/ssh - with ssh the cpu time overhead is so great that it often
>> doesn't even make sense to call the remote host to offload a job.
>> krb-rsh is much more lightweight, e.g. consumes much less cpu time.
>
>
> Given that it is mostly about the handshake, could you try if the
> ControlMaster feature helps here? At least locally for a user and a given
> target host (your /bin/true loop example) it should help. For different
> users or target hosts you will of course still pay the penalty once for
> each.

The problem is the general synchronous design of ssh. You can't fix it
without redesigning the protocol itself.

Hint: Before further claiming the obsolescence of krb-rsh/rlogin vs ssh
please try ssh on an ARM box (e.g. gumstix) vs krb-rsh. ssh takes
almost 2.6 seconds to complete (even with tuning and using arcfour),
krb-rsh executes the same in less than 0.07 seconds.

Of course there is another issue: What is still left as a "use case" of
Kerberos5 if krb-rsh and krb-rlogin are no longer available? A typical
university setup is krb-NFSv3/krb-NFSv4 plus krb-rlogin internally and
ssh only for external access. What do you wish to sell them as a
krb-rsh/rlogin replacement? ssh? Seriously?

Simon

