Contributed by grey on from the taking advantage of newer features dept.
For about a month, the in-tree ssh client has supported session multiplexing, but I didn't get around to trying it until a few days ago. The result? Mind-bogglingly fast logons (since the connection is shared and already authenticated, _lots_ of things can be skipped). This makes remote CVS operations seem as fast as local ones.
Session multiplexing works a bit differently than I expected. I had expected ssh to fall back to TCP if the multiplexing socket didn't exist, which it doesn't seem to do (I haven't found the way to do it yet), and this at first seemed to make it much less useful -- especially because you cannot start two clients trying to be ControlMaster (so putting `ControlMaster yes' in ~/.ssh/config doesn't work).
However, after playing around with it, I came across the idea of putting something like this in ~/.xsession:
ssh -fMN host
The `host' entry in ~/.ssh/config was expanded with `ControlPath ~/.ssh/control.host'. I had preferred to put something like `ControlPath ~/.ssh/control.%H' in the `Host *' entry but this isn't possible in the current code and it would probably be annoying without fallback to TCP anyway.
Someone might argue that starting `ssh -fMN host' from ~/.xsession is a bad idea, security-wise. However, this is just about as insecure as using ssh-agent without specifying `-c' when ssh-add'ing keys, and one can always make a `host-control' entry in ~/.ssh/config which has `ControlMaster ask' instead (this uses $SSH_ASKPASS to get permission to allow the new session) and then leave out `-M' in the background ssh session.
This is my experience and setup. Now, my questions are:
1) Are my security considerations correct?
2) Has anyone found another (better?) setup?
3) Has anyone found other uses than simply faster logons?
By djm@ (203.217.30.81) on
I'm glad that this is getting some attention - it could use some real testing between now and the next release.
As for your questions:
1. With regards to security, the code enforces that only the user who initiated the connection or root can open a new multiplexed session over said connection. I'd recommend ControlMaster=ask for most uses though - OTOH the non-confirmed mode would be useful for things like distcc that need to open many little connections.
2. My setup has a bunch of aliases in ~/.ssh/config. E.g.
I can then initiate one connection using "ssh somehost-m" and fire off multiplexed connections using "ssh somehost-s" at will.
Perhaps we could implement fallback-to-new-connection and %h hostname expansion in ControlPath, but the priority right now is ensuring that what we already have works right :)
3. Other uses: what finally got me to write this was a request from a distcc developer who wanted a way to speed up multiple short requests. Anything that has a similar usage pattern could benefit from this. 3D render farms are an example that immediately comes to mind.
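The master/client alias pattern djm describes, combined with the `ControlMaster ask' variant from the original post, written out as an added ~/.ssh/config example. This is not djm's missing example and not code from the OpenSSH project; the host name `somehost.example.org', the alias names and the socket path are placeholders of mine.

```sshconfig
# Master entry: started once in the background (e.g. from ~/.xsession
# with "ssh -fN somehost-m"). It authenticates and creates the control
# socket. "ask" means every later client that wants to join this
# connection is confirmed through $SSH_ASKPASS; "yes" would admit them
# silently, which is only reasonable for batch users like distcc.
Host somehost-m
    HostName somehost.example.org
    ControlMaster ask
    ControlPath ~/.ssh/control.somehost

# Client entry: joins the socket above, so "ssh somehost-s", "scp"
# or CVS over somehost-s skip the TCP handshake, key exchange and
# authentication. ControlPath must be identical to the master's.
# In the version discussed here there is no fallback to a fresh TCP
# connection, so this alias fails if the master is not running.
Host somehost-s
    HostName somehost.example.org
    ControlMaster no
    ControlPath ~/.ssh/control.somehost
```

Keep the socket inside ~/.ssh (normally mode 0700) rather than in /tmp: the socket is the authenticated connection, and although, as djm says, only the initiating user or root can attach to it, a private directory avoids leaking its existence and name to other local users. Later OpenSSH releases added %h, %p and %r tokens to ControlPath, which makes a single `Host *' entry possible, but that does not apply to the code this thread discusses.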
Comments
By djm@ (203.217.30.81) on
This is what the example was supposed to look like (it looks like undeadly has a bug that corrupts <pre> tags on preview)
By Michael Knudsen (82.150.71.100) e@mongers.org on
The reason I'd like tcp-fallback or having ssh ignore existing ControlMaster sockets is so I don't need to worry about establishing the master session first. I'm lazy so I prefer things to work transparently. :)
I've used the current implementation for nearly a week now, and I've encountered two issues:
I hadn't thought of using it with distcc but I can imagine that one will see quite a speedup here.
One thing I think should be added is the possibility to cancel or shut down sessions from the ~C escape key menu. Something like `ssh> kill n' where n is the session number would be really nice -- especially since the escape key doesn't work in non-master sessions.
Oh, another feature request: I'd like to have `configuration forwarding' (possibly including ~/.ssh/known_hosts) so I can do stuff such as `scp host1:file host2:' without having to define host2 in host1:.ssh/config but I'm not sure how easy this would be to implement.
By Anthony (68.145.111.152) on
By cyc (62.206.217.131) on
By Michael (163.252.218.56) on
In what kind of situation would this be used? I think I'm having trouble understanding exactly what is meant by 'multiplexing sessions'.
Brief explanation, anyone?
--Michael
By Anonymous Coward (64.91.149.209) on
By Anonymous Coward (66.93.216.162) on
By Anonymous Coward (209.162.235.146) on
By Anonymous Coward (64.91.149.209) on
By Anonymous Coward (64.91.149.209) on
By Ron Chen (171.71.139.102) rchen8868@yahoo.com on