Posted to dev@mina.apache.org by Shawn Pearce <so...@google.com> on 2009/02/05 22:56:23 UTC

SSHD-13: Avoid SecureRandom.generateSeed on every SSH connection

I've gotten complaints from Gerrit users that the SSH port is horribly
slow.  An operation that normally takes 30 seconds through OpenSSH could
take 30 minutes on Gerrit, which uses MINA SSHD for its SSH port.

More specifically, this operation is opening and closing over 120 unique SSH
connections in rapid succession.  One of the large bottlenecks in SSHD was
the use of SecureRandom.generateSeed() on every request.  I suspect the Sun
JRE is reading /dev/random on each call, and the kernel just doesn't have
enough entropy on hand so it blocks and waits for more.

https://issues.apache.org/jira/browse/SSHD-13 has a patch which obtains a
new seed every 100 requests, and in between uses a PRNG instead.  It cuts
quite a bit off the wall-clock time.


With this patch in place, SSHD is now about 2x slower than OpenSSH.  The
remaining bottleneck appears to be Sun's BigInteger.modPow() function, used
by BouncyCastle during the DH key exchange.  That single method is 60% of
the running time for a setup-exec-close done over 600 times as quickly as
possible.
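
The reseeding scheme described above, written out as an added example (not the SSHD-13 patch itself and not Gerrit's or MINA SSHD's code): generateSeed() is paid once every RESEED_INTERVAL requests and the requests in between are served from a PRNG that was seeded by the last such call. The interval of 100, the 20-byte seed size, the use of SHA1PRNG as the fast path and the 600-request workload in main() are assumptions chosen to match the numbers in the post.

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

// Added example, not the SSHD-13 patch itself: a PRNG wrapper that pays the
// cost of SecureRandom.generateSeed() (which can block on /dev/random) only
// once every RESEED_INTERVAL requests and serves the requests in between
// from a PRNG that was seeded by the most recent such call.
public final class ReseedingRandom {
    // Assumption: 100 matches the "new seed every 100 requests" in the post.
    private static final int RESEED_INTERVAL = 100;
    private static final int SEED_BYTES = 20;               // 160-bit seed for SHA1PRNG

    private final SecureRandom seeder = new SecureRandom(); // only used for generateSeed()
    private final SecureRandom prng;                         // fast path between reseeds
    private int requestsSinceSeed;
    private long seedCalls;                                  // for measurement only

    public ReseedingRandom() throws NoSuchAlgorithmException {
        // Sun's SHA1PRNG, when seeded explicitly before its first nextBytes(),
        // takes its whole initial state from the supplied seed, so the state
        // really does come from generateSeed() and not from self-seeding.
        prng = SecureRandom.getInstance("SHA1PRNG");
        reseed();
    }

    private void reseed() {
        byte[] seed = seeder.generateSeed(SEED_BYTES);       // may block; done rarely
        prng.setSeed(seed);                                  // mixes into existing state
        seedCalls++;
        requestsSinceSeed = 0;
    }

    // One "request" in the sense of the post: fill len bytes of out, starting at start.
    // Synchronized because a server would share one instance across session threads.
    public synchronized void fill(byte[] out, int start, int len) {
        if (requestsSinceSeed >= RESEED_INTERVAL) {
            reseed();
        }
        requestsSinceSeed++;
        byte[] tmp = new byte[len];
        prng.nextBytes(tmp);
        System.arraycopy(tmp, 0, out, start, len);
    }

    public synchronized long seedCalls() {
        return seedCalls;
    }

    public static void main(String[] args) throws Exception {
        // Constructed workload: the 600 connection setups mentioned in the post,
        // each modelled as one 16-byte request (the size of the KEXINIT cookie).
        ReseedingRandom r = new ReseedingRandom();
        byte[] buf = new byte[16];
        long t0 = System.nanoTime();
        for (int i = 0; i < 600; i++) {
            r.fill(buf, 0, buf.length);
        }
        long ms = (System.nanoTime() - t0) / 1000000L;
        System.out.println("requests=600 generateSeed calls=" + r.seedCalls()
                + " elapsed=" + ms + "ms");
    }
}
```

The interval is the knob: a larger value means fewer blocking reads of /dev/random, a smaller one means kernel entropy is mixed in more often. Each reseed still blocks for as long as the kernel pool is starved, so on a server that never has entropy to spare the other common fix is to point the JRE at the non-blocking device with -Djava.security.egd=file:/dev/./urandom (the extra "./" is needed because the Sun JRE special-cases the literal string file:/dev/urandom).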

Re: SSHD-13: Avoid SecureRandom.generateSeed on every SSH connection

Posted by Guillaume Nodet <gn...@apache.org>.
Actually, I don't think we need more than one PRNG for the whole server.
I will add a wrapper around the random factories to use a single
instance of the PRNG instead of creating a new one each time, as it
seems quite expensive.

Wrt performance, I guess one way to improve it would be to make
sure you use the fastest algorithms.
For example, try using DHG1 instead of DHG14 (it uses smaller keys,
hence faster big integer computations afaik); Blowfish seems the
fastest Cipher (not sure about the MAC).
If you configure the SSHD server to only use those algorithms, you may
be able to improve performance.

On Thu, Feb 5, 2009 at 22:56, Shawn Pearce <so...@google.com> wrote:
> I've gotten complaints from Gerrit users that the SSH port is horribly
> slow.  An operation that normally takes 30 seconds through OpenSSH could
> take 30 minutes on Gerrit, which uses MINA SSHD for its SSH port.
>
> More specifically, this operation is opening and closing over 120 unique SSH
> connections in rapid succession.  One of the large bottlenecks in SSHD was
> the use of SecureRandom.generateSeed() on every request.  I suspect the Sun
> JRE is reading /dev/random on each call, and the kernel just doesn't have
> enough entropy on hand so it blocks and waits for more.
>
> https://issues.apache.org/jira/browse/SSHD-13 has a patch which obtains a
> new seed every 100 requests, and in between uses a PRNG instead.  It cuts
> quite a bit off the wall-clock time.
>
>
> With this patch in place, SSHD is now about 2x slower than OpenSSH.  The
> remaining bottleneck appears to be Sun's BigInteger.modPow() function, used
> by BouncyCastle during the DH key exchange.  That single method is 60% of
> the running time for a setup-exec-close done over 600 times as quickly as
> possible.
>



-- 
Cheers,
Guillaume Nodet
------------------------
Blog: http://gnodet.blogspot.com/
------------------------
Open Source SOA
http://fusesource.com
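
The two suggestions in the reply (one PRNG for the whole server instead of one per session, and a server restricted to the cheapest KEX and cipher) as an added example. This is not the project's own code and not the wrapper Guillaume says he will add; the class names SshServer, NamedFactory, Random, KeyExchange, Cipher, DHG1, BlowfishCBC and SimpleGeneratorHostKeyProvider, the setRandomFactory/setKeyExchangeFactories/setCipherFactories setters and the single fill(byte[], int, int) method on Random are assumed from the SSHD 0.x API of the period, and the port and host-key file name are placeholders.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.List;

import org.apache.sshd.SshServer;
import org.apache.sshd.common.Cipher;
import org.apache.sshd.common.KeyExchange;
import org.apache.sshd.common.NamedFactory;
import org.apache.sshd.common.Random;
import org.apache.sshd.common.cipher.BlowfishCBC;
import org.apache.sshd.server.kex.DHG1;
import org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider;

// Added example: one server-wide PRNG instance plus a restricted algorithm
// list, as suggested in the reply. Package and class names are assumed from
// the SSHD 0.x API of the period; this is not the project's own code.
public class FastSshdConfig {

    // Hands every session the same Random instead of creating one per session.
    static final class SharedRandomFactory implements NamedFactory<Random> {
        private final Random shared;
        SharedRandomFactory(Random shared) { this.shared = shared; }
        public String getName() { return "shared"; }
        public Random create() { return shared; }
    }

    // Adapts java.security.SecureRandom to SSHD's Random interface. fill() is
    // synchronized because the single instance is now used by every session thread.
    static final class JceRandom implements Random {
        private final SecureRandom rnd = new SecureRandom();
        public synchronized void fill(byte[] bytes, int start, int len) {
            byte[] tmp = new byte[len];
            rnd.nextBytes(tmp);
            System.arraycopy(tmp, 0, bytes, start, len);
        }
    }

    public static void main(String[] args) throws Exception {
        SshServer sshd = SshServer.setUpDefaultServer();
        sshd.setPort(2222);                                             // placeholder
        sshd.setKeyPairProvider(new SimpleGeneratorHostKeyProvider("hostkey.ser")); // placeholder path

        sshd.setRandomFactory(new SharedRandomFactory(new JceRandom()));

        // Offer only the cheapest KEX and cipher. A client that does not
        // propose diffie-hellman-group1-sha1 and blowfish-cbc will fail
        // algorithm negotiation rather than fall back to something slower.
        List<NamedFactory<KeyExchange>> kex =
                Arrays.<NamedFactory<KeyExchange>>asList(new DHG1.Factory());
        List<NamedFactory<Cipher>> ciphers =
                Arrays.<NamedFactory<Cipher>>asList(new BlowfishCBC.Factory());
        sshd.setKeyExchangeFactories(kex);
        sshd.setCipherFactories(ciphers);

        sshd.start();
        System.out.println("SSHD listening on port " + sshd.getPort());
    }
}
```

The speed-up from DHG1 comes from modPow() over the 1024-bit Oakley group 2 instead of the 2048-bit group 14, so it is bought by lowering the strength of every key exchange the server performs, not just the ones that were slow; restricting the cipher list has the same all-or-nothing effect on clients. Sharing one Random instance, by contrast, costs nothing cryptographically as long as fill() is thread-safe, which is why the adapter above synchronizes it.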