Mailing List Archive

SOCKS support
Just a warning and a call to action:

Theo de Raadt has convinced me to remove SOCKS support from our port
of OpenSSH.

His argument is that it can be easily and generically implemented as
a ProxyCommand. This fits with my desire to keep our divergences from
the OpenBSD codebase to a minimum.

This looks like a few hours' work (for someone more familiar with the SOCKS
API than I). It is basically a program which connects to a commandline
specified host and passes data to/from the remote host to/from stdio.
"man ssh" for the details on ProxyCommands.

I am therefore asking for a volunteer to implement this so I can
include it in the next release of OpenSSH.

Any takers?

Regards,
Damien Miller

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm@mindrot.org (home) -or- djm@ibs.com.au (work)
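
The ProxyCommand program described above, written out as an added example. It is not part of this thread and is neither OpenSSH nor Dante code; the script path, the proxy host socks.example.net and port 1080 in the comment are assumptions, and it only offers the "no authentication" SOCKS5 method (RFC 1928 method 0). ssh runs it with the destination host and port as arguments, and the script does the SOCKS5 CONNECT handshake with the proxy, then copies bytes between its stdin/stdout and the proxied socket until one side closes:

```python
#!/usr/bin/env python3
# Added example, not OpenSSH or Dante code: a SOCKS5 CONNECT relay usable as an
# ssh ProxyCommand. The script path, proxy host and port are assumptions:
#   ProxyCommand /usr/local/bin/socks-proxycmd socks.example.net 1080 %h %p
import os, select, socket, struct, sys

SOCKS_VERSION, NO_AUTH, CMD_CONNECT = 0x05, 0x00, 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {0x01: "general SOCKS server failure", 0x02: "connection not allowed by ruleset",
              0x03: "network unreachable", 0x04: "host unreachable", 0x05: "connection refused",
              0x06: "TTL expired", 0x07: "command not supported", 0x08: "address type not supported"}

class SocksError(Exception):
    pass

def build_greeting():
    return bytes([SOCKS_VERSION, 1, NO_AUTH])  # VER, NMETHODS, METHODS=[no auth]

def build_connect_request(host, port):
    """IP literals go as ATYP 1/4; names as ATYP 3 so the proxy resolves them."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    head, tail = bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]), struct.pack("!H", port)
    for family, atyp in ((socket.AF_INET, ATYP_IPV4), (socket.AF_INET6, ATYP_IPV6)):
        try:
            return head + bytes([atyp]) + socket.inet_pton(family, host) + tail
        except OSError:
            pass  # not a literal of this family
    name = host.encode("idna")
    if not 1 <= len(name) <= 255:
        raise ValueError("hostname must be 1..255 bytes")
    return head + bytes([ATYP_DOMAIN, len(name)]) + name + tail

def parse_connect_reply(data):
    """Complete CONNECT reply -> (bound_addr, bound_port); a non-zero REP raises."""
    if len(data) < 5 or data[0] != SOCKS_VERSION:
        raise SocksError("bad CONNECT reply header %r" % data[:4])
    rep, atyp = data[1], data[3]
    if rep != 0x00:
        raise SocksError("CONNECT failed: " + REPLY_TEXT.get(rep, "REP 0x%02x" % rep))
    addr_len = {ATYP_IPV4: 4, ATYP_IPV6: 16, ATYP_DOMAIN: 1 + data[4]}.get(atyp)
    if addr_len is None or len(data) != 4 + addr_len + 2:
        raise SocksError("ATYP 0x%02x does not match reply length %d" % (atyp, len(data)))
    raw = data[4:-2]
    if atyp == ATYP_DOMAIN:
        addr = raw[1:].decode("idna")
    else:
        addr = socket.inet_ntop(socket.AF_INET if atyp == ATYP_IPV4 else socket.AF_INET6, raw)
    return addr, struct.unpack("!H", data[-2:])[0]

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise SocksError("proxy closed the connection during the handshake")
        buf += chunk
    return buf

def socks_connect(proxy_host, proxy_port, dst_host, dst_port):
    """Negotiate no-auth and CONNECT through the proxy; returns (sock, (addr, port)).
    The reply is read sized by its ATYP: reading 'whatever is there' could swallow
    the start of the SSH banner that follows a successful CONNECT."""
    sock = socket.create_connection((proxy_host, proxy_port))
    sock.sendall(build_greeting())
    ver, method = recv_exact(sock, 2)
    if ver != SOCKS_VERSION or method != NO_AUTH:
        raise SocksError("proxy rejected no-auth (VER %d, METHOD 0x%02x)" % (ver, method))
    sock.sendall(build_connect_request(dst_host, dst_port))
    head = recv_exact(sock, 4)
    if head[1] != 0x00:  # error reply: raise with the REP meaning, proxy may close now
        parse_connect_reply(head + bytes(6))
    if head[3] == ATYP_DOMAIN:
        tail = recv_exact(sock, 1)
        tail += recv_exact(sock, tail[0] + 2)
    else:
        tail = recv_exact(sock, {ATYP_IPV4: 4, ATYP_IPV6: 16}.get(head[3], 0) + 2)
    return sock, parse_connect_reply(head + tail)

def relay(sock):
    """stdin -> proxy, proxy -> stdout: the whole job of a ProxyCommand."""
    fd_in, fd_out = sys.stdin.fileno(), sys.stdout.fileno()
    sources = [fd_in, sock]
    while sources:
        readable = select.select(sources, [], [])[0]
        if fd_in in readable:
            data = os.read(fd_in, 65536)
            if data:
                sock.sendall(data)
            else:  # ssh closed its end: half-close toward the proxy, keep reading
                sources.remove(fd_in)
                sock.shutdown(socket.SHUT_WR)
        if sock in readable:
            data = sock.recv(65536)
            if not data:
                return
            while data:
                data = data[os.write(fd_out, data):]

if __name__ == "__main__":  # argv: proxy_host proxy_port dest_host dest_port
    try:
        conn, _bound = socks_connect(sys.argv[1], int(sys.argv[2]), sys.argv[3], int(sys.argv[4]))
    except (IndexError, ValueError, OSError, SocksError) as e:
        sys.exit("socks-proxycmd: %s" % e)  # ssh prints this and gives up
    with conn:
        relay(conn)
```

With the assumed path, the ssh_config line is `ProxyCommand /usr/local/bin/socks-proxycmd socks.example.net 1080 %h %p`; ssh substitutes the target host and port for %h and %p. Hostnames are passed to the proxy as ATYP 3 rather than resolved locally, so the proxy does the DNS lookup, and a failed CONNECT is reported to ssh with the RFC 1928 reply text before the process exits.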

Re: SOCKS support
On Thu, Feb 03, 2000 at 08:39:25PM +1100, Damien Miller wrote:

> Just a warning and a call to action:

> Theo de Raadt has convinced me to remove SOCKS support from our port
> of OpenSSH.

I strongly disagree with this position WRT SOCKS and Dante support.
There are some distinct advantages gained for keeping socks support
in the code base.

> His argument is that it can be easily and generically implemented as
> a ProxyCommand. This fits with my desire to keep our divergences from
> the OpenBSD codebase to a minimum.

Dante allows sockification of incoming connections from the SOCKS
server to the sshd. There's no easy way to accomplish this using a
ProxyCommand-like program.

> This looks like a few hours' work (for someone more familiar with the SOCKS
> API than I). It is basically a program which connects to a commandline
> specified host and passes data to/from the remote host to/from stdio.
> "man ssh" for the details on ProxyCommands.

This program is actually trivial to write. Take any port redirector
and hack on it. My problem is that you've changed
* one extra library call per socket action
to
* put data in pipe/socket queue
* force schedule switch to "pipe" program
* pull data across system/user barrier (pipe read)
* push data back across system/user barrier (write to socket)

Reads also add the same overhead.

Basically, you've traded one extra library call for a program that has
to sit there and jump into the kernel an extra two times per read/write.
On these modern machines, that's a trivial add, but on the older junk
I can afford (and I know others love), it adds up.

Considering that Socks and Dante are both a less than 40-line diff
to one file, I don't think it'd be a big maintenance impact. IMHO,
keeping the library support compiled in is a LOT more elegant than
a bolt-on program.

Thanks,
David

--
David W. Rankin, Jr. Husband, Father, and UNIX Sysadmin.
Email: drankin@bohemians.lexington.ky.us Address/Phone Number: Ask me.
"It's too bad she won't live! But then again, who does?" -- Gaff, BR

Re: Socks support
On Wed, May 10, 2000 at 09:49:56PM +0200, Markus Friedl wrote:
> On Wed, May 10, 2000 at 10:29:15PM +0300, Madsen Wikholm wrote:
> > So my problem is that the Dante support code was removed and supposed to be
> > replaced with a ProxyCommand. My question is now: "Where's the beef?".

> someone has to write a suitable dante/socks-proxy
> that can be used via ProxyCommand.

> do you want to give it a try?

M'lord, for the record, the defense wishes to renew its objections on this
issue.

(Sorry, been reading too much Rumpole of the Bailey of late.)

While I am just as much a fan of "doing things the right way", for Socks
client code, I still don't believe that this is the right way. To avoid
10-15 #defines and one extra -l statement for ld, ProxyCommand introduces an
extra process (and associated scheduling latency and swapping for low-memory
systems), and a minimum of two extra kernel boundary crossings per SSH packet
(and associated kernel I/O overhead). Yes, for "modern" high-memory
systems with cycles to spare this isn't that big of a deal, but for the
systems that are already overloaded (through age, lack of memory, or
through heavy utilization), this kind of extra overhead can be at the
very least non-trivial, and at its worst make openssh seriously impact
the system.

That said, I don't have copies of my original patches to add Dante
support to OpenSSH close at hand, but they are trivial to reimplement.
If someone should feel the urge to do so but would like to see them, I'll
try to find the last set of patches I had on the matter.

Thanks,
David

--
David W. Rankin, Jr. Husband, Father, and UNIX Sysadmin.
Email: drankin@bohemians.lexington.ky.us Address/Phone Number: Ask me.

Re: Socks support
On Wed, 10 May 2000, David Rankin wrote:

> M'lord, for the record, the defense wishes to renew its objections
> on this issue.
>
> (Sorry, been reading too much Rumpole of the Bailey of late.)

Where's Leo McKern(sp?) when you need him :)

> That said, I don't have copies of my original patches to add
> Dante support to OpenSSH close at hand, but they are trivial to
> reimplement. If someone should feel the urge to do so but would
> like to see them, I'll try to find the last set of patches I had on
> the matter.

Can't you just run "socksify ssh" or whatever?

If someone wants to make a patch it can live in contrib/

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm@mindrot.org (home) -or- djm@ibs.com.au (work)

Re: Socks support
On Wed, May 10, 2000 at 09:49:56PM +0200, Markus Friedl wrote:
> On Wed, May 10, 2000 at 10:29:15PM +0300, Madsen Wikholm wrote:
> > So my problem is that the Dante support code was removed and supposed to be
> > replaced with a ProxyCommand. My question is now: "Where's the beef?".
>
> someone has to write a suitable dante/socks-proxy
> that can be used via ProxyCommand.
>
> do you want to give it a try?
>

an example for a ProxyCommand proxy:

ftp://ftp.nlc.net.au/pub/unix/tn-gw-nav/tn-gw-nav-1.4.tgz

Re: Socks support
On 10 May, Markus Friedl wrote:
> On Wed, May 10, 2000 at 10:29:15PM +0300, Madsen Wikholm wrote:
>> So my problem is that the Dante support code was removed and supposed to be
>> replaced with a ProxyCommand. My question is now: "Where's the beef?".
>
> someone has to write a suitable dante/socks-proxy
> that can be used via ProxyCommand.

I just export LDFLAGS="-ldsocks"; ./configure; make
Just by linking it to the Dante Socks libraries, socks support is in.
Is there a problem with doing it that way? Risks?

> do you want to give it a try?

--
Kind regards,
Berend

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Berend De Schouwer, +27-11-712-1435, UCS