> On 28.05.2015 at 12:55, dea <d...@corep.it> wrote:
>
>> I don't think it is wise to play with security-related software in
>> the stack. If OpenBSD and Debian (or for that matter all the other
>> distros) haven't applied those patches, I'm sure there is some
>> reason, although maybe it being only "uncertainty".
>
> Yes, is true.
>
> But I think that from an unencrypted connection (from cluster nodes) and a maybe
> insecure ssh patched connection there is a lot of difference.
>
> We can use a patched ssh connection on special port only to connect nodes
> (live migration, etc), then use a standard Debian ssh daemon on standard port
> to admin the cluster.

It is also possible to speed up transfers over ssh by selecting a cipher.
Basically, you can choose to use a less secure cipher in favor of better speed.

Using Debian Wheezy here (or rather Proxmox VE 3.4):
Over a gigabit connection, scp gives me around 65 MB/s.
If I specify, for instance, the RC4 cipher like this

    scp -c arcfour source destination

I get around 105 MB/s.

Same options are possible for ssh, e.g. when using rsync et al.

However, apart from this being *nice*, I really doubt any such tweaks should be made.
All manner of things can change and be a real PITA. E.g. available ciphers in upstream
packages can change, a new version of SSH that those patches do not work with yet, etc.

In short: This is best left to upstream *unless* we are prepared to permanently support
our own SSH package.

Best,
Martin Waschbüsch
_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
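
The message above warns that a cipher pinned for speed can disappear when upstream changes its cipher list. As an added example (not part of the original message or of Proxmox), this script reports `Ciphers` entries in an ssh_config-style file that are RC4 or are missing from the supported list; the function names `pinned_ciphers` and `audit_ciphers`, the sample config and the supported list are all constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find ciphers pinned in an
# ssh_config/sshd_config-style file that are RC4 or no longer offered.

# pinned_ciphers FILE: print every cipher named on a "Ciphers" line.
# Assumption: plain comma lists; "+", "-" and "^" modifier lists are skipped.
pinned_ciphers() {
    sed -e 's/#.*//' -e 's/=/ /' "$1" |
    awk 'tolower($1) == "ciphers" && $2 !~ /^[-+^]/ {
             n = split($2, c, ",")
             for (i = 1; i <= n; i++) if (c[i] != "") print c[i]
         }'
}

# audit_ciphers FILE [SUPPORTED]: SUPPORTED is a whitespace-separated list;
# when omitted, the installed client is asked via `ssh -Q cipher`.
# Prints WEAK/MISSING findings and returns 1 if there are any.
audit_ciphers() {
    avail=${2:-$(ssh -Q cipher)}
    rc=0
    for c in $(pinned_ciphers "$1"); do
        case "$c" in
            arcfour*) echo "WEAK $c"; rc=1 ;;
        esac
        if ! printf '%s\n' $avail | grep -qxF -- "$c"; then
            echo "MISSING $c"; rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: a node-to-node host block pinning RC4 for speed.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Host node*
    Port 2222
    Ciphers arcfour,aes128-ctr
Host admin
    Ciphers=aes256-ctr,blowfish-cbc
EOF
# Constructed "supported" list standing in for a newer OpenSSH build.
audit_ciphers "$sample" "aes128-ctr aes256-ctr chacha20-poly1305@openssh.com" || true
rm -f "$sample"
```

Run without the second argument on a real host to compare the file against what the installed client actually offers.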