managing user accounts without NIS

Robert G. Brown rgb at phy.duke.edu
Wed May 24 07:08:55 PDT 2000


On Tue, 23 May 2000, Neil McFadyen wrote:

(five or six levels of inclusion deleted:-)

> What about using the new Intel 100+ S NIC which uses IPSec?

Don't know.  It's new.  There's also ssl to consider and probably more
stuff in the works.

I don't think that ssh will necessarily be the one and only >>secure<<
networking approach of the future.  I just think that even if ssh had no
(or is set up to use no) security features whatsoever I'd still prefer
ssh over rsh because of its manifold structural and environmental
advantages.  I struggled with rsh (and xrsh!) too long in the old days
-- getting it to pass any fraction of the environment and/or manage the
display and X authentication sanely is difficult and utterly
unrewarding, especially when all the work has to be done robustly and
work for users who may be unix tyros.

[...and I haven't even started to
rail on about .rhosts -- the very first crack I encountered as a systems
administrator back in oh, 1986 or so, was enabled by .rhosts from our
computer science department (where an enterprising graduate student
exploited a long-gone suid root bug in emacs to obtain root and su'd to
MY very own account to come in -- much to his discomfiture as I noticed
almost immediately that I was logged in from CS when I wasn't logged in
from CS and had his hide nailed to a barn door before the day was
out:-(.]

To be fair and not rely on hearsay, I wrote a short /bin/sh script to
compare execution times for rsh vs ssh and hereby publish the results.

Without bothering to correct for loop execution times (100 passes in a
/bin/sh script) which will typically occur in such a script anyway it
takes around 11-12 seconds to execute "rsh lucifer date > /dev/null" 100
times on a switched 100BT network.  It takes roughly 28-29 seconds to do
the same thing with "ssh lucifer date > /dev/null", but the difference
is between .1 seconds and .24 seconds (or a marginal cost of roughly .14
seconds).

To test the time required to copy a file I created files 1K and 1M in
length and used rcp and scp to copy them 100x (touching them in between
to foil the caches).  Again without correcting for loop overhead, it
took 13 seconds (.13 seconds each) to rcp a 1K file, which increased to
23 seconds (.23 seconds each) for a 1M file.  It took 30 seconds (.3
seconds each) for the 1K file and 75 seconds for the 1M file with scp.
The marginal cost was thus .17 seconds for 1K and .45 seconds for 1M
(IDEA encryption imposing an obvious cost).

I didn't test with -c none, but it looks pretty clear that the major
marginal cost for a secured transaction is the 0.14-0.15 additional
seconds required to authenticate the connection (which slightly more
than doubles the overall time) plus the time required to encrypt any
dataflow, which is (very) roughly .3 seconds/MB in bulk.

SO, to conclude, Don is quite right.  ssh is considerably more expensive
than rsh in that it more than doubles the cost of small transactions or
file copies.  On the other hand, dwight is also quite right in that .15
additional seconds per transaction (relative to a minimum of .1 seconds
per transaction) is negligible for most folks -- if it takes a minute
to update /etc/passwd and /etc/group on 100 nodes instead of 23 seconds,
(costing an additional .4 or so seconds PER HOST of the host's time) I
personally wouldn't care much, as it is coming out of 86,400 seconds/day
and is thus on the order of thousandths of a percent.  Similarly, ssh used
inside PVM is likely negligible UNLESS your pvm job is rsh'ing a LOT of
processes during a day, so that the tenths of seconds mount up.

Hopefully this will give folks the information they need to choose a
remote shell on a quantitative basis instead of on unsupported arguments
(like my own, before:-).  ssh is actually more expensive than I expected
it to be, as there is a lot of computation (and net bandwidth) in .15
seconds (some of which could be opening and parsing /etc/environment,
which I use in my LAN).  I still think that it is worth it -- I'll spend
.15 seconds/transaction and burn tens of seconds per day for the peace
of mind and other advantages provided by ssh -- but others might not
choose to.

   rgb

Robert G. Brown	                       http://www.phy.duke.edu/~rgb/
Duke University Dept. of Physics, Box 90305
Durham, N.C. 27708-0305
Phone: 1-919-660-2567  Fax: 919-660-2525     email:rgb at phy.duke.edu
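The timing loops described in the post (100 passes of "rsh/ssh host date",
then 100 rcp/scp copies of a 1K and a 1M file with a touch in between) can
be reproduced with the script below. This is an added example, not the
author's script: the host name comes from a HOST variable, the iteration
count from ITER, each remote command is started via "sh -c", and the
empty-loop overhead that the post did not correct for is measured with
the null command ":" and subtracted before the per-call figures are
printed. The marginal cost is reported in milliseconds per transaction,
which is the number the post's conclusions rest on.

```shell
#!/bin/sh
# Added example (not the author's script): reproduce the rsh-vs-ssh and
# rcp-vs-scp timing loops from the post. HOST, ITER and the use of
# "sh -c" per invocation are this example's assumptions.
# Usage: HOST=lucifer ITER=100 sh bench.sh

ITER="${ITER:-100}"

# now_ms: wall clock in milliseconds (GNU date %N); falls back to whole
# seconds on a date(1) that does not support nanoseconds.
now_ms() {
    ns=$(date +%s%N 2>/dev/null)
    case "$ns" in
        *N*|"") echo $(( $(date +%s) * 1000 )) ;;
        *)      echo $(( ns / 1000000 )) ;;
    esac
}

# time_loop CMD: run the shell command string CMD $ITER times, discarding
# its output; print the total wall-clock time in milliseconds.
time_loop() {
    _start=$(now_ms)
    _i=0
    while [ "$_i" -lt "$ITER" ]; do
        sh -c "$1" > /dev/null 2>&1
        _i=$(( _i + 1 ))
    done
    _end=$(now_ms)
    echo $(( _end - _start ))
}

# copy_loop CMD SRC DST: copy SRC to DST $ITER times with CMD (rcp, scp,
# or cp for a local dry run), touching SRC between copies as the post
# did to defeat caching; print the total in milliseconds.
copy_loop() {
    _start=$(now_ms)
    _i=0
    while [ "$_i" -lt "$ITER" ]; do
        touch "$2"
        "$1" "$2" "$3" > /dev/null 2>&1
        _i=$(( _i + 1 ))
    done
    _end=$(now_ms)
    echo $(( _end - _start ))
}

# per_call TOTAL_MS: average milliseconds per transaction (integer).
per_call() { echo $(( $1 / ITER )); }

# marginal_ms BASE_TOTAL SECURE_TOTAL: extra milliseconds per transaction
# that the secured variant costs over the plaintext one.
marginal_ms() { echo $(( ($2 - $1) / ITER )); }

# make_file PATH BYTES: create a zero-filled test file of BYTES bytes.
make_file() { dd if=/dev/zero of="$1" bs="$2" count=1 2>/dev/null; }

# report HOST: run the full comparison against HOST and print a summary,
# with the empty-loop overhead subtracted from the per-call figures.
report() {
    host=$1
    overhead=$(time_loop :)
    rsh_t=$(time_loop "rsh $host date")
    ssh_t=$(time_loop "ssh $host date")
    echo "loop overhead:  $(per_call "$overhead") ms/call"
    echo "rsh date:       $(per_call $(( rsh_t - overhead ))) ms/call"
    echo "ssh date:       $(per_call $(( ssh_t - overhead ))) ms/call"
    echo "marginal (ssh): $(marginal_ms "$rsh_t" "$ssh_t") ms/call"
    for bytes in 1024 1048576; do
        make_file "/tmp/bench.$bytes" "$bytes"
        rcp_t=$(copy_loop rcp "/tmp/bench.$bytes" "$host:/tmp/bench.$bytes")
        scp_t=$(copy_loop scp "/tmp/bench.$bytes" "$host:/tmp/bench.$bytes")
        echo "$bytes bytes: rcp $(per_call "$rcp_t") ms, scp $(per_call "$scp_t") ms," \
             "marginal $(marginal_ms "$rcp_t" "$scp_t") ms"
    done
}

# Only talk to a real host when one is named.
if [ -n "${HOST:-}" ]; then
    report "$HOST"
fi
```

Run it as "HOST=somenode sh bench.sh" on a machine that has both rsh and
ssh access to that node; with ITER=100 the totals are directly comparable
to the seconds quoted in the post (multiply ms/call by 100 for the loop
total). Because the overhead loop spawns the same "sh -c" per iteration,
what remains after subtraction is the connection cost itself.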