Where I work (a LARGE networking company that makes all kinds of networking hardware) a co-worker and I created multiple parallel SSH tools which enable you to run hundreds to thousands of concurrent outgoing sessions, depending on hardware. We have not yet had the cycles to look into open sourcing it, but hope to.
I can share the basics of it here though, which should enable somebody else to easily build their own. On a day to day basis we needed to be able to run commands on 10,000+ Solaris and Linux boxes, and wanted to use SSH key authentication, but not keys with a null passphrase (as if the private key was stolen, major security implications present themselves :-) ). The only way to do this (other than having some type of expect type program typing in the passphrase for you) is to use the ssh-agent. The problem with the ssh-agent is that it simply does not have the ability to authenticate more than say 20+ ssh sessions at once (depending on machine load, etc). What happens when too many ssh sessions attempt to authenticate against the ssh-agent is that you get many authentication failures due to timeouts. There are some hacks you can do to the ssh source code that will increase the number of times ssh will attempt to contact the agent, as well as the delay between attempts. We've done these hacks, but they still were nowhere near enough.
The solution instead is to use MULTIPLE ssh-agents, and load balance between them. We wrote a tool that will prompt for our key passphrase and then load say 100 ssh-agents with that key loaded. When it starts the agents it records the variables SSH_AUTH_SOCK and SSH_AGENT_PID for each agent in a single file. We then have shell scripts wrapped around ssh commands that just randomly pick an agent to connect to, effectively load balancing.
We run this whole thing on an OpenMosix cluster, which allows the ssh-agents and ssh processes to migrate across the machines once they start to use too much CPU time on their current node. We've found that Linux boxes seem to be much faster for SSH operations than Solaris (sparc) boxes, BTW.
We have also written a parallel ssh tool that works similarly to others discussed here (and others NOT discussed here, like Ed Hill's clsh which in a previous life I used extensively), except our tool has a couple of other major features which (IMHO) are required in an enterprise environment. The biggest thing that we've found is that when working on boxes in the far reaches of the world, we cannot assume that any common group of NFS mounts will exist, or work properly when we need them to. If you cannot be sure what remote mounts are available, how can you run scripts on the remote box? This prompted us to make our program have the ability to both run perl code directly fed to it, as well as (basically) remotely deliver scripts for running and delete them afterwards. So if we've written an administrative script called foo.sh, our tool will basically pipe the script across an SSH session to the remote end and run it, usually never having to touch the remote disk at all. This is VERY useful because when talking about 10k+ boxes, many of which are desktops, you can never be sure which partitions will be full.
Using our parallel ssh tool, along with the ssh-agent load balancing and a 3 node OpenMosix cluster we've been able to run 1000 outgoing ssh sessions without issues. This means if you want to change root passwords on 10k boxes it only takes slightly longer than changing passwords on 10 boxes. A real time saver, to say the least :-)
Comments anyone?
BTW, is anybody using any hacks of OpenSSH to work similarly to sudo for giving out root access?
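The agent pool and the disk-free script delivery described in the post above, as an added example in POSIX sh; this is not the poster's tool. The pool file path, the function names and the ssh options are choices made for this example, and ssh-agent, ssh-add and ssh are assumed to be on PATH.

```shell
#!/bin/sh
# ssh-agent pool: N agents holding the same key, one picked at random per ssh.
# Added example, not the poster's tool; POOL path and names are assumptions.
# Pool file format, one agent per line:  <SSH_AUTH_SOCK> <SSH_AGENT_PID>
POOL="${SSH_AGENT_POOL:-$HOME/.ssh/agent-pool}"

# pool_start N KEYFILE: start N agents, load KEYFILE into each, record them.
# ssh-add asks for the passphrase on the tty for every agent; to be asked once,
# point SSH_ASKPASS at a helper that prints it (SSH_ASKPASS_REQUIRE=force on
# OpenSSH 8.4+) rather than falling back to a passphrase-less key.
pool_start() {
    n=$1; key=$2
    umask 077                                   # pool file stays private to this user
    : > "$POOL"
    i=0
    while [ "$i" -lt "$n" ]; do
        eval "$(ssh-agent -s)" >/dev/null       # sets SSH_AUTH_SOCK and SSH_AGENT_PID
        if ! ssh-add "$key"; then               # wrong passphrase: stop, keep what works
            ssh-agent -k >/dev/null; return 1
        fi
        printf '%s %s\n' "$SSH_AUTH_SOCK" "$SSH_AGENT_PID" >> "$POOL"
        i=$((i + 1))
    done
}

# pool_pick: export SSH_AUTH_SOCK/SSH_AGENT_PID of a uniformly random recorded agent.
pool_pick() {
    n=$(grep -c . "$POOL" 2>/dev/null) && [ "$n" -gt 0 ] || return 1
    r=$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')   # 0..65535; POSIX sh has no $RANDOM
    line=$(sed -n "$((r % n + 1))p" "$POOL")
    SSH_AUTH_SOCK=${line%% *}
    SSH_AGENT_PID=${line##* }
    export SSH_AUTH_SOCK SSH_AGENT_PID
}

# pool_prune: drop agents whose process is gone, so no wrapper picks a dead socket.
# kill -0 only answers for our own processes, which is what the pool holds.
pool_prune() {
    tmp="$POOL.tmp.$$"
    : > "$tmp"
    while read -r sock pid; do
        kill -0 "$pid" 2>/dev/null && printf '%s %s\n' "$sock" "$pid" >> "$tmp"
    done < "$POOL"
    mv "$tmp" "$POOL"
}

# pool_kill: stop every agent in the pool and remove the file.
pool_kill() {
    while read -r sock pid; do kill "$pid" 2>/dev/null || true; done < "$POOL"
    rm -f "$POOL"
}

# pssh CMD HOST...: one ssh per host, in parallel, each through a random agent.
# BatchMode keeps a host that lacks our key from hanging on a password prompt.
pssh() {
    cmd=$1; shift
    for h in "$@"; do
        ( pool_pick && ssh -o BatchMode=yes -o ConnectTimeout=10 "$h" "$cmd" ) &
    done
    wait
}

# pssh_script FILE HOST...: feed a local script over the session into a remote
# "sh -s", so it runs without ever being written to the remote disk.
pssh_script() {
    script=$1; shift
    for h in "$@"; do
        ( pool_pick && ssh -o BatchMode=yes -o ConnectTimeout=10 "$h" sh -s < "$script" ) &
    done
    wait
}
```

`pool_start 100 ~/.ssh/id_ed25519` builds the pool, `pssh 'uptime' host1 host2 ...` fans a command out, and `pssh_script foo.sh host1 ...` delivers a script the way the post describes (for perl, replace `sh -s` with `perl -`). Each ssh runs in its own subshell, so the exported agent variables never leak between sessions. Taking two random bytes modulo n is very slightly biased when n does not divide 65536, which is irrelevant at pool sizes of a few hundred; run `pool_prune` from cron so a crashed agent is not selected.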
As for the CPU? The last time we had an application where the bottleneck was a Sun CPU was well... right now, actually - try anything with encryption and tell me a quad box with the fastest hyper-threading Xeons is slower than any quad-processor Sun. And at a quarter the price... see it ALL the time. With chip simulation software. When you have simulations that can run for DAYS before finding a bug, fixing the bug, and restarting the simulation, CPU speed REALLY matters... of course, sometimes these simulations require a 64 bit address space..
Yes, this was VERY annoying, and I ended up pulling out the damn "firewall" my kids' school was using and replacing it with something a little more ssh friendly. I couldn't find anything about this problem anywhere except on some (non-linksys) mailing lists either.
After listing the contents once the directory should be buffered making subsequent listings faster.
What are you talking about? This makes a remote filesystem appear local, and all local commands work accordingly (i.e. edit a file, play an mp3, etc). With sftp you'd have to sftp a file down to do an operation on it, and then sftp it back up again afterwards, etc.
I've used lufs with the sshfs and it works great, I've even done compiles on a remote filesystem this way-- you simply cannot do that using just sftp/scp.
Speaking of altq-- I'm having issues where if I set port 22 traffic to go into a SSH queue, interactive ssh traffic is fine, but scp and rsync over ssh hang after a few K of traffic. Anybody seen this before?
Hehe, I used to basically LIVE in the market, at least at night :-)
Ah, those were the days, living at 170 Lees.... what an experience!
Hey San, long time no see! (last time I saw ya was when? In SF that time??)
Do you have an encoding program that will actually break up the encoding to work on multiple CPUs? If not, you'll gain nothing.
Mosix works like a big SMP box, no special code is required, so you just fork and forget.
I too use Vonage, and have been a little too lazy to set up a proper QoS solution, but would be very interested in a brief summary of what you did.
Being the hack that I am, I whipped up a bash script using ngrep that sniffs the phone calls, pulls out caller ID and outgoing call numbers for syslogging, and can run commands when incoming or outgoing calls occur. I wrote this because I have long running rsync processes that I wanted killed and restarted when a call occurs.
My script:
watchp
A major stumbling block for Ogg is that until fairly recently it was necessary to use a floating point processor to play the format. In the arena of portable devices, only PDAs have floating point capability, which is why you can play Ogg files on your Zaurus and not on your iPod. AAC is already supported by many devices, so Apple has a larger potential market (although at present only iPods can play the files).
Actually the Zaurus DOESN'T have any floating point either, the ogg player is all integer. Details can be found in this ZDNet story.
Uhh, why bother chewing up more bandwidth trying to sniff a home connection when you can get it more easily at the ISP source?? Sniffing a ton of data on a home link is FAR from non-detectable!!
As Prong once said, "I beg to differ".
Since I run my own mail server making a new alias is as simple as editing /etc/aliases and running newaliases, so I often create new aliases for anything I sign up for. I recently posted to slashdot with an account like slashdot_2342s or similar, and within a couple of days got spam directed to this email address. It would appear obvious that there ARE /.-harvesting spammers out there.
Anybody have some insight into this new kind of spam?
Well, if the image was on a remote server, then if your mail client loaded remote images when you read the email (many do) then you've just verified that your email address is valid. This is known as a Web bug. Web bugs are great for tracking when people read your emails, as even if they disable return replies, most still allow image loading.
Disable remote image loading in emails!
I actually signed up for Vonage earlier today. The neighbourhood where I live (Avery Ranch) has fiber to all the homes. A provider called ClearWorks gave us Digital TV (which sucks more or less), as well as internet access (say 300K downstream, 100-200K upstream), and phone service. Apparently Clearworks is having some financial difficulties, and looks like they are dropping the phone service. We got a letter the other day saying we had to find a new provider, so I decided to investigate Vonage.
I actually already have a Cisco IP phone at home that I used for work (telecommuter), so I know that VoIP works great. My Cisco ATA box hasn't arrived yet (this is the box you plug your standard POTS line into, and plug that into your home network), but even still we're using our new Vonage service right now by forwarding our (new) home number to the long distance number (in Canada) we want to call. I just hung up a few minutes ago and found the service to be pretty good, although I could notice a slight echo, which could be related to the phone that I was calling from. Basically $40/month for unlimited local AND long distance in US/Canada, as well as a ton of other cool features, like accessing your voice mail over the web, email notifications w/caller id on new messages, etc. We should save about $100/month in phone bills, so if I have to, I'll put up with a little echo :-)
How about Gnomemeeting?
Seems to work well, assuming you have your sound card set up to do full
duplex audio correctly.
Should be able to talk to this device no sweat as well.
"If I have multiple telephones, can a proxy combine two or more 56K connections to get a larger pipe?"
Yes, and it works very well. When I lived in the sticks, and could no longer get ISDN, I got 2 (and 3 at one point) lines and bonded them together using Linux's multi-link PPP driver (which was WAY beta at that point, and not a standard part of the kernel).
Using 2 modems I was able to get BETTER than ISDN speeds due to the superior compression available in the modems. Sometimes on highly compressible text I could get around 25-30k/sec downloads! Made a big difference for web pages, etc.
Don't think using 2 modems will do ANYTHING for you for games though-- ISDN would still be better in this respect.
Actually, What to Expect When You're Expecting is often NOT recommended by doctors and midwives alike, because it often "scares" women due to the way some things are presented and some of the information given. The rest of the "What to Expect" books are ok though.
This must be a troll. An episiotomy is almost ALWAYS totally unnecessary, and is often done because doctors want you to get the kid out quickly-- maybe they have a golf game to catch.
Episiotomies get easily infected, take a long time to heal, are very painful, and should be avoided at all costs.
Tell me, since the dawn of humankind, what percentage of people had episiotomies?
Get a midwife if you can, or at least a doula, as it will make your birth experience MUCH more relaxed, and much less likely to require medical intervention.
VCD is MPEG-1, not MPEG-2!
I've just started saving the stream now (via xmms).
I assume SOMEBODY will have the complete sessions available somewhere? Anybody??
It CAN support ACLs, with one of several patches: grsecurity
which includes PaX.
Check it out!
Those days were filled with many new "revolutionary" designs like the HP150, DEC Rainbow and others which were destined to fail in a world going DOS.
Actually the Rainbow COULD run DOS. I had one with DOS 2.10 on it. It also ran CP/M of course.
I got my Rainbow from a prof at college who was going to throw it out. This was around 1990 or so. I wanted it because it functioned as a dumb terminal (I had a modem plugged into it), and it had the same DEC VT100 type keyboard that I used at school for doing C programming on the VAX. It was great having cut and paste buttons that worked!
The coolest thing though, was that it came with a working 300 baud acoustic coupler modem. I've still got the modem-- great conversation piece, but the machine was long ago junked.
At my (large) company we are using Veritas NetBackup, which works well.
At home until recently I had been using one of those rsync/hard link backup systems with good results (links to that quoted here elsewhere).
I'd been looking for a somewhat simple solution that I could run on a low end linux box at my kids' school to backup 1 linux box and 1 NT server. After a bunch of searching I finally settled on flexbackup because it is fairly simple, and can use tar in incremental mode, emulating dump's levels. Since I'm just using tar and bzip2, restores can be done just on a Windows box. I have it back up the NT box by using smbfs to mount it, and then have the backups stored compressed on another hard disk. After the backups are complete, the system uses GnuPG (http://www.gnupg.org) to encrypt a copy of the files, and puts them in a "pickup" directory. After that, the system sends a signal to a couple of home boxes via http/syslog, upon which the home boxes use rsync to copy those files down over people's cable modems.
While this solution is obviously only useful for small amounts of data (the downloading to home part), it does allow for secure offsite backups, and even the home backup machines cannot decrypt the data because they don't have the required private key.
The home backup box doesn't have any access to the school server other than the ability to do rsyncs, as I'm using an ssh/rsync "forced-command" setup, so even if the home boxes are rooted they cannot get back into the school.
I've started using flexbackup on my home network as well, and it works great, although I wish it had the ability to push the tar files across an SSH connection (it CAN run dump/etc over SSH, but I just want tar backups of files dumped over the ssh connection).
I hadn't seen BackupPC yet though, and it looks pretty good, and looks like it could easily work in a small replicated environment.
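The forced-command restriction the post above relies on, as an added example that is not the poster's configuration: an authorized_keys entry on the school box that pins the home box's key to a wrapper, and the wrapper's check that SSH_ORIGINAL_COMMAND is an rsync server-side send of the pickup directory and nothing else. The pickup path /srv/pickup/, the wrapper path /usr/local/bin/rsync-only and the key comment are assumptions made for this example.

```shell
#!/bin/sh
# rsync-only: forced-command wrapper for a pull-only backup account.
# Added example, not the poster's setup; paths below are assumptions.
#
# authorized_keys entry on the school box (one line):
#   command="/usr/local/bin/rsync-only",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-user-rc ssh-ed25519 AAAA... home-backup
#
# sshd ignores whatever the client asked to run and starts this wrapper instead,
# leaving the client's request in SSH_ORIGINAL_COMMAND. A rooted home box can
# therefore only ever get "rsync --server --sender ... . /srv/pickup/" executed.
PICKUP=/srv/pickup/     # the only directory the home boxes may read (assumed)

# allowed_rsync CMD: succeeds only for  rsync --server --sender <short-opts> . $PICKUP
allowed_rsync() {
    set -- $1                       # rsync's wire command carries no quoted arguments
    [ "$1" = rsync ] && [ "$2" = --server ] && [ "$3" = --sender ] || return 1
    shift 3
    while [ $# -gt 2 ]; do
        case $1 in
            -*[!a-zA-Z.]*) return 1 ;;   # anything beyond a letter bundle (-vlogDtpre.iLsfxC):
                                         # --rsync-path, --log-file, -M--x, paths... refused
            -?*) ;;
            *) return 1 ;;
        esac
        shift
    done
    [ "$1" = . ] && [ "$2" = "$PICKUP" ]   # exact path: no ../, no other tree
}

# run_forced: called by sshd; anything but the sanctioned rsync is logged and refused.
run_forced() {
    cmd=${SSH_ORIGINAL_COMMAND:-}
    if allowed_rsync "$cmd"; then
        exec $cmd                   # split on purpose: every word was checked above
    fi
    logger -p auth.warning -t rsync-only "refused from ${SSH_CLIENT%% *}: $cmd"
    return 1
}

# Only act when installed and executed as the wrapper itself.
case $0 in */rsync-only|rsync-only) run_forced ;; esac
```

"--sender" is the important word: without it the server side of rsync receives files, and a rooted home box could write into the school tree. The whitelist is deliberately narrow; if the home side needs `--files-from` or similar long options, extend the case pattern for exactly those rather than dropping the check. Refusals go to syslog so a compromised puller shows up in the school's logs.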
..BTW, with my "fiber" connection I get (only) 250-300K/sec downloads, although I get ~120-150K/sec uploads. When I had Road Runner I had much faster downloads, but uploads were only around 40-45K/second. For most people that's not an issue, but I work from home and use an IP phone, which can easily use >29K/s upstream.
I too live in Austin, and have a connection via Eagle. I have a fixed IP from them (as they NAT upstream so without it I couldn't run any services at all). The people I spoke with specifically spoke about some people requiring a static IP to use VPN to work, and they didn't have any problems with it AFAIK.
And what's up with the news service?? They require authentication now?? What password??