lsh-bugs

lsh-bugs@lists.lysator.liu.se

491 discussions

Re: TCP_NODELAY
by nisse＠lysator.liu.se 11 Aug '03

11 Aug '03

Ok, this is a little embarassing... As some of you probably have noticed, I managed to get vacation set up wrong, and I've had some mail bounces. And the funny part is that mailman decided I shouldn't get any more lsh-bugs mail. Anyway, I've now reenabled mail delivery, and I have read the TCP_NDELAY discussion in the mail archive. I'm not terribly familiar with Nagle, but I have some comments: 1. When having an interacting session, and sending two keystrokes "X" and "Y", one may end up with loads of IP packets: Client Server ---> "X" First keystroke (a) <--- TCP ACK Ack of the data (b) <--- SSH ADJ SSH_MSG_WINDOW_ADJUST (c) ---> TCP ACK Ack of above message (d) <--- "X" The server pty echoes the data (e) ---> TCP ACK Ack of the echoed data (f) ---> SSH_ADJ SSH_MSG_WINDOW_ADJUST (g) <--- TCP ACK Ack of the above message. (h) ---> "Y" Next keystroke (i) ... Etc Then TCP uses extra delays to try to get the acks and echoes into fewer IP packets, in order to waste less bandwidth. In general, that seems like a good thing to do, and ideally, (b), (c) and (e) should get lumped together into one IP packet, and so should (d), (f), (g) and (i). 2. I'm not sure which part of this trick is the "Nagle algorithm" , and disabled, and I'm not sure in which direction it is most important. To optimize this, one would need to look at some packet traces. 3. I'm not personally experiencing any lagginess, but perhaps I'm too tolerant, or use a too fast network (I don't use anything slower than adsl on a daily basis. At the moment, I'm typing over an interactive lsh/lshd connection over a 9 hop network, 10MB at my end point, and a 10ms roundtrip time). But I'm sure this is system and IP-stack dependent, so I'll be happy to add TCP_NDELAY call, if that helps for other people. 4. There's also one additional source of small delays in lsh: When setting the client tty into raw mode, lsh fiddles with the VMIN and VTIME values (exactly if and how has varied a little between versions). The intent is that if you type reasonably fast, there should not be a simple one-to-one correspondence between keystrokes and IP-packets, to make it a little harder for an eavesdropper to observe your typing pattern. Again, some packet traces would help to determine if this really works well. The code is in unix_interact.c: static struct terminal_attributes * do_make_raw(struct terminal_attributes *s) { CAST(unix_termios, self, s); CLONED(unix_termios, res, self); CFMAKERAW(&res->ios); /* Modify VMIN and VTIME, to save some bandwidth and make traffic * analysis of interactive sessions a little harder. */ res->ios.c_cc[VMIN] = 4; /* Inter-character timer, in units of 0.1s */ res->ios.c_cc[VTIME] = 1; return &res->super; } This should result in an extra delay of MAX(0.1s, 3 * your intertyping time). I'd be happy for corrections to this description, as well as experiments with changed TCP and TTY options. The patch that adds an setsockopt(..., TCP_NODELAY) to io.c:io_connect seems to hack at the right place for the client. There should probably be configurable so that it is used only when running under a tty. For the server side of things, the corresponding funtion seems to be io.c:do_listen_callback. As some noticed, after editing io.c, the Makefile will want to recreate io.c.x, which will fail if you don't have guile or scsh installed. For these changes, it should be safe to just touch io.c.x to convince make that it is up-to-date. Best regards, /Niels

2 1

GSS support?
by Simon Josefsson 10 Aug '03

10 Aug '03

Anyone interested in working on adding GSS-API authentication a'la http://www.ietf.org/internet-drafts/draft-ietf-secsh-gsskeyex-06.txt to lsh? I'm currently working on my own GSS library (see <http://josefsson.org/gss/>) and while far from finished, it can now talk to other clients/servers via GSASL or Mailutils. I'd imagine adding the GSS support to lsh would stress test more stuff in the GSS library, so it looks like a good next step for me. However, as I'm not familiar with lsh (the gc stuff make it look a bit complex) I would appreciate if someone else did the lsh part of the work :-) or at least had an opinion on if doing this is feasible without becoming a lsh guru. Is there some major component missing from lsh that would be needed before the GSS auth/kex idea can be implemented? (Of course, once written, it will work with other GSS implementations too, like MIT Kerberos 5, Heimdal, Sun, Globus etc.) Thanks, Simon

4 17

TCP_NODELAY ?
by Pete Naylor 08 Aug '03

08 Aug '03

I'm noticing that lsh seems terribly laggy when used for an interactive shell. Looking at the source I don't see the TCP_NODELAY socket option set anywhere. Perhaps this could be added (possibly only for an interactive shell if that can be determined) ? I did try to add it to the setsockopt call in io.c myself to see if it'd help, but for whatever reason it doesn't want to build after I make any edits - something to do with the abstraction stuff I guess. -- Pete Naylor

3 4

SYGNET Walk & Talk
by Sygnet Technologies 31 Jul '03

31 Jul '03

For more information about SYGNET's Walk & Talk please contact: info(a)sygnet-tech.com If this message has reached you in error or you would like to be taken off our mailing list, please click on the following link: unsubscribe(a)sygnet-tech.com, please include "Unsubscribe" in the subject line.

1 0

政府邀请函
by 政府信息化办公室 30 Jul '03

30 Jul '03

尊敬的各位朋友：山东省是中国经济最发达的地区，也是最大的IT产品市场之一，每年有1000亿元的市场采购，是中国北方地区最大（北京除外）的区域市场。为了发展你们的事业，获得更多的市场机会，我们热情邀请您参加'2003中国国际信息技术博览会暨城市信息化市长论坛。中国国际信息技术博览会（ITEXPO）是山东省规模最大、效果最好，也是唯一由政府主办和承办的IT盛会。该会以观众层次高、展览效果好、服务体贴周到而闻名遐迩，成为众多IT企业进军齐鲁大地的首要选择。IBM、CISCO、HP、MICROSOFT、西门子、爱立信、诺基亚等世界著名IT跨国集团和华为、联想、方正、神州数码、浪潮等国内IT知名企业均通过参加展览，顺利打开山东市场。ITEXPO自从1999年开展以来，已经有70万观众参观，达成交易上百亿元。 2003年山东省各行业、各部门、各企业全面加大信息化投资力度，并在本届展会上选择合作单位，请抓住这个宝贵的机会，到济南开辟更大的事业！中国国际信息技术博览会诚邀 2003、7、28 时间： 2003年10月16日――10月19日（周四--周日）大会组委会设在济南市人民政府信息化办公室地址：[250001]济南市纬二路182号济南市人民政府信息化办公室电话：86-531-2075611 传真：86-531-2075606 手机：13505410459 联系人：路晨曦由于展位特别紧张，请火速预订。详细资料可来电索取。 http://www.ITexpo.com.cn http://www.jn.gov.cn mailto:itexpo@jn.gov.cn

1 0

政府邀请函
by 政府信息化办公室 30 Jul '03

30 Jul '03

1 0

PARCELAS PUNTA DE CHOROS O $2.000.000 SOLO JULIO Consulte Facilidades
by Tu Tierra 18 Jul '03

18 Jul '03

OFERTA DE INVIERNO PARCELAS PUNTA DE CHOROS CHILE VALOR PARCELA $2.000.000 CHILE CHILE A solo 120 km al norte de La Serena Parcelas de 5075 m2 Fono 09-7979918 -51-311479 Un Entorno Privilegiado de Flora y Fauna A Minutos de la Caleta de Punta de Choros Escritura Inmediata www.tutierra.cl A 2500 Metros de la Playa Grande www.tutierra.cl PROMOCIÓN VENTA DE INVIERNO VALOR PARCELA $2.000.000 USTED DEFINE EL PIE DIFERENCIA 15 CHEQUES TOME SU CUPO OFERTA HASTA EL 31 DE JULIO FORMULARIO DE CONSULTAS AL CONSULTAR RECIBIRÁ TODA LA INFORMACIÓN DEL LOTEO, FOTOGRAFÍAS ANTECEDENTES LEGALES, EMPLAZAMIENTO, UBICACIÓN Y ANTECEDENTES GENERALES PARCELAS DE AGRADO PUNTA DE CHOROS WWW.TUTIERRA.CL VENTA(a)TUTIERRA.CL 09-7979918 SI NO DESEA RECIBIR MAS INFORMACIÓN COMUNIQUESE A ESTE MAIL no deseo recibir mas información (Nota: la legislación chilena no contempla el envío de publicidad por correo electrónico. Respetamos la normativa internacional que establece que ningún e-mail puede considerarse SPAM si se le estipula a las personas instrucciones precisas de como removerse de esta lista

1 0

Nossos Melhores Cumprimentos lsh-bugs
by Qualysoft 17 Jul '03

17 Jul '03

1 0

I NEED YOUR HELP
by lrena_kovac＠themail.com 04 Jul '03

04 Jul '03

Sir, My name is Mrs. Irena Kovac and i need your assistance.I am the widow of Miodrag Kovac, former Yugoslav Minister of Health. My husband died on April 12 2002.After his death the government seized our properties and froze our accounts and try to kill us so will now move to Ghana were we are be secking refugee camp,things have been so bad.But i recently discovered that my husband deposited about US$26 million dollars in a safe place outside my country.I am unable to claim these funds myself because of travel restrictions which have been placed on me.I need your assistance to claim this funds and secure them so that i take my family away from the oppression that we now face.In return for your assistance i am willing to give you portion of the money,i am open for reasonable negotiation on this.I will give details and proof after i hear from you.Please keep this confidential as the future of my family depends on this.I hope to hear from you soon please contact me with this e-mail ( lrena_em(a)yahoo.co.uk) also send me your telephone number so that i can tell you more details. Mrs. Irena Kovac

1 0

Re: GSS support?
by Simon Josefsson 01 Jul '03

01 Jul '03

(Responding to the list since this seems like a interesting issue.) nisse(a)lysator.liu.se (Niels Möller) writes: >> Oops, I didn't think of this. OK, it seems fairly clear that GSS >> should be invoked from a different process, which communicate with the >> lsh core using some protocol, then. Still, since kerberos 5 GSS >> mechanism is fast, this is probably not a show-stopper. I think I'll >> leave this as an exercise. > > As long as the servers contacted are *not* of the user's/client's > choice, it may be ok. For the Kerberos 5 GSS mechanism, the server doesn't talk to the network, at least my K5 implementation doesn't. But in general, there is no such guarantee, and GSS_Accept_sec_context is even specifically allowed to block: This call may block pending network interactions for those mech_types in which a directory service or other network entity must be consulted on behalf of a context acceptor in order to validate a received input_token. > Is there any chance of an non-blocking variant of the gss-api? Generally speaking, that is up to the IETF. Searching for "block" in the RFCs suggest people haven't thought about this. Which is symptomatic of many things in GSS; I'll add this problem to my Criticism of GSS section. It may be possible to support a new extension flag to request only non-blocking mechanisms, but existing GSS libraries wouldn't support it. I'll think about adding this for my GSS library. > It's often painful to write proper select-loop based programs, > because various libraries one want to use are blocking. Most common > example is gethostbyname, select-loop based programs have to either > not use DNS, or fork a separate process for DNS lookups, or use some > non-blocking resolver library, like adns. It would be nice with some > adns-like interface to gss-api or directly to kerberos, but I'm not > aware of any work in that direction. Neither am I. It sounds like it would be possible to implement this in a wrapper library though, a'la handle = START(gss_accept_sec_context(...)) gss_call_started = now() do select loop if FINISHED(handle) maj_stat = FINISH(handle) continue GSS operation... if gss_call_started < now() - 10000 ABORT(handle) send gss error... The START function would start the operation in another process, FINISHED would check if the function call has finished, and FINISH would clean up the operation and return the function value, and ABORT would cleanup the operation without caring about the return value. There could be some tricky issues -- e.g., what if you call ABORT and the process later do return something useful, then the GSS state is probably in an undefined state from the application's point of view -- but it doesn't look infeasible. It could perhaps even be implemted as a meta-gss library, similar to adns. Hm. OTOH, I recall you mentioned LSH might support a separated process style authentication in the future anyway, so then the GSS calls can be moved to that second process. This would probably be simpler. It would also simplify binary packaging -- only the second process need to be different for GSS, the core lshd is the same. Regards, Simon

1 0

← Newer
1
...
42
43
44
45
46
47
48
49
50
Older →

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

lsh-bugs