EldoS | Feel safer!

Scalability question

#7649
Posted: 09/18/2008 14:35:06
by Vladimir Giszpenc (Basic support level)
Joined: 09/18/2008
Posts: 9

Hi,

I am considering SBSSHClient and have a few questions:

I want to connect to many (what is my limit?) hosts simultaneously and start issuing commands and capturing results. I would connect to each host on a separate thread, so if statics are used, is it all thread safe?

How well does the client scale?
For long-running commands, do you get back your result in chunks? If so, is there a way to know I am done? (Do I need to know what the prompt is and look for it?)
If bad packets are resent, is the whole output of the command resent?
Are there plans to add support for SecureString for passwords?
Can you interrupt a connection gracefully?
Does the PKI stuff support PKCS#11 i.e. smart cards? Does it have drivers that work on Linux?

Thanks!

Vlad
#7650
Posted: 09/18/2008 15:07:16
by Eugene Mayevski (EldoS Corp.)

Quote
Vladimir Giszpenc wrote:
I want to connect to many (what is my limit?) hosts simultaneously and start issuing commands and capturing results. I would connect to each host on a separate thread, so if statics are used, is it all thread safe?


Each ElSSHClient object serves only one remote connection. If you want to connect to 100 hosts, you must use 100 objects.

Quote
Vladimir Giszpenc wrote:
For long running commands, do you get back your result in chunks?


Yes.

Quote
Vladimir Giszpenc wrote:
If so, is there a way to know I am done? (Do I need to know what the prompt is and look for it?)


If you are using a shell channel (i.e. the one with a prompt), then you need to parse the reply for a prompt. If you are using a command channel, you get the data within the channel and then the channel is closed (and you are notified via the event).

Quote
Vladimir Giszpenc wrote:
If bad packets are resent, is the whole output of the command resent?


What do you mean by "bad packet"? If the SSH packet is altered on the way, communication is broken. There's no reliable way to recover from this situation, so you would need to reconnect and reissue the command. However, the SSH packet can be altered in only two ways: (a) someone in the middle has attempted to break into the communication, or (b) some router on the way spoils the data which is transferred via this router. Both cases require operator attention.

Quote
Vladimir Giszpenc wrote:
Are there plans to add support for SecureString for passwords?


Yes, such plans exist, but changing the whole code for a very minor security achievement is not something that can have priority.


Quote
Vladimir Giszpenc wrote:
Can you interrupt a connection gracefully?


Yes.

Quote
Vladimir Giszpenc wrote:
Does the PKI stuff support PKCS#11 i.e. smart cards?


PKCS#11 doesn't define ways to store SSH keys (I am talking about SSH keys, not RSA or DSA keypairs). It provides built-in support only for X.509 certificates. We do support X.509 certificates as an authentication method in SSH, but I can't say at the moment how well the SSH components work with certificates accessed via PKCS#11 or WinCrypto. The developer will answer in more detail.


Sincerely yours
Eugene Mayevski
#7743
Posted: 09/29/2008 09:59:21
by Vladimir Giszpenc (Basic support level)
Joined: 09/18/2008
Posts: 9

Your immediate response and the quality thereof were outstanding. So far I am sold (I will now try to play with your product).

I would like to use the command channel to send commands piece meal.

open connection
loop
send a command
process results
repeat
close connection

Is this possible?

Another thing that may be difficult is to ssh as one user and promote to root (su). This is required for hardened machines that do not allow root login over SSH.

Quote

If you want to connect to 100 hosts, you must use 100 objects.

Do you impose a limit to the number of concurrent SSH connections? Does a network card or the kernel (OS) impose a limit? You seem to know this space more than I do and I want to be able to do as much in parallel as possible.

Thank you so much for your help!

Vlad
#7745
Posted: 09/29/2008 11:05:34
by Ken Ivanov (EldoS Corp.)

Quote
I would like to use the command channel to send commands piece meal... Is this possible?

Yes. There are two possible ways to do this, the easy one and the flexible one. An easy way is to add all the needed commands to the TElSimpleSSHClient.Commands list and then call its Open() method. TElSimpleSSHClient will execute all the supplied commands consecutively. The drawback of this approach is that you should know the exact list of commands before the connection to the server is made.

The flexible way is to use the low-level SSH components, such as TElSSHClient, TElCommandSSHTunnel and TElSSHTunnelList. These classes allow you to create as many logical tunnels as needed, whenever needed, during the session.

Quote
Another thing that may be difficult is to ssh as one user and promote to root (su). This is required for hardened machines that do not allow root login over SSH.

SSH itself does not provide means for switching the authenticated user, so one should use the instruments provided by the remote operating system such as 'sudo' or 'su' commands.

#7746
Posted: 09/29/2008 11:07:51
by Eugene Mayevski (EldoS Corp.)

Quote
Vladimir Giszpenc wrote:
Do you impose a limit to the number of concurrent SSH connections?


Each SSH connection takes one socket connection. While there's no known limit on the number of connections, I have heard of 10,000 sockets being the maximum number that has been reached on WinXP.


Sincerely yours
Eugene Mayevski
#7782
Posted: 10/02/2008 10:10:35
by Vladimir Giszpenc (Basic support level)
Joined: 09/18/2008
Posts: 9

Hi,

Thanks as always for your expert and prompt responses.

I am trying to use SecureBlackBox.SSHClient to connect to a host and send a bunch of commands that will differ depending on results of previous commands.

I am following the example in the SophisticatedSSHClient. The sample works great! Even on Linux (GUI and all thanks to Mono)!!!

The sample uses the ElShellSSHTunnel and I would prefer to use ElCommandSSHTunnel as you suggested above.

My problem is that I don't want to set the list of commands up front using tunnel.Command property. I am looking for something analogous to
Code
tunnelConnection.SendData(buf);

to send commands piece meal once the connection is established.
What am I missing? How do I delay sending commands to the time when I see fit?

My second issue has to deal with capturing standard error.
If I send the command
Code
echo err 1>&2

I would expect to get the result OnError but it comes back OnData.
What should I do to distinguish stderr from stdout?

I can send my code if it helps.

Thanks,

Vlad
#7783
Posted: 10/02/2008 10:57:01
by Ken Ivanov (EldoS Corp.)

Quote
My problem is that I don't want to set the list of commands up front using tunnel.Command property.

You should use several TElCommandSSHTunnel objects, each one corresponding to a particular executed command. When the first command is finished, create a new instance of TElCommandSSHTunnel and bind it to TElSSHClient via the TElSSHTunnelList object. Then set its Command property and call the Open() method. When the second command is over, create a new TElCommandSSHTunnel for the third command, and so on.

Actually, you can reuse the same TElCommandSSHTunnel instance, changing the Command property and calling the Open() method after it.

Remember to set TElSSHClient.CloseIfNoActiveTunnels property to false to make the tunnels work in described way.

Quote
My second issue has to deal with capturing standard error.

Standard error data is returned via OnExtendedData event, not OnError. Please handle OnExtendedData and check if the data are there.
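The split between OnData and OnExtendedData mirrors two different messages in the SSH connection protocol (RFC 4254): SSH_MSG_CHANNEL_DATA carries the command's stdout, and SSH_MSG_CHANNEL_EXTENDED_DATA with data_type_code SSH_EXTENDED_DATA_STDERR carries stderr; the exit code comes in a CHANNEL_REQUEST of type "exit-status", followed by EOF and CLOSE, which is the "channel closed" notification on a command channel. The demultiplexer below is an added example written for this page, not code from the thread or from SecureBlackbox; all message bytes are constructed, and it works on decrypted payloads, i.e. after the transport layer has verified the MAC (an altered packet never reaches this stage; the connection is torn down instead, which is why there is no per-channel retransmission). One caveat worth knowing: if the client requests a pseudo-terminal for the command, the remote process's stdout and stderr are both attached to that pty, so the server only has one stream and everything arrives as CHANNEL_DATA; stderr can only be told apart when no pty is requested.

```python
"""Demultiplex SSH connection-protocol channel messages (RFC 4254).
Added example, not SecureBlackbox code; every payload below is constructed."""
import struct

SSH_MSG_CHANNEL_DATA = 94           # RFC 4254 5.2: the command's stdout
SSH_MSG_CHANNEL_EXTENDED_DATA = 95  # RFC 4254 5.2: typed side stream
SSH_MSG_CHANNEL_EOF = 96
SSH_MSG_CHANNEL_CLOSE = 97
SSH_MSG_CHANNEL_REQUEST = 98        # carries "exit-status", RFC 4254 6.10
SSH_EXTENDED_DATA_STDERR = 1        # the only data_type_code RFC 4254 defines


def ssh_string(b):
    """SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


# Encoders used to build the constructed server-to-client message log.
def msg_data(chan, data):
    return bytes([SSH_MSG_CHANNEL_DATA]) + struct.pack(">I", chan) + ssh_string(data)

def msg_extended_data(chan, code, data):
    return bytes([SSH_MSG_CHANNEL_EXTENDED_DATA]) + struct.pack(">II", chan, code) + ssh_string(data)

def msg_exit_status(chan, status):
    # "exit-status" requests always carry want_reply = FALSE (RFC 4254 6.10)
    return (bytes([SSH_MSG_CHANNEL_REQUEST]) + struct.pack(">I", chan)
            + ssh_string(b"exit-status") + b"\x00" + struct.pack(">I", status))

def msg_simple(msg_type, chan):
    return bytes([msg_type]) + struct.pack(">I", chan)


class Reader:
    """Bounds-checked decoder: a bad length field raises instead of over-reading."""
    def __init__(self, payload, off):
        self.buf, self.off = payload, off

    def uint32(self):
        if self.off + 4 > len(self.buf):
            raise ValueError("truncated uint32")
        v = struct.unpack_from(">I", self.buf, self.off)[0]
        self.off += 4
        return v

    def byte(self):
        if self.off >= len(self.buf):
            raise ValueError("truncated byte")
        self.off += 1
        return self.buf[self.off - 1]

    def string(self):
        n = self.uint32()
        if n > len(self.buf) - self.off:   # length claims more than the packet holds
            raise ValueError("string length %d exceeds payload" % n)
        self.off += n
        return self.buf[self.off - n:self.off]

    def done(self):
        if self.off != len(self.buf):
            raise ValueError("%d trailing bytes" % (len(self.buf) - self.off))


class Channel:
    def __init__(self):
        self.stdout = bytearray()   # what an OnData-style event would deliver
        self.stderr = bytearray()   # what an OnExtendedData-style event would deliver
        self.other = {}             # unknown data_type_code -> bytes, kept apart
        self.exit_status = None
        self.eof = self.closed = False


def demux(payloads):
    """Route decrypted channel payloads into per-channel state."""
    channels = {}
    for p in payloads:
        if not p:
            raise ValueError("empty payload")
        msg_type, r = p[0], Reader(p, 1)
        ch = channels.setdefault(r.uint32(), Channel())
        if ch.closed:
            raise ValueError("message on a closed channel")
        if msg_type == SSH_MSG_CHANNEL_DATA:
            ch.stdout += r.string()
        elif msg_type == SSH_MSG_CHANNEL_EXTENDED_DATA:
            code, data = r.uint32(), r.string()
            if code == SSH_EXTENDED_DATA_STDERR:
                ch.stderr += data
            else:                    # never fold an unknown stream into stdout
                ch.other.setdefault(code, bytearray()).extend(data)
        elif msg_type == SSH_MSG_CHANNEL_REQUEST:
            name, _want_reply = r.string(), r.byte()
            if name != b"exit-status":
                continue             # request-specific data we do not parse
            ch.exit_status = r.uint32()
        elif msg_type == SSH_MSG_CHANNEL_EOF:
            ch.eof = True
        elif msg_type == SSH_MSG_CHANNEL_CLOSE:
            ch.closed = True
        else:
            raise ValueError("unexpected message type %d" % msg_type)
        r.done()
    return channels


def demo():
    """A command channel writing to both streams, then finishing with status 2."""
    log = [msg_data(0, b"out line\n"),
           msg_extended_data(0, SSH_EXTENDED_DATA_STDERR, b"err line\n"),
           msg_data(0, b"more "), msg_data(0, b"out\n"),   # output arrives in chunks
           msg_exit_status(0, 2),
           msg_simple(SSH_MSG_CHANNEL_EOF, 0),
           msg_simple(SSH_MSG_CHANNEL_CLOSE, 0)]           # the "channel closed" event
    return demux(log)[0]
```

Running demo() gives stdout "out line\nmore out\n", stderr "err line\n" and exit status 2 on channel 0; a length field larger than the payload, or data after CLOSE, is rejected rather than silently read past the buffer or merged into the wrong stream.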
#7784
Posted: 10/02/2008 12:23:38
by Vladimir Giszpenc (Basic support level)
Joined: 09/18/2008
Posts: 9

The separate tunnel.Open() per command is working great.

Quote

Standard error data is returned via OnExtendedData event, not OnError. Please handle OnExtendedData and check if the data are there.


The stderr is not working (it is coming back through OnData()).

Note: I do not control the server side. It is a regular OpenSSH Linux server.
#7785
Posted: 10/02/2008 13:03:43
by Vladimir Giszpenc (Basic support level)
Joined: 09/18/2008
Posts: 9

The other question that I still have is how to deal with subshells.

here is a test I would like to do

connect to host as vgiszpenc
run whoami
get vgiszpenc
run su
get password:
send password <-- not sure how to do this
run whoami
get root

How do I send the password without it being interpreted as a command and allowing me to keep the promoted state?

I use the term subshell above because sending the "(" command is similar to the example I give above and should have a similar solution. I guess I am looking for expect type functionality. Your hints have been great so far so hopefully that should be all I need. I can't begin to tell you how impressed I am with the level of support for this product.

Thanks,

Vlad
#7800
Posted: 10/03/2008 09:35:01
by Ken Ivanov (EldoS Corp.)

Quote
The stderr is not working (it is coming back through OnData().

Please try to set TElCommandSSHTunnel.RequestTerminal property to false and check if it helps. Some OpenSSH servers incorrectly handle command channels which request pseudo terminals.

Quote
the other question that I still have is how to deal with subshells.

The executed command can interact with the remote user. That is, you can open a command channel and then send data to the created connection. In your particular case, the log of the 'su' command will look like this:
1) Open the 'su' command channel,
2) OnData fires returning the 'Password:' line,
3) Request a password from user and send it to the logical connection using its SendData/SendText method.

Quote
How do I send the password without it being interpreted as a command and allowing me to keep the promoted state?

Keeping the promoted state is a very interesting question. The answer to it depends on the particular server implementation. We have never tried running 'su' in such way, so, unfortunately, we cannot assume the behaviour that OpenSSH will expose.
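The two open questions in this thread, how to know a command is finished on a channel with a prompt and how to answer 'su' and stay elevated, are both expect-style problems. The example below is added for this page and is not code from the thread or from SecureBlackbox: a local shell fed through a pipe stands in for the SSH shell channel, stderr is merged into stdout on purpose (that is what a channel with a pty delivers), and 'su' is a fake shell function that prompts without a newline, reads one line as the password (assumed here to be hunter2) and, on success, starts a child shell. Two techniques are shown. First, instead of guessing the remote prompt, each command is followed by a printf of a fresh random sentinel plus $?, so completion and the exit status are unambiguous and command output cannot forge the marker. Second, the 'Password: ' prompt has no trailing newline and may arrive split across chunks, so matching is done on an accumulated buffer rather than line by line. The promoted state survives because later commands are written to the same channel, whose stdin is now read by the elevated child shell; it ends when that shell is sent 'exit'. Whether a real sshd behaves the same depends on the server, as the reply above says; this stand-in only shows the client-side mechanics. The shell used must not read ahead past the current line on a pipe (POSIX requires this; bash is preferred when present).

```python
"""Drive an interactive shell over one channel, expect-style.
Added example, not SecureBlackbox code; the 'su' here is a constructed fake."""
import os
import re
import select
import shlex
import shutil
import subprocess
import time
import uuid


def fake_su(shell):
    """Stand-in for su: prompt with no newline, read one line as the password,
    then hand the channel's stdin to an elevated child shell (assumed pw: hunter2)."""
    return ("su() { printf 'Password: '; read -r _pw; "
            "if [ \"$_pw\" = hunter2 ]; then SBB_USER=root %s; "
            "else echo 'su: Authentication failure' >&2; return 1; fi; }"
            % shlex.quote(shell))


class ShellDriver:
    def __init__(self, shell, env):
        # stderr merged into stdout: what a channel with a pty looks like
        self.proc = subprocess.Popen([shell], stdin=subprocess.PIPE,
                                     stdout=subprocess.PIPE,
                                     stderr=subprocess.STDOUT, env=env)
        self.buf = b""

    def send(self, text):
        self.proc.stdin.write(text.encode())
        self.proc.stdin.flush()

    def expect(self, pattern, timeout=5.0):
        """Read chunks until pattern matches the accumulated buffer. Unconsumed
        data is kept between calls, so a prompt split across two chunks, or one
        that never ends in a newline ('Password: '), is still found."""
        regex = re.compile(pattern, re.DOTALL)
        fd = self.proc.stdout.fileno()
        deadline = time.monotonic() + timeout
        while True:
            m = regex.search(self.buf)
            if m:
                self.buf = self.buf[m.end():]
                return m
            left = deadline - time.monotonic()
            if left <= 0 or not select.select([fd], [], [], left)[0]:
                raise TimeoutError("no match for %r" % pattern)
            chunk = os.read(fd, 4096)
            if not chunk:
                raise EOFError("channel closed while waiting for %r" % pattern)
            self.buf += chunk

    def run(self, cmd, timeout=5.0):
        """Run one command; return (output, exit status). A fresh random
        sentinel marks completion, so no prompt parsing is needed and the
        command's own output cannot be mistaken for the end marker."""
        marker = "__DONE_%s__" % uuid.uuid4().hex
        self.send("%s\nprintf '%%s %%s\\n' %s $?\n" % (cmd, marker))
        m = self.expect(rb"(.*?)" + marker.encode() + rb" (\d+)\n", timeout)
        return m.group(1).decode(), int(m.group(2).decode())

    def close(self):
        self.proc.stdin.close()
        return self.proc.wait(timeout=5)


def demo():
    shell = shutil.which("bash") or "/bin/sh"   # must not read ahead on a pipe
    sh = ShellDriver(shell, {"PATH": "/usr/bin:/bin", "SBB_USER": "vgiszpenc"})
    out = {}
    sh.run(fake_su(shell))                       # install the fake su
    out["before"] = sh.run("echo $SBB_USER")     # ('vgiszpenc\n', 0)
    # Wrong password: the failure arrives on the merged stream and the
    # next command still runs as the original user.
    sh.send("su\n")
    sh.expect(rb"Password: ")
    sh.send("wrong\n")
    sh.expect(rb"Authentication failure\n")
    out["failed_status"] = sh.run("echo $?")     # ('1\n', 0)
    # Right password: from here on the channel feeds the elevated shell.
    sh.send("su\n")
    sh.expect(rb"Password: ")
    sh.send("hunter2\n")
    out["elevated"] = sh.run("echo $SBB_USER")   # ('root\n', 0)
    out["elevated_false"] = sh.run("false")      # ('', 1)
    sh.run("exit")                               # leave the elevated shell
    out["after"] = sh.run("echo $SBB_USER")      # ('vgiszpenc\n', 0)
    out["exit_code"] = sh.close()
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The password is written to the channel exactly as any other input; nothing in the protocol distinguishes it, which is why it must only ever travel inside the encrypted SSH session and why a real 'su' turns terminal echo off before reading it.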