Speeding up SSH (ControlMaster)

Posted by Nico Golde in
Tuesday, January 23. 2007

Nearly two years passed and there are still people out there who don't know 'ControlMaster' which was introduced in OpenSSH 4.0.

ControlMaster is set to no by default.
To quote man 5 ssh_config:

Enables the sharing of multiple sessions over a single network
connection. When set to ``yes'' ssh will listen for connections
on a control socket specified using the ControlPath argument.
Additional sessions can connect to this socket using the same
ControlPath with ControlMaster set to ``no'' (the default).
These sessions will try to reuse the master instance's network
connection rather than initiating new ones, but will fall back to
connecting normally if the control socket does not exist, or is
not listening.

Setting this to ``ask'' will cause ssh to listen for control con-
nections, but require confirmation using the SSH_ASKPASS program
before they are accepted (see ssh-add(1) for details). If the
ControlPath can not be opened, ssh will continue without connecting
to a master instance.

This is pretty useful. Set ControlMaster to 'auto' (or autoask) if you want to use an existing socket, create a new one if you can't connect to an existing socket or there is none existing.

This has the nice (depends on how paranoit you are) side effect that you gain speed and if you login via password
on a server, you don't have to type your password every while you login because you can use
an already authenticated socket.

cat >> ~/.ssh/config << EOF
Host *
ControlPath ~/.ssh/master-%r@%h:%p
ControlMaster auto
EOF

Be sure to check the permissions of the ControlPath so noone else can use your existing socket.

Comments (3) - Trackbacks (0)

Defined tags for this entry: config, network, ssh

Related entries by tags:

Trackbacks

Trackback specific URI for this entry

No Trackbacks

Comments

Display comments as (Linear | Threaded)

So this speeds up login multiple times?
What's the advantage over 'just' using passwordless key authentication?

#1 blindcoder (Homepage) on 2007-01-24 07:43 (Reply)

yes speed since you dont have the tcp connect overhead every connection

#2 nion on 2007-01-24 11:26 (Reply)

Permissions: it should be enough to set ~/.ssh (or ~/.etc/ssh, on MirBSD) to 0700 ― MirBSD default is ~/.etc is 0700, so that matches; pristine OpenSSH refuses to work if ~/.ssh is not 0700, so that also matches.

ControlMaster: set it to "no" and use "ssh -fNM " to initiate the master connection manually. Otherwise, if you have two terminals, run "ssh " on the first, then on the second, then quit it on the first, the terminal will be occupied by the ssh process until you quit it on the second as well. This is mostly annoying and contra-productive, especially with mc (ssh over commandline, fishfs), sshfs, etc.

ControlPath: Be sure to append the "Host *" match at the VERY END of the file, so that you can override it in any entries placed before it (ssh_config(5) is last-match). For instance, if you have two aliases for the same host (say, "Host herch\n Hostname 192.168.x.y" and "Host hercv\n Hostname herc.vpn.xxx"), you want them to share a ControlPath, not use different ones.

Advantage: you do not only not have the tcp connect overhead, but also the cryptographic overhead. This is especially good if one of the two boxen is slow. It also makes cvs-over-ssh (which is the One True Way™ to use cvs, unless you mirror the repo locally, which again is a good idea anyway for everything except cvs ci) a really nice experience, as commands are done almost instantly.

Passwordless keys: bad bad bad. If you must, try to use ssh-agent and password-protected keys instead. Really. (There's even ssh agent forwarding, for the adventurous.)

I have small scripts "m_0" and "m_1" which kill or create a master connection with/and a pidfile (using ctl. and pid., respectively).

#3 mirabilos (Homepage) on 2008-12-11 16:00 (Reply)

Add Comment

Name
Email
Homepage
In reply to
Comment	Enclosing asterisks marks text as bold (word), underscore are made via _word_. Standard emoticons like :-) and ;-) are converted to images. You can use [geshi lang=lang_name [,ln={y\|n}]][/geshi] tags to embed source code snippets. E-Mail addresses will not be displayed and will only be used for E-Mail notifications To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly. Enter the string from the spam-prevention image above: You can use [geshi lang=lang_name [,ln={y\|n}]][/geshi] tags to embed source code snippets.
	Remember Information?