Name Modified Size Info Downloads / Week
Debian Packages 2024-02-27
RPMS 2024-02-27
Patches 2024-02-27
CentOS RPMS 2022-01-20
GSI-Openssh-HPN-SSH 2019-11-20
OpenSSL-1.1 Compatibility 2018-09-11
README 2021-10-07 5.9 kB
Totals: 7 Items   5.9 kB 7
Binaries:
We now have binaries for HPN-SSH. Currently just RPMs, but you'll find them under the RPMS folder. Debian packages are coming soon. Patches are available but they're not as current as getting the repo from https://github.com/rapier1/openssh-portable

Binary packages used to be drop-in replacements for existing packages. That meant that they would overwrite the existing installation. This turned out to be what one might call suboptimal. This has been changed in recent packages and HPN-SSH will now install into /opt/hpnssh. This means that to access ssh, scp, and so forth you either need to use the full path (e.g. /opt/hpnssh/usr/bin/ssh) or update your PATH environment variable to point to the installation location *before* /usr/bin. The service starts, by default, on port 2222 but this can be modified in the sshd_config file. I do recommend testing HPN-SSH thoroughly and *then* making it the default ssh provider. Eventually I'll come up with a shell script to swap over the system default to and from HPN-SSH.

Important News: 
Versions 14v15 for OpenSSH 7.6 through version 14v18 for OpenSSH 7.8 had a bug in the multithreaded AES-CTR code that would cause occasional hangs. We believe we've identified and fixed this problem. If you run into any issues please contact us at hpn-ssh@psc.edu. We can't fix problems we don't know about so we are counting on you.

Contact us:
I have no idea who is using HPN-SSH and I'd really like to know. If you are using our code please drop us a line at hpn-ssh@psc.edu and tell me. Likewise, if you run into any problems, bugs, or have a feature request let us know.

Donations and Funding:
In March of 2020 we received a grant from the National Science Foundation (Award #2004012) to help support continued work on this project. This funding is for a limited period of time but has proven to be instrumental in allowing me to devote more of my time to this project. This grant is slated to expire in March of 2022 but may be extended beyond that if I have money left at the end of the grant period. I've had a plea for donations up here for a long time and I feel really good about being able to take it down for now. It may, and likely will, come back, but until then I'm glad I can focus on HPN-SSH.

What is HPN-SSH?
HPN-SSH is a series of patches for OpenSSH to provide improved performance and functionality. The core of HPN-SSH is the implementation of a dynamic receive side buffer. By allowing this buffer to grow with the TCP receive buffer it's possible to attain significant throughput improvement - up to two orders of magnitude depending on the network path. Patch sets for each OpenSSH release will be found in the appropriate subfolder. 

Why does this work? OpenSSH implements SSHv2 - a multiplexed protocol that allows for multiple data connections across a single TCP stream. In order to provide necessary flow control for the individual channels that comprise this multiplexed connection it was necessary to, essentially, reimplement sliding windows on the receive side. This means that only a set amount of data can be outstanding (in transit) between the sender and receiver at any one time. The OpenSSH development team initially had this limited to 64KB (now 1024KB). Over low latency paths (and for interactive sessions) this is perfectly reasonable. However, for the transfer of large files this proves to be a significant bottleneck. This bottleneck was common to many TCP applications prior to the introduction of autotuning receive buffers in the TCP stack. 

HPN-SSH brings the current TCP receive buffer size up to the application layer and, by doing so, uses the network far more efficiently. 
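
The stall described above, as an added example (not code from the HPN-SSH project): a small event simulation of a sender that may have only a fixed window of bytes unacknowledged. The 64KB and 1024KB windows come from the text; the 100 ms round-trip time, 10 Gbit/s link, 32KB segment size and the function names are assumptions chosen for illustration.

```python
from collections import deque

KB = 1024
SEG = 32 * KB  # constructed segment size; real SSH packet sizes differ


def transfer_time(size, window, rtt, rate):
    """Seconds to deliver `size` bytes when at most `window` bytes may be
    unacknowledged. `rate` is the link speed in bytes/second, `rtt` in seconds."""
    now, sent, outstanding = 0.0, 0, 0
    inflight = deque()  # (time the ack arrives, bytes it frees)
    while sent < size:
        n = min(SEG, window, size - sent)
        # Window full: the sender sits idle until the oldest ack returns.
        while outstanding + n > window:
            ack_time, freed = inflight.popleft()
            now = max(now, ack_time)
            outstanding -= freed
        now += n / rate  # time to put the segment on the wire
        inflight.append((now + rtt, n))
        outstanding += n
        sent += n
    return inflight[-1][0]  # the transfer ends when the last ack arrives


def throughput(size, window, rtt, rate):
    """Average bytes/second achieved for the whole transfer."""
    return size / transfer_time(size, window, rtt, rate)


if __name__ == "__main__":
    # Assumed path: 1 GiB file, 100 ms round trip, 10 Gbit/s link.
    size, rtt, rate = 1024 * KB * KB, 0.100, 1.25e9
    for label, window in [("64KB", 64 * KB), ("1024KB", 1024 * KB),
                          ("128MB (above rate*rtt)", 128 * KB * KB)]:
        bps = throughput(size, window, rtt, rate)
        print(f"window {label:>24}: {bps * 8 / 1e6:10.1f} Mbit/s")
```

With a fixed window the sender spends most of each round trip idle, so throughput tracks window/RTT rather than the link speed; only a window larger than rate*RTT lets the link become the limit.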

The HPN-SSH team (Ben Bennet and Mike Tasota) also developed a multi-threaded variant of the AES-CTR cipher so as to allow multicore systems to distribute the burden of computing the keystream over multiple cores. This enhancement produces a cipher stream that is indistinguishable from the default AES-CTR cipher stream. The upshot is that it is backwards compatible with all existing AES-CTR implementations - no need to have the multithreaded variant on both sides of the connection. Recent work has also eliminated problems with using the multi-threaded AES-CTR cipher in forked connections (common with forwarded ports) and the sandboxed privsep process. The latest versions make use of on-die AES-NI hardware acceleration if supported by the CPU.
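
Why a threaded counter-mode implementation interoperates with a single-threaded peer, as an added example (not the project's code): each keystream block depends only on the key, nonce and counter, so blocks computed by several workers concatenate to the same stream. A SHA-256-based function stands in for the AES block cipher here, and all names and sample values are constructed.

```python
import hashlib
import struct
from concurrent.futures import ThreadPoolExecutor

BLOCK = 16  # bytes per keystream block, as in AES


def ks_block(key, nonce, counter):
    """One keystream block. Stand-in PRF (truncated SHA-256), NOT AES."""
    return hashlib.sha256(key + nonce + struct.pack(">Q", counter)).digest()[:BLOCK]


def keystream_serial(key, nonce, nblocks):
    """Reference implementation: counters 0..nblocks-1 in order, one thread."""
    return b"".join(ks_block(key, nonce, i) for i in range(nblocks))


def keystream_threaded(key, nonce, nblocks, workers=4, chunk=64):
    """Same counters, split into ranges that worker threads fill independently."""
    ranges = [(s, min(s + chunk, nblocks)) for s in range(0, nblocks, chunk)]

    def fill(bounds):
        return b"".join(ks_block(key, nonce, i) for i in range(*bounds))

    with ThreadPoolExecutor(workers) as pool:
        # map() returns results in submission order, so the chunks line up
        # even when the workers finish out of order.
        return b"".join(pool.map(fill, ranges))


def ctr_xor(data, keystream_fn, key, nonce):
    """Encrypt or decrypt (same operation) with the chosen keystream generator."""
    nblocks = (len(data) + BLOCK - 1) // BLOCK
    stream = keystream_fn(key, nonce, nblocks)
    return bytes(a ^ b for a, b in zip(data, stream))


if __name__ == "__main__":
    key, nonce = b"K" * 16, b"N" * 8            # constructed sample values
    message = b"constructed bulk data " * 500
    wire = ctr_xor(message, keystream_threaded, key, nonce)  # threaded sender
    print(ctr_xor(wire, keystream_serial, key, nonce) == message)  # plain receiver
```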

For less sensitive data the team (primarily Michael Stevens) also developed a method to switch to the NONE cipher after a fully cryptographically secure authentication. This method forces the stream to rekey itself after authentication and only proposes the NONE cipher. This patch may significantly improve performance for users whose processes were previously CPU bound. As the NONE cipher is essentially disallowed outside of debugging in OpenSSH, users wishing to make use of the NONE cipher must have this patch installed on both sides of the connection. As an aside, the multi-threaded AES-CTR cipher and the NONE cipher exhibit similar throughput enhancement, albeit, in the case of the AES-CTR cipher, at significantly higher CPU load.

Additionally, under newer versions of HPN-SSH you can also disable the message authentication code (MAC). This means your bulk data transfers are neither encrypted nor protected against man-in-the-middle attacks. Use this with caution, but if your data isn't sensitive, disabling the MAC can provide a significant performance improvement. Please refer to HPN-README for more information.

Lastly, the team also created patches to provide for enhanced server side logging and instantaneous throughput rate reporting in SCP. 

This current patch set, HPN15v4, passes all regression tests, provides a high level of security, and significantly increased performance with minimal fuss.
Source: README, updated 2021-10-07