Most efficient set up for multiple ssh tunnels?

1

0

I currently require remote access to around 10-20 machines, some of which need to be accessed via multiple SSH hops. However, I've noticed that some of the SSH connections are a bit sluggish. What is the most efficient set up? More specifically, is there a performance / IO cost to adding more port binds to the same ssh command?

For example, what are the differences between this:

ssh -f user0@host0 -i "/certs/key.pem" -L 2001:host1:22 -L 2002:host2:22 -L 2003:host3:22 -N

and this:

ssh -f user0@host0 -i "/certs/key.pem" -L 2001:host1:22 -N
ssh -f user0@host0 -i "/certs/key.pem" -L 2002:host2:22 -N
ssh -f user0@host0 -i "/certs/key.pem" -L 2003:host3:22 -N

I notice that in the first case there is only one instance of SSH running, but in the second case there would be three. Which set up would yield the best performance for any SSH connections being made over the tunnels? Or, is any performance difference simply dwarfed by network speed?

Robert Johnson

Posted 2013-09-18T14:30:00.933

Reputation: 125

Answers

1

The first uses a single connection with 3 tunnels; the second uses 3 separate connections with 3 tunnels. It is more efficient to just use the first command, assuming there are no alternate settings in use via ~/.ssh/config or /etc/ssh/ssh_config.

For example, if you use ControlMaster and ControlPath, both commands would provide the same level of performance.

Also, if you are scripting and are concerned with readability, try this:

ssh \
    -f \
    -N \
    -i "/certs/key.pem" \
    -L 2001:host1:22 \
    -L 2002:host2:22 \
    -L 2003:host3:22 \
    user0@host0

I think you will accomplish your goal a little easier if you use this in your ~/.ssh/config:

Host host1
    ProxyCommand ssh host0 -W %h:%p

If you do that, you don't need to use tunnels in the first place since it appears you're trying to forward ssh connections.

UtahJarhead

Posted 2013-09-18T14:30:00.933

Reputation: 1 755

@UtahJarhead If the tunnels have different levels of network traffic, how is the load balancing in either case? Do they behave similarly? And is there any way to add a new tunnel to an already-established SSH session? – Alexander - Reinstate Monica – 2018-07-24T23:51:10.023

In Linux, <return>~C (I think) will drop you to a prompt where you can add additional options. However, you cannot REMOVE options that have already been set. Also, load balancing? Either I do not understand your question or the answer is that there is no load balancing. – UtahJarhead – 2018-07-25T02:46:40.343

Apologies, my question was a little unclear. I've edited it to clarify that I'm interested in what gives the best performance for any SSH connections being executed over the tunnels, rather than what uses the least system resources. – Robert Johnson – 2013-09-18T14:41:43.783

Answer edited to reflect your new information. – UtahJarhead – 2013-09-18T14:48:24.497

I had a quick read on ControlMaster and ControlPath. If I understand it correctly, using them would provide the same level of performance because they basically turn method 2 into method 1 behind the scenes. So what are the performance differences if you don't use ControlMaster? I would have thought that the more ports you bind, the more "work" each SSH instance has to do, so more instances means more system resources used up but the separate tunnels are more performant. Is that right? – Robert Johnson – 2013-09-21T00:47:54.200

The real performance hit is the login process. The initial encryption and authentication is bypassed giving you instant logins after the initial connection. After that, the performance impact should be identical. – UtahJarhead – 2013-09-24T14:29:18.917
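The ControlMaster/ControlPath and ProxyCommand settings mentioned in the answer and comments, combined into one ~/.ssh/config. This is an added example, not part of the original posts. Host names, user and key path are taken from the question; host4, the ControlPath location and the ControlPersist timeout are assumptions.

```sshconfig
# ~/.ssh/config (added example; host0-host3, user0 and the key path come from the question)

# Jump host: authenticate once, then share that connection with later sessions.
Host host0
    User user0
    IdentityFile /certs/key.pem
    ControlMaster auto
    # Keep the socket in a directory only you can access (chmod 700 ~/.ssh):
    # anyone who can open it can use the session without authenticating.
    ControlPath ~/.ssh/cm-%C
    # Assumed value: the master exits 10 minutes after the last session closes.
    ControlPersist 10m

# Machines reachable only through host0; no -L forwards are needed.
Host host1 host2 host3
    ProxyCommand ssh host0 -W %h:%p

# Second hop (hypothetical host4, reachable only from host1).
Host host4
    ProxyCommand ssh host1 -W %h:%p

# Usage, typed in a shell:
#   ssh host2                              # first use logs in to host0, later uses reuse it
#   ssh -O check host0                     # is a master connection running?
#   ssh -O forward -L 2003:host3:22 host0  # add a forward to the running master
#   ssh -O exit host0                      # close the master and remove its socket
```

With the master running, only the first connection through host0 pays the key exchange and authentication cost on that hop; each target host still performs its own login.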