Linux – Copying Files Between Linux Machines with Strong Authentication

backup, linux

I'm looking for a suitable program to copy files from one Linux machine to another one. The program should be able to do authentication but it should not do encryption. The reason behind the latter is the lack of CPU power to do the encryption.

I copy backups from ~70 machines to a single backup server simultaneously. The single server is an HP Proliant DL360 G7, with 10 Gbps ethernet connection and an FC storage backend that can do 4 Gbps. Through FTP I can write ~400MB/sec to the storage (that's about what I want) but through ssh with arcfour I can only do ~100MB/sec while having 100% CPU usage. That's why I want file transfers not to be encrypted.

The alternatives that I found not really suitable:

  • rcp: no authentication, forget it
  • FTP: making the authentication "secure" (at least preventing plain-text password exchange) is possible but not really easy and I haven't found a method to force any FTP daemon to encrypt the control channel (for the authentication) and not to encrypt the data channel (for data transfers)
  • SCP/SFTP: in fairly recent ssh(d) implementations you can't turn off encryption. The best you can do is to use the arcfour cipher for the encryption but it still uses too much CPU power for my needs.
  • rsync over ssh: same problems as with SCP/SFTP.
  • plain rsync: from the documentation of rsyncd: "The authentication protocol used in rsync is a 128 bit MD4 based challenge response system. This is fairly weak protection, though (with at least one brute-force hash-finding algorithm publicly available), so if you want really top-quality security, then I recommend that you run rsync over ssh." It's a no-go.

Is there a protocol/program that can do exactly what I want?

(A big plus would be if it could work on Windows as well and/or if it would support rsync-style copying/synchronization (e.g. copy only the differences).)

Best Answer

You tried doing what I normally do, using a lower-weight encryption algorithm (like arcfour). When that becomes the bottleneck, the next approach I use is disabling ssh encryption entirely.

One approach for this is to use hpn-ssh as your transport. My normal application for this is SSH copies across high-bandwidth, long-distance links (e.g. a 10GbE link between Chicago and New York with 16ms latency). hpn-ssh allows tuning of TCP windows there, but also has the option of disabling encryption entirely. That may help in your case.

Also see: Why is my rsync so slow?
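
An added example, not part of the original answer or of HPN-SSH itself: a wrapper that runs rsync over HPN-SSH with the NONE cipher and stays on an encrypted session when the local client is stock OpenSSH. It assumes an HPN-SSH build on both ends; the function names, host and paths are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the original page). Function names, host and
# paths are assumptions made for illustration.

# Return 0 if the given ssh client accepts HPN-SSH's NoneEnabled option.
# Stock OpenSSH rejects it as a bad configuration option and exits non-zero.
# -G only parses and prints the client configuration; no connection is made.
supports_none_cipher() {
    "$1" -o NoneEnabled=yes -o NoneSwitch=yes -G localhost >/dev/null 2>&1
}

# Print the transport command to hand to "rsync -e".
# With NoneSwitch the login exchange is still encrypted; the client switches
# to cipher "none" only after authentication, and the MAC continues to
# protect the integrity of the bulk data. The file contents themselves
# cross the network in cleartext.
rsync_transport() {
    local ssh_bin="${1:-ssh}"
    if supports_none_cipher "$ssh_bin"; then
        printf '%s -o NoneEnabled=yes -o NoneSwitch=yes -o BatchMode=yes' "$ssh_bin"
    else
        echo "warning: $ssh_bin has no NONE cipher, staying encrypted" >&2
        printf '%s -o BatchMode=yes' "$ssh_bin"
    fi
}

# Push one backup directory. The backup server's sshd must also be an
# HPN-SSH build with "NoneEnabled yes" in its sshd_config.
push_backup() {
    local src="$1" dest="$2" ssh_bin="${3:-ssh}"
    rsync -a --partial -e "$(rsync_transport "$ssh_bin")" "$src" "$dest"
}

# Usage (constructed host and paths):
#   push_backup /var/backups/ backup@backupserver.example:/srv/backups/host01/
```

Because the payload is readable by anyone on the path, this only fits a trusted backup network or backups that are already encrypted at rest before transfer.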
