Actually, I don't think we need more than one PRNG for the whole server. I will add a wrapper around the random factories to use a single instance of the PRNG instead of creating a new one each time, as it seems quite expensive.

Wrt performance, I guess one way to improve perfs would be to make sure you use the fastest algorithms. For example, try using DHG1 instead of DHG14 (it uses smaller keys, hence faster big integer computations afaik); Blowfish seems the fastest Cipher (not sure about the Mac). If you configure the SSHD server to only use those algorithms, you may be able to improve perfs.

On Thu, Feb 5, 2009 at 22:56, Shawn Pearce <[email protected]> wrote:
> I've gotten complaints from Gerrit users that the SSH port is horribly
> slow. An operation that normally takes 30 seconds through OpenSSH could
> take 30 minutes on Gerrit, which uses MINA SSHD for its SSH port.
>
> More specifically, this operation is opening and closing over 120 unique SSH
> connections in rapid succession. One of the large bottlenecks in SSHD was
> the use of SecureRandom.generateSeed() on every request. I suspect the Sun
> JRE is reading /dev/random on each call, and the kernel just doesn't have
> enough entropy on hand so it blocks and waits for more.
>
> https://issues.apache.org/jira/browse/SSHD-13 has a patch which obtains a
> new seed every 100 requests, and in between uses a PRNG instead. It cuts
> quite a bit off the wall-clock time.
>
>
> With this patch in place, SSHD is now about 2x slower than OpenSSH. The
> remaining bottleneck appears to be Sun's BigInteger.modPow() function, used
> by BouncyCastle during the DH key exchange. That single method is 60% of
> the running time for a setup-exec-close done over 600 times as quickly as
> possible.
>

--
Cheers,
Guillaume Nodet
------------------------
Blog: http://gnodet.blogspot.com/
------------------------
Open Source SOA
http://fusesource.com
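
A sketch of the two ideas discussed in this thread, one PRNG instance shared by the whole server and a fresh seed only every 100 requests, written as an added Java example. It is not code from MINA SSHD or from the SSHD-13 patch; the class name `SharedRandom`, its methods and the 8-byte seed size are assumptions.

```java
import java.security.SecureRandom;
import java.util.concurrent.atomic.AtomicLong;

// Hypothetical class for illustration; not part of MINA SSHD or the SSHD-13 patch.
public final class SharedRandom {
    // Fresh seed every 100 requests, the interval the quoted message gives for the patch.
    private static final int RESEED_INTERVAL = 100;
    private static final int SEED_BYTES = 8; // assumed seed size

    private static final SharedRandom INSTANCE = new SharedRandom();

    // SecureRandom is thread-safe, so one instance can serve every session.
    private final SecureRandom prng = new SecureRandom();
    private final AtomicLong requests = new AtomicLong();
    private final AtomicLong reseeds = new AtomicLong();

    private SharedRandom() { }

    public static SharedRandom get() { return INSTANCE; }

    public void fill(byte[] buf) {
        if (requests.incrementAndGet() % RESEED_INTERVAL == 0) {
            // generateSeed() may block while the OS gathers entropy, so it is
            // called once per interval rather than on every request.
            // setSeed() supplements the existing state; it does not replace it.
            prng.setSeed(prng.generateSeed(SEED_BYTES));
            reseeds.incrementAndGet();
        }
        prng.nextBytes(buf);
    }

    public long reseedCount() { return reseeds.get(); }

    public static void main(String[] args) {
        byte[] cookie = new byte[16];
        long start = System.nanoTime();
        for (int i = 0; i < 600; i++) { // 600 runs, as in the quoted measurement
            SharedRandom.get().fill(cookie);
        }
        long ms = (System.nanoTime() - start) / 1_000_000;
        System.out.println("600 requests, " + SharedRandom.get().reseedCount()
                + " reseeds, " + ms + " ms");
    }
}
```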
