Somewhere along learning how to build my own blog and LAMP stack, I stumbled across HPN-SSH – a project to improve network performance in SCP file transfers. You can read more about it here.
This is how you can install it:
Install required software for compiling and patching OpenSSH/HPN-SSH:
    yum install zlib zlib-devel pam pam-devel openssl openssl-devel gcc patch make
Download latest versions of OpenSSH portable and HPN-SSH patch into /usr/src:
    cd /usr/src
    wget http://www.thirdechelon.org/downloads/openssh-6.6p1-hpnssh14v5.diff.gz
    wget http://www.thirdechelon.org/downloads/openssh-6.6p1.tar.gz
Extract OpenSSH:
    tar -xzvf openssh-6.6p1.tar.gz
Change directory in extracted folder and apply patch:
    cd openssh-6.6p1
    zcat /usr/src/openssh-6.6p1-hpnssh14v5.diff.gz | patch
Configure OpenSSH:
    ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam
Remove old config files to prevent any conflicts:
    rm /etc/ssh/ssh_config
    rm /etc/ssh/sshd_config
Compile and install:
    make
    make install
Now we have the newest version of OpenSSH installed and patched with the improvements from HPN-SSH; however we still need to make some changes to the /etc/ssh/sshd_config to take advantage of them. Near the bottom of your config file you will see a section for HPN related options; I used the following options from other guides I found:
    # the following are HPN related configuration options
    # tcp receive buffer polling. disable in non autotuning kernels
    TcpRcvBufPoll yes

    # allow the use of the none cipher
    #NoneEnabled no

    # disable hpn performance boosts.
    #HPNDisabled no

    # buffer size for hpn to non-hpn connections
    HPNBufferSize 16384
Another important thing to note is that the new sshd config file will reset some of your options like PermitRootLogin so be sure to check those. On my system the SyslogFacility option was commented out so the ssh related messages were logged to /var/log/messages instead of /var/log/secure; this subsequently broke my fail2ban setup since fail2ban was looking for failed authentications in /var/log/secure. To fix this I had to change the SyslogFacility option to:
    SyslogFacility AUTHPRIV
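A quick way to catch the reset options described above before restarting sshd, as an added example that is not part of the original post. The function names and the sample config are constructed for illustration, and the check only reads global settings (it stops at the first Match block).

```shell
#!/bin/sh
# Added example (not from the original post): audit a freshly installed sshd_config.

# Print the effective global value of a keyword. sshd uses the first
# uncommented occurrence and keywords are case-insensitive; scanning stops
# at the first Match block. Prints nothing when the keyword is unset.
sshd_effective() {
    awk -v key="$1" '
        $1 ~ /^#/                   { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$2"
}

# Check the directives this page discusses; returns the number of findings.
audit_sshd_config() {
    cfg=$1
    findings=0
    v=$(sshd_effective SyslogFacility "$cfg" | tr 'a-z' 'A-Z')
    if [ "$v" != "AUTHPRIV" ]; then
        echo "SyslogFacility=${v:-unset}: sshd will not log to the AUTHPRIV facility"
        findings=$((findings + 1))
    fi
    v=$(sshd_effective PermitRootLogin "$cfg" | tr 'A-Z' 'a-z')
    if [ -z "$v" ] || [ "$v" = "yes" ]; then
        echo "PermitRootLogin=${v:-unset}: review it, the reinstall may have reset it"
        findings=$((findings + 1))
    fi
    v=$(sshd_effective NoneEnabled "$cfg" | tr 'A-Z' 'a-z')
    if [ "$v" = "yes" ]; then
        echo "NoneEnabled=yes: the none cipher is allowed"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample resembling a freshly installed config (not a real file).
sample=$(mktemp)
cat > "$sample" <<'EOF'
#SyslogFacility AUTH
#PermitRootLogin yes
TcpRcvBufPoll yes
#NoneEnabled no
HPNBufferSize 16384
EOF
audit_sshd_config "$sample" || echo "findings: $?"
rm -f "$sample"
```

To check the live file, call audit_sshd_config /etc/ssh/sshd_config; a return status of 0 means none of the three settings were flagged.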
Don’t forget to restart sshd when you’re finished:
    service sshd restart