From mboxrd@z Thu Jan  1 00:00:00 1970
From: Anil Madhavapeddy <anil@recoil.org>
Subject: Re: [RFC][PATCH] Secure XML-RPC for Xend
Date: Fri, 9 Jun 2006 09:54:44 +0100
Message-ID: <20060609085443.GA28541@fork.recoil.org>
References: <4488D93D.7070303@us.ibm.com>
	<20060609083434.GA19035@fork.recoil.org>
	<20060609084147.GH31509@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Return-path: <xen-devel-bounces@lists.xensource.com>
Content-Disposition: inline
In-Reply-To: <20060609084147.GH31509@redhat.com>
List-Unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xensource.com>
List-Help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-Subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
Sender: xen-devel-bounces@lists.xensource.com
Errors-To: xen-devel-bounces@lists.xensource.com
To: Daniel Veillard <veillard@redhat.com>
Cc: xen-devel <xen-devel@lists.xensource.com>, Ewan Mellor <ewan@xensource.com>
List-Id: xen-devel@lists.xenproject.org

On Fri, Jun 09, 2006 at 04:41:48AM -0400, Daniel Veillard wrote:
> 
>    SSH authentication is really expensive especially when you compare to
> other cost in the XML-RPC. I would really like some persistency
> of the connection if possible, especially for operations like monitoring,
> it's okay to reopen from time to time, but without reuse it would just not
> work.

Yes, but the right place to do it is not in Xend.  The auth caching
can be set up outside of Xend much more robustly depending on your
version of OpenSSH.  If done in Xend, then it definitely needs to
use the wildcard support in ControlPath to avoid the authentication
race condition, and an OpenSSH version check.

As Ian says, stunnel/SSL is probably easier from the client's point
of view (although I do like the easier SSH key management this patch
allows).

Anil