OpenVAS Change Request #53: Remove Support for Shared Sockets
Status: Voted +4. Done as of SVN rev. 11046. Will be first released with OpenVAS Scanner 3.3.0.
Remove support for the shared socket concept used for SSH access.
NVTs that use SSH connections to perform Local Security Checks (LSCs) currently do so through a so-called shared socket. The idea is that the first NVT that needs an SSH connection establishes it and stores a reference to the underlying socket in the knowledge base (KB); subsequent NVTs then look up and reuse that socket instead of opening their own separate connections.
While this idea is commendable, it has a number of drawbacks:
- The object that really should be shared here is the SSH session, not the raw network socket. Sharing the socket forces every NVT that uses it to handle low-level SSH connection and session management itself, which complicates the connection handling.
- The concept breaks down and crashes parts of the Scanner when a target has more than one SSH port for which the LSC credentials work.
- The shared socket can only be used by one NVT at a time, so all other NVTs that need it have to wait for the socket to become available again; the LSCs are effectively serialized.
- Keeping track of the shared sockets adds communication overhead between the Scanner processes doing the scanning and their parent process.
With this in mind we propose removing the use of shared sockets from SSH-based LSCs. Since this is the only place where shared sockets are used, the then-superfluous shared socket support code in the OpenVAS Scanner and the OpenVAS Libraries can, and should, be removed entirely as well.
Tests have shown that removing the use of shared sockets for SSH connections on the NASL side (which can be done experimentally using the patch attached to this mail) makes a "Full and fast" scan with LSCs take considerably less time. Scans of a single system took only a third of the time needed with shared sockets enabled.
Most of the speed-up is probably due to the parallelization of the LSCs: since they no longer have to wait for the shared socket, they can run concurrently.
A side effect is that running LSCs concurrently increases the load on the target system; however, even the additional load of multiple concurrent LSCs was very small and should be negligible in practice. Multiple concurrent SSH connections could, in theory, also trigger some very old firewalls.
These side effects are, however, general effects of running checks concurrently rather than specific to this change, and they can be mitigated by lowering the Scanner preference that limits the number of concurrent checks.
Design and Implementation
A first change would be removing the use of shared sockets from the ssh_func.inc NASL function library, as was done for the proof-of-concept patch mentioned above.
Once that is done, a number of code paths in OpenVAS Libraries and OpenVAS Scanner are no longer needed and can subsequently be removed.
- 2011-05-31 Jan-Oliver Wagner <jan-oliver.wagner at greenbone dot net>:
Marked as done.
- 2011-05-19 Michael Wiegand <michael.wiegand at greenbone dot net>:
Updated with voting results.
- 2011-04-29 Michael Wiegand <michael.wiegand at greenbone dot net>: