Thursday, May 31, 2018

OPENSSH 7.1 (7.1.102.1100) -- issues






1. Addition of ciphers using the “+” sign

After adding the line below to sshd_config:

Ciphers  + blowfish-cbc,arcfour256,arcfour128

#ssh -vv test123

debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctrchacha20-poly1305@openssh.com,,blowfish-cbc,arcfour256,arcfour128
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctrchacha20-poly1305@openssh.com,,blowfish-cbc,arcfour256,arcfour128

The issue seems to be the double comma, which prevents the ciphers from working.

2. Unsupported ciphers showing in the OPENSSH package itself

List of supported ciphers in the OPENSSH 7.1 package:

$ssh -Q cipher
3des-cbc
blowfish-cbc
cast128-cbc
arcfour
arcfour128
arcfour256
aes128-cbc
aes192-cbc
aes256-cbc
aes128-ctr
aes192-ctr
aes256-ctr


As per the sshd_config man page, the default cipher list is:


chacha20-poly1305@openssh.com, aes128-ctr,aes192-ctr,aes256-ctr, aes256-gcm@openssh.com 



Connectivity result before applying the Ciphers

$ ssh -vv test123
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctrchacha20-poly1305@openssh.com, >>>List of ciphers supported by default by OPENSSH7.1
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctrchacha20-poly1305@openssh.com,

It appears to me that the default cipher list that OPENSSH 7.1 supports is different from what we see in the man page of sshd_config. The “aes256-gcm@openssh.com” cipher doesn’t exist in the default cipher list when we do a connectivity test.

The cipher list below was added as per references from different sites.

Ciphers blowfish-cbc,aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.com


Working Configuration



But when we tried the option below, after removing the gcm ciphers, it worked.

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com,aes256-cbc,3des-cbc


Common errors:

Unable to negotiate with x.x.x.x.: no matching cipher found. Their offer: aes128-cbc,blowfish-cbc,3des-cbc lost connection

Solution) Add the line below to the sshd_config configuration file:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com,aes256-cbc,3des-cbc,blowfish-cbc

Stop and start the ssh services.

Error 2) Sometimes passwordless authentication or the authentication negotiation happens using only DSA keys, and then it fails?
Ans) In OpenSSH 7, DSA keys are disabled by default, which means that any key negotiation or connection that uses only DSA keys will fail. In this scenario, first validate the connectivity using ssh -vv <server-name> and check which keys it is accepting, to confirm the exact issue.

Add the lines below to sshd_config to allow DSA keys:

HostKeyAlgorithms +ssh-dss 

PubkeyAcceptedKeyTypes +ssh-dss 

Stop and start the sshd services.

Test the connectivity.
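A pre-flight check for the Ciphers values used in this post, as an added example that is not part of the original post: it flags empty elements (the `,,` seen in the debug2 output), names absent from a supported list, and CBC/arcfour entries that fall outside the man page's default list. `check_cipher_list` and `SAMPLE_SUPPORTED` are hypothetical names; the sample list is copied from the `ssh -Q cipher` output above.

```shell
#!/bin/sh
# Added example (not from the original post): lint a Ciphers value before
# it goes into sshd_config. Function and variable names are hypothetical.

# Sample list: the `ssh -Q cipher` output shown earlier on this page.
# On a live host use "$(ssh -Q cipher)" instead.
SAMPLE_SUPPORTED="3des-cbc
blowfish-cbc
cast128-cbc
arcfour
arcfour128
arcfour256
aes128-cbc
aes192-cbc
aes256-cbc
aes128-ctr
aes192-ctr
aes256-ctr"

# check_cipher_list VALUE [SUPPORTED]
# Prints one finding per line. Returns 1 on an empty element or a name
# missing from SUPPORTED, else 0. LEGACY findings are informational.
check_cipher_list() {
    list=${1#+}                 # "+" prefix = append to the defaults
    supported=${2:-$SAMPLE_SUPPORTED}
    rc=0
    # An empty element is what the ",," in the debug2 output above shows.
    case ",$list," in
        *,,*) echo "EMPTY: doubled, leading or trailing comma"; rc=1 ;;
    esac
    old_ifs=$IFS
    IFS=,
    for name in $list; do
        [ -n "$name" ] || continue
        if ! printf '%s\n' "$supported" | grep -qxF -- "$name"; then
            echo "UNSUPPORTED: $name"
            rc=1
            continue
        fi
        # CBC and arcfour names are outside the man page's default list.
        case $name in
            arcfour*|*-cbc) echo "LEGACY: $name" ;;
        esac
    done
    IFS=$old_ifs
    return $rc
}
```

On a live host, pass `"$(ssh -Q cipher)"` as the second argument, and run `sshd -t` against the edited file before restarting the service.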

AIX - CPU Utilization -Some points

CPU Utilization in AIX
======================

In our example, we will try to understand how the CPU entitlement parameters actually work in AIX.

Let us try to understand this through different scenarios.

Take the example below:


Mode                  : Uncapped
Entitled Capacity     : 3.00
Online Virtual CPUs   : 20
Maximum Virtual CPUs  : 30
Minimum Virtual CPUs  : 2
Minimum Capacity      : 1.00
Maximum Capacity      : 10.00


Entitled Capacity: this LPAR is entitled/guaranteed to get 3 CPUs.
Minimum Capacity: the minimum requirement to start this LPAR is 1 CPU.
Maximum Capacity: the maximum entitlement for this LPAR is 10 CPUs.

Ques) What actually is Maximum Capacity, and how does it work?
Ans) The Maximum Capacity parameter comes into the picture when we talk about DLPAR operations. It means that we can increase the Entitled Capacity online up to the Maximum Capacity value, i.e. in this scenario to 10.
Maximum entitlement doesn't have any relation to the CPU utilization of the LPAR. People often have the misconception that this is the maximum value up to which the CPU utilization of the LPAR can go.

Ques) In this scenario, what is the maximum CPU utilization this LPAR can achieve?
Ans) This LPAR is uncapped, which means that it can go up to the maximum limit as per the configuration and requirement, provided that the CPU pools have enough free CPU.
When we say it can go up to the maximum limit as per the configuration, the "online virtual CPUs" value comes into the picture. As we know, a virtual CPU uses the power of 1 CPU as required. The maximum CPU utilization of this LPAR depends on the value of "online virtual CPUs" and the free CPUs available in the CPU pools.
In this scenario, the CPU utilization of this LPAR can go up to a maximum of 20 CPUs, provided that there are enough CPU resources in the CPU pool.


Taking the same scenario, but with the CPU mode set to "capped":


Mode                  : capped
Entitled Capacity     : 3.00
Online Virtual CPUs   : 20
Maximum Virtual CPUs  : 30
Minimum Virtual CPUs  : 2
Minimum Capacity      : 1.00
Maximum Capacity      : 10.00



Ques) In this scenario, what is the maximum CPU utilization this LPAR can achieve?
Ans) The CPU mode for this LPAR is capped, which means that in any case it can't go above the Entitled Capacity. In this case, the Entitled Capacity is 3 CPUs, which means the CPU utilization of this LPAR can't go beyond 3 CPUs.

Wednesday, May 30, 2018

NMON- Analyzing Memory Usage



Recently, I got a request from the application team to clarify the AIX memory utilization. After going through a lot of documentation, this was what I was able to understand.





Total virtual: 36 GB  >>> this is the total memory allocated, which includes physical memory and paging space.
Accessed virtual: 16.3 GB  >>> active virtual pages in memory (including paging space + real memory), which comes to around 45.3%.

In AIX Virtual Memory Management, free memory is used for cache, and whenever an application requests memory, it is freed automatically.

In our latest report, the physical memory consumption is as below.

%used = 93.7%  >>> this is the total physical memory used out of 32 GB (i.e. process + system + cache)

Note: This will always be high in AIX, as it includes the cache as well.

%free = 6.3%


This section of NMON shows how the physical memory is used and how it is broken down (refer to the screenshot attached below).




Numperm (cache) = 41.9%  >>> this is used for cache purposes (filesystem cache etc.) for better performance, and is freed up automatically by the operating system when an application requests memory.
Process         = 40.4%  >>> this much of the 32 GB of physical memory is used by application processes.
System          = 11.4%  >>> this much of the 32 GB is used by the operating system processes.
Free            = 6.3%   >>> this is the free physical memory available out of 32 GB.


Basically, when we talk about performance we consider only “process+system”. If this is above 90-95%, then we can see a performance impact.