SSH tunnel support

Questions about YourKit Java Profiler
plethora
Posts: 314
Joined: Thu Jun 02, 2005 8:36 pm

SSH tunnel support

Post by plethora »

Often the target server is in a datacenter with strict connectivity limitations.
Using an SSH tunnel is often easier than requesting the opening up of specific ports for YourKit.

I can manually set up an SSH tunnel, but it would be convenient if YourKit supported this in the GUI.
IntelliJ added a similar feature for database connections a few years ago:
http://youtrack.jetbrains.com/issue/IDEA-90973
Anton Katilin
Posts: 6172
Joined: Wed Aug 11, 2004 8:37 am

Re: SSH tunnel support

Post by Anton Katilin »

Hi,

Thanks for the suggestion. We'll add a feature request.

Do you want the tunnel parameters to be configured at the agent side with startup options, i.e. similar to "port="?

Best regards,
Anton
plethora
Posts: 314
Joined: Thu Jun 02, 2005 8:36 pm

Re: SSH tunnel support

Post by plethora »

Hi Anton,
This would rather be a client-side feature, with UI support for configuration. No changes in agent should be required.
The assumption is that the application is running on a remote server, but the port on which the agent is listening is not accessible from outside.

However, the server is running an SSH daemon. On the client/GUI side, two things would be implemented:
* support to set up and use an SSH tunnel, providing a secure connection over which the client would connect to the agent
* GUI support (in the "Connect To Remote Application" dialog) to enter an ssh username and password for the remote system

At the moment, I can do this manually, by setting up an SSH tunnel from the workstation to the target server, using a command like this, and then connecting to local port 10001:
ssh -f user@server -L 10001:server:10001 -N

The idea is to embed this into the YK client, streamlining this use case (which is quite common). There are pure-Java libraries to do this, used by IDEA for a similar feature (connecting to a remote database over an SSH tunnel).
plethora
Posts: 314
Joined: Thu Jun 02, 2005 8:36 pm

Re: SSH tunnel support

Post by plethora »

Ideally, the SSH tunnel configuration would be remembered, or stored, so that I can later connect to the same machine without re-entering the details.
plethora
Posts: 314
Joined: Thu Jun 02, 2005 8:36 pm

Re: SSH tunnel support

Post by plethora »

Here's an old discussion thread where tunneling YourKit connections through SSH is discussed:
http://forums.yourkit.com/viewtopic.php?f=3&t=281

And a blog post describing the steps to set this up:
http://kevingann.blogspot.nl/2013/04/pr ... tance.html

The idea is to make this an as-easy-as-possible single-click (tm) experience, not even requiring an ssh client (if on Windows).
Anton Katilin
Posts: 6172
Joined: Wed Aug 11, 2004 8:37 am

Re: SSH tunnel support

Post by Anton Katilin »

Hi,

Thank you for collecting this information.

I've added a feature request. I hope we'll implement it in the v2014 time frame.

Best regards,
Anton
plethora
Posts: 314
Joined: Thu Jun 02, 2005 8:36 pm

Re: SSH tunnel support

Post by plethora »

Looking forward to trying it.
Initially, ssh username/password support would be sufficient.
Later support for SSH certificates or Kerberos could be added, which are sometimes used in corporate environments.
Anton Katilin
Posts: 6172
Joined: Wed Aug 11, 2004 8:37 am

Re: SSH tunnel support

Post by Anton Katilin »

Hi Taras,

Build 14028 adds SSH tunnel support in UI:
http://www.yourkit.com/eap

Your feedback is much appreciated.

Best regards,
Anton
plethora
Posts: 314
Joined: Thu Jun 02, 2005 8:36 pm

Re: SSH tunnel support

Post by plethora »

Hi Anton,

Worked just as expected the first time I tried. Thanks for implementing this.
User interface seems basic but clear to me.

Kind regards,
Taras
Anton Katilin
Posts: 6172
Joined: Wed Aug 11, 2004 8:37 am

Re: SSH tunnel support

Post by Anton Katilin »

Hi Taras,

FYI: we've just released 14032 with improvements to the remote profiling UI:
http://www.yourkit.com/eap

Best regards,
Anton
plethora
Posts: 314
Joined: Thu Jun 02, 2005 8:36 pm

Re: SSH tunnel support

Post by plethora »

Hi Anton,
I'm probably staring right at it, but what exactly are the connection UI differences between 14030 and 14032?
Anton Katilin
Posts: 6172
Joined: Wed Aug 11, 2004 8:37 am

Re: SSH tunnel support

Post by Anton Katilin »

Hi Taras,

In general, the UI functionality remained the same. The changes are mostly cosmetic: refined messages, component layout, dialog titles etc.

Best regards,
Anton
plethora
Posts: 314
Joined: Thu Jun 02, 2005 8:36 pm

Re: SSH tunnel support

Post by plethora »

Ah, I see.
Are you planning to implement additional SSH features for the YK14 release?
Key-based authentication would be an obvious one, and Kerberos support (through GSSAPI) would be nice as well.
Anton Katilin
Posts: 6172
Joined: Wed Aug 11, 2004 8:37 am

Re: SSH tunnel support

Post by Anton Katilin »

Hi Taras,

Yes, we are ready to add more functionality to the SSH support.
plethora wrote: Key-based authentication would be an obvious one
As far as I understand, we'll need to supply the library with the private key file, which is ~/.ssh/id_rsa by default.

We can add the second text field below the connection URL:

For SSH: private key file (leave blank if not used):
[<enter key file path here>]

If the file is specified, it will be used. Otherwise the password will be asked. If it's not an SSH connection (i.e. no "user@" specified) the field will be ignored.

Will this UI work?

What about keys requiring a passphrase? Are they important?
plethora wrote: Kerberos support (through GSSAPI) would be nice as well
How important is this?

Best regards,
Anton
plethora
Posts: 314
Joined: Thu Jun 02, 2005 8:36 pm

Re: SSH tunnel support

Post by plethora »

Hi Anton,
Anton Katilin wrote:As far as I understand, we'll need to supply the library with the private key file, which is ~/.ssh/id_rsa by default.
We can add the second text field below the connection URL:

For SSH: private key file (leave blank if not used):
[<enter key file path here>]

If the file is specified, it will be used. Otherwise the password will be asked. If it's not an SSH connection (i.e. no "user@" specified) the field will be ignored.

Will this UI work?
I assume the path field will have a button that launches an "Open File" dialog?
It sounds Spartan but workable. In most cases the user is connecting to the same machine for remote profiling, so the default value in this field will be fine.

However, in the (unlikely?) scenario where some machines are accessed by password, and others by key, it might be a bit clumsy, requiring the user to clear the field. But perhaps I'm over-thinking it.

Please also take a look at tools like WinSCP, Putty and IDEA to see how the SSH authentication options are presented in terms of user interface.
Anton Katilin wrote:What about keys requiring a passphrase? Are they important?
I'm not an SSH "power-user". The keys I've been using typically have not been passphrase-protected.
Anton Katilin wrote:
plethora wrote: Kerberos support (through GSSAPI) would be nice as well
How important is this?
It's less important than the features above. In some environments Kerberos is used as a single-sign-on system.
Java has GSSAPI support these days, perhaps it's not too hard to implement. But, feel free to put it on the backlog until a second user requests it.

Kind regards,
Taras
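
As an added example (not from the thread and not YourKit code), this covers both the manual tunnel command quoted earlier and the key-file option discussed in the last posts: a shell helper that validates its inputs and prints the ssh invocation with the listener pinned to loopback, host-key checking enforced, and an optional private key. The function names and the sample user, host and key path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not part of YourKit or OpenSSH.

# is_port N: succeeds only for a decimal integer in 1..65535.
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_tunnel_cmd USER HOST LOCAL_PORT AGENT_PORT [KEY_FILE]
# Prints the ssh command for review; returns 2 on rejected input.
build_tunnel_cmd() {
    user=$1 host=$2 lport=$3 aport=$4 key=${5:-}
    for v in "$user" "$host"; do
        case "$v" in
            # A leading "-" would be parsed by ssh as an option, so refuse it.
            ''|-*|*[!A-Za-z0-9._-]*)
                echo "rejected user/host: $v" >&2; return 2 ;;
        esac
    done
    if ! is_port "$lport" || ! is_port "$aport"; then
        echo "ports must be in 1..65535" >&2; return 2
    fi
    # Fail instead of silently running without the forward, and refuse
    # servers whose host key is not already in known_hosts.
    opts="-f -N -o ExitOnForwardFailure=yes -o StrictHostKeyChecking=yes"
    if [ -n "$key" ]; then
        case "$key" in
            -*|*[!A-Za-z0-9._/-]*)
                echo "rejected key path: $key" >&2; return 2 ;;
        esac
        # Offer only the named key rather than every key the agent holds.
        opts="$opts -i $key -o IdentitiesOnly=yes"
    fi
    # Bind the local end to 127.0.0.1 so other machines cannot reach the
    # forwarded profiler port through this workstation.
    printf 'ssh %s -L 127.0.0.1:%s:%s:%s %s@%s\n' \
        "$opts" "$lport" "$host" "$aport" "$user" "$host"
}

# Constructed sample values: user "user", host "server", agent port 10001.
build_tunnel_cmd user server 10001 10001 /home/user/.ssh/id_rsa
```

With no key file argument the printed command falls back to whatever authentication ssh negotiates, including the password prompt.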