Date: Tue, 10 Nov 2015 16:40:42 -0800 From: Bryan Drewery <bdrewery@FreeBSD.org> To: =?UTF-8?Q?Dag-Erling_Sm=c3=b8rgrav?= <des@des.no>, freebsd-current@freebsd.org, freebsd-security@freebsd.org Subject: Re: OpenSSH HPN Message-ID: <56428E8A.3090201@FreeBSD.org> In-Reply-To: <86io5a9ome.fsf@desk.des.no> References: <86io5a9ome.fsf@desk.des.no>
next in thread | previous in thread | raw e-mail | index | archive | help
On 11/10/15 1:42 AM, Dag-Erling Sm=C3=B8rgrav wrote: > Some of you may have noticed that OpenSSH in base is lagging far behind > the upstream code. >=20 > The main reason for this is the burden of maintaining the HPN patches. > They are extensive, very intrusive, and touch parts of the OpenSSH code > that change significantly in every release. Since they are not > regularly updated, I have to choose between trying to resolve the > conflicts myself (hoping I don't break anything) or waiting for them to > catch up and then figuring out how to apply the new version. >=20 > Therefore, I would like to remove the HPN patches from base and refer > anyone who really needs them to the openssh-portable port, which has > them as a default option. I would also like to remove the NONE cipher > patch, which is also available in the port (off by default, just like i= n > base). >=20 > DES >=20 I had this same problem as well, but have since reworked the HPN patch for ports to be more easily maintained. I've considered offering or just updating the base SSH, but have not since we have random changes in the HPN functionality in base that would be lost. We for some reason decided we were going to maintain our own version and not even upstream the changes to the HPN authors which has contributed to this situation. Anyway, reverting the base SSH to stock, and then importing all patches from the ports default version should result in the same base patches applied and a working HPN. I've kept the port version up-to-date with all base changes applied as well (short of HPN customizations we made that are not worth keeping) A lot of people pressured me to remove HPN as default from the port (during times that I was too busy to rework the patch for the latest OpenSSH) but I persisted in keeping it due to it being enabled in base. If we really remove it from base I may disable it in the port as well as a default. I personally find the feature worth keeping. Seeing recent benchmarks would be a good idea, but the overall patch is quite simple and non-complex. It's now split up with defines for each feature so they can be disabled at compile time. See /usr/ports/security/openssh-portable/files/extra-patch-hpn. There is HPN_ENABLED and NONE_CIPHER_ENABLED. It's really quite a simple and small patch after removing all of the bogus changes (which I did upstream, and did apply to the base HPN as well) and the logging changes (which were far too intrusive to maintain). --=20 Regards, Bryan Drewery
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?56428E8A.3090201>