Date:      Tue, 10 Nov 2015 16:40:42 -0800
From:      Bryan Drewery <bdrewery@FreeBSD.org>
To:        Dag-Erling Smørgrav <des@des.no>, freebsd-current@freebsd.org, freebsd-security@freebsd.org
Subject:   Re: OpenSSH HPN
Message-ID:  <56428E8A.3090201@FreeBSD.org>
In-Reply-To: <86io5a9ome.fsf@desk.des.no>
References:  <86io5a9ome.fsf@desk.des.no>

On 11/10/15 1:42 AM, Dag-Erling Smørgrav wrote:
> Some of you may have noticed that OpenSSH in base is lagging far behind
> the upstream code.
>
> The main reason for this is the burden of maintaining the HPN patches.
> They are extensive, very intrusive, and touch parts of the OpenSSH code
> that change significantly in every release.  Since they are not
> regularly updated, I have to choose between trying to resolve the
> conflicts myself (hoping I don't break anything) or waiting for them to
> catch up and then figuring out how to apply the new version.
>
> Therefore, I would like to remove the HPN patches from base and refer
> anyone who really needs them to the openssh-portable port, which has
> them as a default option.  I would also like to remove the NONE cipher
> patch, which is also available in the port (off by default, just like in
> base).
>
> DES
>

I had this same problem as well, but have since reworked the HPN patch
for ports to be more easily maintained.  I've considered offering or
just updating the base SSH, but have not since we have random changes in
the HPN functionality in base that would be lost.  We for some reason
decided we were going to maintain our own version and not even upstream
the changes to the HPN authors which has contributed to this situation.

Anyway, reverting the base SSH to stock, and then importing all patches
from the ports default version should result in the same base patches
applied and a working HPN.  I've kept the port version up-to-date with
all base changes applied as well (short of HPN customizations we made
that are not worth keeping).  A lot of people pressured me to remove HPN
as default from the port (during times that I was too busy to rework the
patch for the latest OpenSSH) but I persisted in keeping it due to it
being enabled in base.  If we really remove it from base I may disable
it in the port as well as a default.

I personally find the feature worth keeping.  Seeing recent benchmarks
would be a good idea, but the overall patch is quite simple and
non-complex.  It's now split up with defines for each feature so they
can be disabled at compile time.  See
/usr/ports/security/openssh-portable/files/extra-patch-hpn.  There is
HPN_ENABLED and NONE_CIPHER_ENABLED.  It's really quite a simple and
small patch after removing all of the bogus changes (which I did
upstream, and did apply to the base HPN as well) and the logging changes
(which were far too intrusive to maintain).

--
Regards,
Bryan Drewery