Date: Wed, 29 May 2013 14:50:52 +0200 From: Pawel Jakub Dawidek <pjd@FreeBSD.org> To: Dag-Erling =?iso-8859-1?Q?Sm=F8rgrav?= <des@des.no> Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org, bdrewery@freebsd.org Subject: Re: svn commit: r251088 - head/crypto/openssh Message-ID: <20130529125052.GA1383@garage.freebsd.pl> In-Reply-To: <86zjve3qv2.fsf@nine.des.no> References: <201305290019.r4T0JxLE011755@svn.freebsd.org> <20130529070952.GA1400@garage.freebsd.pl> <86zjve3qv2.fsf@nine.des.no>
next in thread | previous in thread | raw e-mail | index | archive | help
[-- Attachment #1 --] On Wed, May 29, 2013 at 02:36:17PM +0200, Dag-Erling Smørgrav wrote: > Pawel Jakub Dawidek <pjd@FreeBSD.org> writes: > > Which library is needed for AES-NI? I don't see any engine in /usr/lib/ > > that implements AES-NI support. Could you be more specific? > > Ah, you're right. Bryan (cc:ed) did the analysis and I misunderstood > his report. I just ran through the steps to reproduce the issue, and > what happens is that a CRIOGET ioctl cal (which is supposed to allocate > and return a file descriptor) fails due to setrlimit(RLIMIT_FSIZE, 0): > > 90344 sshd CALL setrlimit(RLIMIT_NOFILE,0x7fffffffca10) > 90344 sshd RET setrlimit 0 > [...] > 90344 sshd CALL ioctl(0x3,CRIOGET,0x7fffffffcb4c) > 90344 sshd RET ioctl -1 errno 24 Too many open files > > Note that you have to remove the setrlimit(RLIMIT_FSIZE, 0) call in > sandbox-rlimit.c to debug this, otherwise ktrace stops at that point: > > May 29 12:10:37 zoo2 kernel: ktrace write failed, errno 27, tracing stopped > > To reproduce: > > # ktrace -tcnstuy -di env LD_UTRACE=yes /usr/sbin/sshd -oUsePrivilegeSeparation=sandbox -Dddd -oPort=2222 -oListenAddress=localhost > > followed by > > % ssh -c aes128-cbc -p 2222 localhost > > on a machine with an AESNI-capable CPU and aesni.ko loaded. AES-NI doesn't have to go through kernel at all and doing so is much slower. Not sure if our OpenSSL version already has native AES-NI support. If not it would be best to upgrade it. This would fix AES-NI at least. Other crypto HW that do need kernel driver would still need something here. I wonder if CRIOGET can't be done before setting rlimit. How does it work on OpenBSD then? > > Also what is the exact difference between "sandbox" and "yes" settings? > > "sandbox" enables sandboxing (no surprise) which in FreeBSD's case means > a bunch of rlimit settings. I thought that simple "yes" setting does chroot to /var/empty, drops privileges to sshd user/group and sets rlimit? I'm trying to figure out the difference between those two settings. > > The reason I ask is because I plan to experiment with OpenSSH sandboxing > > to use Capsicum and Casper. > > You still have the patches I sent you? Probably somewhere in my INBOX. If you have them handy can you please resend them? -- Pawel Jakub Dawidek http://www.wheelsystems.com FreeBSD committer http://www.FreeBSD.org Am I Evil? Yes, I Am! http://mobter.com [-- Attachment #2 --] -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.20 (FreeBSD) iEYEARECAAYFAlGl+awACgkQForvXbEpPzSQ2QCg4Rd8ricVkUU7xRd+8/sEWdv3 TAwAoIJZDDC2W3fUllt4f62suXTzxWuu =a7Dr -----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20130529125052.GA1383>