From owner-freebsd-security@freebsd.org Tue Nov 10 09:42:54 2015
From: Dag-Erling Smørgrav
To: freebsd-current@freebsd.org, freebsd-security@freebsd.org
Subject: OpenSSH HPN
Date: Tue, 10 Nov 2015 10:42:49 +0100
Message-ID: <86io5a9ome.fsf@desk.des.no>

Some of you may have noticed that OpenSSH in base is lagging far behind
the upstream code.

The main reason for this is the burden of maintaining the HPN patches.
They are extensive, very intrusive, and touch parts of the OpenSSH code
that change significantly in every release. Since they are not
regularly updated, I have to choose between trying to resolve the
conflicts myself (hoping I don't break anything) or waiting for them to
catch up and then figuring out how to apply the new version.

Therefore, I would like to remove the HPN patches from base and refer
anyone who really needs them to the openssh-portable port, which has
them as a default option. I would also like to remove the NONE cipher
patch, which is also available in the port (off by default, just like in
base).
DES
-- 
Dag-Erling Smørgrav - des@des.no
From: Kubilay Kocak
Reply-To: koobs@FreeBSD.org
To: Dag-Erling Smørgrav, freebsd-current@freebsd.org, freebsd-security@freebsd.org
Subject: Re: OpenSSH HPN
Date: Tue, 10 Nov 2015 20:47:23 +1100
Message-ID: <5641BD2B.1090902@FreeBSD.org>
In-Reply-To: <86io5a9ome.fsf@desk.des.no>
References: <86io5a9ome.fsf@desk.des.no>

On 10/11/2015 8:42 PM, Dag-Erling Smørgrav wrote:
> Some of you may have noticed that OpenSSH in base is lagging far behind
> the upstream code.
>
> The main reason for this is the burden of maintaining the HPN patches.
> They are extensive, very intrusive, and touch parts of the OpenSSH code
> that change significantly in every release. Since they are not
> regularly updated, I have to choose between trying to resolve the
> conflicts myself (hoping I don't break anything) or waiting for them to
> catch up and then figuring out how to apply the new version.
>
> Therefore, I would like to remove the HPN patches from base and refer
> anyone who really needs them to the openssh-portable port, which has
> them as a default option. I would also like to remove the NONE cipher
> patch, which is also available in the port (off by default, just like in
> base).
>
> DES
>

I for one, support our new consistent-with-upstream, improved-productivity
and lower-risk-for-regressions-in-base overlords.
./koobs

From: Willem Jan Withagen
Organization: Digiware Management b.v.
To: Dag-Erling Smørgrav, freebsd-current@freebsd.org, freebsd-security@freebsd.org
Subject: Re: OpenSSH HPN
Date: Tue, 10 Nov 2015 10:58:28 +0100
Message-ID: <5641BFC4.7050208@digiware.nl>
In-Reply-To: <86io5a9ome.fsf@desk.des.no>
References: <86io5a9ome.fsf@desk.des.no>

On 10-11-2015 10:42, Dag-Erling Smørgrav wrote:
> Some of you may have noticed that OpenSSH in base is lagging far behind
> the upstream code.
>
> The main reason for this is the burden of maintaining the HPN patches.
> They are extensive, very intrusive, and touch parts of the OpenSSH code
> that change significantly in every release. Since they are not
> regularly updated, I have to choose between trying to resolve the
> conflicts myself (hoping I don't break anything) or waiting for them to
> catch up and then figuring out how to apply the new version.
>
> Therefore, I would like to remove the HPN patches from base and refer
> anyone who really needs them to the openssh-portable port, which has
> them as a default option. I would also like to remove the NONE cipher
> patch, which is also available in the port (off by default, just like in
> base).

Hi Des,

I know I've installed the ports once to see if, and how, I would be able
to add more IP-address info to some of the warnings and errors, and then
to get those errors recognised by tools like sshguard and fail2ban.
Only to find out that the code in that area in ports is completely
different from what is in base. And submitting "patches" for that, even
upstream, would be fairly useless.
So I understand the trouble you might have in getting other stuff in as
well. Getting the base version more in line with ports would be a real
good thing.

I guess you need to manage the fallout that there is going to be from
those that expect HPN to be in base, and now suffer performance issues.

--WjW

From: Dag-Erling Smørgrav
To: Willem Jan Withagen
Cc: freebsd-current@freebsd.org, freebsd-security@freebsd.org
Subject: Re: OpenSSH HPN
Date: Tue, 10 Nov 2015 11:55:28 +0100
Message-ID: <86a8qm9l9b.fsf@desk.des.no>
In-Reply-To: <5641BFC4.7050208@digiware.nl> (Willem Jan Withagen's message of "Tue, 10 Nov 2015 10:58:28 +0100")
References: <86io5a9ome.fsf@desk.des.no> <5641BFC4.7050208@digiware.nl>

Willem Jan Withagen writes:
> I know I've installed the ports once to see if, and how I would be
> able to add more IP-address info to some of the warnings and
> errors. And then to get those errors recognised by tools like sshguard
> and fail2ban.

Do you mean logging IP addresses instead of hostnames? Just turn off
UseDNS. It is off by default since 6.8.

If you mean adding IP addresses or hostnames to messages that don't
already have them, try suggesting it on the openssh-portable mailing
list (openssh-unix-dev@mindrot.org).
DES
-- 
Dag-Erling Smørgrav - des@des.no

From: Bob Bishop
To: Dag-Erling Smørgrav
Cc: freebsd-current@freebsd.org, freebsd-security@freebsd.org
Subject: Re: OpenSSH HPN
Date: Tue, 10 Nov 2015 10:56:01 +0000
Message-Id: <261DDEE0-B792-4715-A8EF-27E491122BD2@gid.co.uk>
In-Reply-To: <86io5a9ome.fsf@desk.des.no>
References: <86io5a9ome.fsf@desk.des.no>

Hi,

> On 10 Nov 2015, at 09:42, Dag-Erling Smørgrav wrote:
>
> […]
>
> Therefore, I would like to remove the HPN patches from base and refer
> anyone who really needs them to the openssh-portable port, which has
> them as a default option. I would also like to remove the NONE cipher
> patch, which is also available in the port (off by default, just like in
> base).

Can't argue with that. Is removing HPN going to impact the performance
of tunnelled X connexions?
> DES
> -- 
> Dag-Erling Smørgrav - des@des.no

--
Bob Bishop
rb@gid.co.uk

From: Willem Jan Withagen
Organization: Digiware Management b.v.
To: Dag-Erling Smørgrav
Cc: freebsd-security@freebsd.org, freebsd-current@freebsd.org
Subject: Re: OpenSSH HPN
Date: Tue, 10 Nov 2015 12:07:58 +0100
Message-ID: <5641D00E.501@digiware.nl>
In-Reply-To: <86a8qm9l9b.fsf@desk.des.no>
References: <86io5a9ome.fsf@desk.des.no> <5641BFC4.7050208@digiware.nl> <86a8qm9l9b.fsf@desk.des.no>

On 10-11-2015 11:55, Dag-Erling Smørgrav wrote:
> Willem Jan Withagen writes:
>> I know I've installed the ports once to see if, and how I would be
>> able to add more IP-address info to some of the warnings and
>> errors. And then to get those errors recognised by tools like sshguard
>> and fail2ban.
>
> Do you mean logging IP addresses instead of hostnames? Just turn off
> UseDNS. It is off by default since 6.8.

No, not really....

Digging in my logfiles...., and it's things like:
sshd[84942]: Disconnecting: Too many authentication failures [preauth]

So errors/warnings without IP-nr.

And I think I fixed it on one server to also write:
error: maximum authentication attempts exceeded for root from 173.254.203.88 port 1042 ssh2 [preauth]

Which is when I found out that upstreaming patches from base will be
hard, because the whole logging in the ports version is totally
different.

> If you mean adding IP addresses or hostnames to messages that don't
> already have them, try suggesting it on the openssh-portable mailing
> list (openssh-unix-dev@mindrot.org).

Are they still willing to accept changes to the old version that is
currently in base?
--WjW

From: Dag-Erling Smørgrav
To: Willem Jan Withagen
Cc: freebsd-security@freebsd.org, freebsd-current@freebsd.org
Subject: Re: OpenSSH HPN
Date: Tue, 10 Nov 2015 12:11:09 +0100
Message-ID: <86611a9kj6.fsf@desk.des.no>
In-Reply-To: <5641D00E.501@digiware.nl> (Willem Jan Withagen's message of "Tue, 10 Nov 2015 12:07:58 +0100")
References: <86io5a9ome.fsf@desk.des.no> <5641BFC4.7050208@digiware.nl> <86a8qm9l9b.fsf@desk.des.no> <5641D00E.501@digiware.nl>

Willem Jan Withagen writes:
> Digging in my logfiles...., and it's things like:
> sshd[84942]: Disconnecting: Too many authentication failures [preauth]
>
> So errors/warnings without IP-nr.
>
> And I think I fixed it on one server to also write:
> error: maximum authentication attempts exceeded for root from
> 173.254.203.88 port 1042 ssh2 [preauth]

fail2ban should catch both of these since sshd will print a message for
each failed authentication attempt before it prints a message about
reaching the limit.

> Are they still willing to accept changes to the old version that is
> currently in base?

No, why would they do that?
DES
-- 
Dag-Erling Smørgrav - des@des.no
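The two log shapes Willem quotes (a disconnect notice with no address, and a limit message that does carry one) together with Dag-Erling's point that sshd logs every failed attempt before the limit message suggest a simple defender-side correlation: attribute an address-less line to the client whose address the same sshd child PID logged earlier. The following is an added example written for this thread; it is not code from sshd, sshguard or fail2ban. The log lines in SAMPLE_LOG are constructed (TEST-NET addresses, made-up PIDs and hostname), and the names correlate() and offenders() are this example's own.

```python
"""Correlate sshd syslog lines so that messages without a source address
(e.g. "Disconnecting: Too many authentication failures [preauth]") can be
attributed to the client via the sshd child PID that logged earlier lines.
Added example; the log lines below are constructed, not real captures."""
import re
from collections import defaultdict

# Syslog prefix as sshd lines appear in a syslog file:
# "Nov 10 11:55:01 gw sshd[84942]: <msg>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s(?P<host>\S+)\s"
    r"sshd\[(?P<pid>\d+)\]:\s(?P<msg>.*)$"
)
# One line per failed attempt; carries user, address and port.
FAILED_RE = re.compile(
    r"^Failed (?:password|publickey|keyboard-interactive/pam|none) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)
# Limit reached; also carries the address (the form quoted in the thread).
MAXTRIES_RE = re.compile(
    r"^error: maximum authentication attempts exceeded for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)
# Disconnect notice without any address: attributable only via the PID.
NOADDR_RE = re.compile(r"^Disconnecting: Too many authentication failures")

# Constructed sample input (TEST-NET addresses, made-up PIDs).
SAMPLE_LOG = """\
Nov 10 11:55:01 gw sshd[84942]: Failed password for root from 203.0.113.7 port 1042 ssh2
Nov 10 11:55:03 gw sshd[84942]: Failed password for root from 203.0.113.7 port 1042 ssh2
Nov 10 11:55:05 gw sshd[84942]: Failed password for root from 203.0.113.7 port 1042 ssh2
Nov 10 11:55:06 gw sshd[84942]: error: maximum authentication attempts exceeded for root from 203.0.113.7 port 1042 ssh2 [preauth]
Nov 10 11:55:06 gw sshd[84942]: Disconnecting: Too many authentication failures [preauth]
Nov 10 11:56:12 gw sshd[84990]: Failed password for invalid user admin from 198.51.100.23 port 50122 ssh2
Nov 10 11:57:40 gw sshd[85010]: Disconnecting: Too many authentication failures [preauth]
Nov 10 11:58:00 gw cron[1234]: (root) CMD (/usr/libexec/atrun)
""".splitlines()


def correlate(lines):
    """Count failures and limit events per address, and collect the
    address-less lines that no earlier line from the same PID explains."""
    failures = defaultdict(int)     # ip -> failed attempts
    limit_hits = defaultdict(int)   # ip -> "maximum authentication attempts exceeded"
    disconnects = defaultdict(int)  # ip -> address-less disconnects attributed via PID
    pid_to_ip = {}                  # sshd child pid -> last address it logged
    unattributed = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if m is None:
            continue                # not an sshd line
        pid, msg = m.group("pid"), m.group("msg")
        f = FAILED_RE.match(msg)
        if f:
            failures[f.group("ip")] += 1
            pid_to_ip[pid] = f.group("ip")
            continue
        x = MAXTRIES_RE.match(msg)
        if x:
            limit_hits[x.group("ip")] += 1
            pid_to_ip[pid] = x.group("ip")
            continue
        if NOADDR_RE.match(msg):
            ip = pid_to_ip.get(pid)
            if ip is None:
                unattributed.append(line)   # nothing earlier from this PID
            else:
                disconnects[ip] += 1
    return {
        "failures": dict(failures),
        "limit_hits": dict(limit_hits),
        "disconnects": dict(disconnects),
        "unattributed": unattributed,
    }


def offenders(summary, maxretry):
    """Addresses with at least `maxretry` failed attempts (a fail2ban-style threshold)."""
    return sorted(ip for ip, n in summary["failures"].items() if n >= maxretry)


if __name__ == "__main__":
    s = correlate(SAMPLE_LOG)
    for ip in offenders(s, 3):
        print("would ban", ip, "after", s["failures"][ip], "failures")
    for line in s["unattributed"]:
        print("no address recoverable for:", line)
```

Run against the sample, the three per-attempt lines alone are enough to push 203.0.113.7 over a threshold of 3, which is Dag-Erling's point; the address-less disconnect for PID 84942 is attributed through the earlier lines, while the one for PID 85010 stays unattributed because nothing from that PID preceded it. On a long-lived log the pid_to_ip map should be expired when a session ends (or bounded by time), since PIDs are eventually reused.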
From: Dag-Erling Smørgrav
To: Bob Bishop
Cc: freebsd-security@freebsd.org, freebsd-current@freebsd.org
Subject: Re: OpenSSH HPN
Date: Tue, 10 Nov 2015 12:16:47 +0100
Message-ID: <861tby9k9s.fsf@desk.des.no>
In-Reply-To: <261DDEE0-B792-4715-A8EF-27E491122BD2@gid.co.uk> (Bob Bishop's message of "Tue, 10 Nov 2015 10:56:01 +0000")
References: <86io5a9ome.fsf@desk.des.no> <261DDEE0-B792-4715-A8EF-27E491122BD2@gid.co.uk>

Bob Bishop writes:
> Is removing HPN going to impact the performance of tunnelled X
> connexions?

I don't think so. It mostly affects the performance of long
unidirectional streams (file transfers) whereas the X protocol, as far
as I know, is a bidirectional exchange of relatively short messages. It
may make a difference for applications that transfer large textures...
I don't really know enough about the X protocol to say for certain, but
I am typing this in Emacs over a non-HPN SSH connection, and I regularly
tunnel Firefox between the same two machines (RHEL 7 desktop at work and
FreeBSD 10 desktop at home).
DES
-- 
Dag-Erling Smørgrav - des@des.no

From: Willem Jan Withagen
Organization: Digiware Management b.v.
To: Dag-Erling Smørgrav
Cc: freebsd-security@freebsd.org, freebsd-current@freebsd.org
Subject: Re: OpenSSH HPN
Date: Tue, 10 Nov 2015 12:25:13 +0100
Message-ID: <5641D419.5090103@digiware.nl>
In-Reply-To: <86611a9kj6.fsf@desk.des.no>
References: <86io5a9ome.fsf@desk.des.no> <5641BFC4.7050208@digiware.nl> <86a8qm9l9b.fsf@desk.des.no> <5641D00E.501@digiware.nl> <86611a9kj6.fsf@desk.des.no>

On 10-11-2015 12:11, Dag-Erling Smørgrav wrote:
> Willem Jan Withagen writes:
>> Digging in my logfiles...., and it's things like:
>> sshd[84942]: Disconnecting: Too many authentication failures [preauth]
>>
>> So errors/warnings without IP-nr.
>>
>> And I think I fixed it on one server to also write:
>> error: maximum authentication attempts exceeded for root from
>> 173.254.203.88 port 1042 ssh2 [preauth]
>
> fail2ban should catch both of these since sshd will print a message for
> each failed authentication attempt before it prints a message about
> reaching the limit.

It's already too long to remember the full facts, but when I was looking
at the parser in sshguard, I think I noticed that certain accesses
weren't logged and added some more logging rules to catch those.

What I still have lingering is this snippet:
Index: crypto/openssh/packet.c
===================================================================
--- crypto/openssh/packet.c (revision 289060)
+++ crypto/openssh/packet.c (working copy)
@@ -1128,8 +1128,10 @@ logit("Connection closed by %.200s", get_remote_ipaddr()); cleanup_exit(255); } - if (len < 0) + if (len < 0) { + logit("Read from socket failed: %.200s", get_remote_ipaddr()); fatal("Read from socket failed: %.100s", strerror(errno)); + } /* Append it to the buffer. */ packet_process_incoming(buf, len); }

But like I said: the code I found at openssh was so totally different
that I did not continue this track, but chose to start running openssh
from ports. Which does not generate warnings I have questions about the
originating ip-nr.

>> Are they still willing to accept changes to the old version that is
>> currently in base?
>
> No, why would they do that?

Exactly my question.... I guess I misinterpreted your suggestion on
upstreaming patches.

--WjW
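Review bot: in the packet.c hunk above, the logit() added inside the new `if (len < 0) {` block produces two log lines for a single event and puts the peer address on a different line from the errno text, so a log parser still has to join lines to get both. Since fatal() already logs "Read from socket failed: %.100s", folding the address into that one message, for example fatal("Read from socket failed from %.200s: %.100s", get_remote_ipaddr(), strerror(errno)), gives sshguard or fail2ban a single line to match, removes the duplicated prefix, and matches the adjacent "Connection closed by %.200s" line, which already carries get_remote_ipaddr(). With that change the added braces become unnecessary.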
From: Dag-Erling Smørgrav
To: Willem Jan Withagen
Cc: freebsd-security@freebsd.org, freebsd-current@freebsd.org
Subject: Re: OpenSSH HPN
Date: Tue, 10 Nov 2015 12:48:46 +0100
Message-ID: <86vb9a8481.fsf@desk.des.no>
In-Reply-To: <5641D419.5090103@digiware.nl> (Willem Jan Withagen's message of "Tue, 10 Nov 2015 12:25:13 +0100")
References: <86io5a9ome.fsf@desk.des.no> <5641BFC4.7050208@digiware.nl> <86a8qm9l9b.fsf@desk.des.no> <5641D00E.501@digiware.nl> <86611a9kj6.fsf@desk.des.no> <5641D419.5090103@digiware.nl>

Willem Jan Withagen writes:
> "Dag-Erling Smørgrav" writes:
> > Willem Jan Withagen writes:
> > > Are they still willing to accept changes to the old version that
> > > is currently in base?
> > No, why would they do that?
> Exactly my question.... I guess I misinterpreted your suggestion on
> upstreaming patches.

I didn't suggest submitting patches, I suggested submitting a feature
request. Damien is generally pretty open to suggestions.
DES
-- 
Dag-Erling Smørgrav - des@des.no

From: Slawa Olhovchenkov
To: Dag-Erling Smørgrav
Cc: freebsd-current@freebsd.org, freebsd-security@freebsd.org
Subject: Re: OpenSSH HPN
Date: Tue, 10 Nov 2015 15:52:43 +0300
Message-ID: <20151110125243.GB48728@zxy.spb.ru>
In-Reply-To: <86io5a9ome.fsf@desk.des.no>
References: <86io5a9ome.fsf@desk.des.no>

On Tue, Nov 10, 2015 at 10:42:49AM +0100, Dag-Erling Smørgrav wrote:
> Some of you may have noticed that OpenSSH in base is lagging far behind
> the upstream code.
>
> The main reason for this is the burden of maintaining the HPN patches.
> They are extensive, very intrusive, and touch parts of the OpenSSH code
> that change significantly in every release. Since they are not
> regularly updated, I have to choose between trying to resolve the
> conflicts myself (hoping I don't break anything) or waiting for them to
> catch up and then figuring out how to apply the new version.
>
> Therefore, I would like to remove the HPN patches from base and refer
> anyone who really needs them to the openssh-portable port, which has
> them as a default option. I would also like to remove the NONE cipher
> patch, which is also available in the port (off by default, just like in
> base).

I plan to use NONE and HPN for bulk transfer, but I don't see a
performance improvement; in both cases I see only 500Mbit/s.
From owner-freebsd-security@freebsd.org Tue Nov 10 16:02:18 2015
From: Mark Felder <feld@FreeBSD.org>
To: Willem Jan Withagen, Dag-Erling Smørgrav
Cc: freebsd-security@freebsd.org, freebsd-current@freebsd.org
Subject: Re: OpenSSH HPN
Date: Tue, 10 Nov 2015 10:02:10 -0600
Message-Id: <1447171330.3672217.435085401.40D8E7F2@webmail.messagingengine.com>
In-Reply-To: <5641D419.5090103@digiware.nl>

On Tue, Nov 10, 2015, at 05:25, Willem Jan Withagen wrote:
> On 10-11-2015 12:11, Dag-Erling Smørgrav wrote:
> > Willem Jan Withagen writes:
> >> Digging in my logfiles ...., and it's things like:
> >> sshd[84942]: Disconnecting: Too many authentication failures [preauth]
> >>
> >> So errors/warnings without IP-nr.
> >>
> >> And I think I fixed it on one server to also write:
> >> error: maximum authentication attempts exceeded for root from
> >> 173.254.203.88 port 1042 ssh2 [preauth]
> >
> > fail2ban should catch both of these since sshd will print a message for
> > each failed authentication attempt before it prints a message about
> > reaching the limit.
>
> It's already too long to remember the full facts, but when I was looking
> at the parser in sshguard, I think I noticed that certain accesses
> weren't logged and added some more logging rules to catch those.
>
> What I still have lingering is this snippet:
> Index: crypto/openssh/packet.c
> ===================================================================
> --- crypto/openssh/packet.c (revision 289060)
> +++ crypto/openssh/packet.c (working copy)
> @@ -1128,8 +1128,10 @@
>  logit("Connection closed by %.200s",
>  get_remote_ipaddr());
>  cleanup_exit(255);
>  }
> - if (len < 0)
> + if (len < 0) {
> + logit("Read from socket failed: %.200s",
> + get_remote_ipaddr());
>  fatal("Read from socket failed: %.100s",
>  strerror(errno));
> + }
>  /* Append it to the buffer. */
>  packet_process_incoming(buf, len);
>  }
>
> But like I said: the code I found at openssh was so totally different
> that I did not continue this track, but chose to start running openssh
> from ports.  Which does not generate warnings I have questions about the
> originating ip-nr.
>
> >> Are they still willing to accept changes to the old version that is
> >> currently in base?
> >
> > No, why would they do that?
>
> Exactly my question....
> I guess I misinterpreted your suggestion on upstreaming patches.
>
> --WjW
>

I honestly think everyone would be better served by porting blacklistd
from NetBSD than trying to increase verbosity for log files.
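Review bot: the new logit() inside the `if (len < 0) {` block emits a second "Read from socket failed" line immediately before the existing fatal() emits the same prefix with strerror(errno), so every failed read is now logged twice, with the peer address on one line and the errno on the other. Fold the address into the single fatal() call instead, e.g. `fatal("Read from socket failed: %.100s from %.200s", strerror(errno), get_remote_ipaddr());`, which follows the `logit("Connection closed by %.200s", get_remote_ipaddr());` convention a few lines up in the same hunk and keeps one parseable line per event. Also, the hunk as quoted has been soft-wrapped by the mailer (statements are split across lines), so it will not apply from this message as-is; the original file is needed to review or test it.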
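Willem's log excerpt and Dag-Erling's remark that sshd logs every failed attempt before it logs the limit message are the whole basis for a log-driven blocker, and the address-less "Too many authentication failures" line is the gap Willem describes. The following is an added example, not code from this thread, from fail2ban, sshguard or blacklistd: it parses a constructed set of sshd syslog lines in three forms (the per-attempt "Failed password for USER from IP port N ssh2" line, which is a real sshd message but is not quoted in the thread, plus the two forms Willem quotes), recovers the address for the address-less disconnect from an earlier line logged by the same sshd process, and reports which addresses crossed a threshold inside a time window. The sample addresses (RFC 5737 documentation ranges), the year used for the syslog timestamps, and the assumption that all lines of one connection carry the same sshd pid are mine, not the thread's.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the thread): one brute-force connection
# from 192.0.2.10, one address-less disconnect with no earlier attempt line
# (the case Willem describes), two slow attempts from 192.0.2.20 that are
# 20 minutes apart, and one successful login that must be ignored.
SAMPLE_LOG = [
    "Nov 10 12:11:01 host sshd[84940]: Failed password for root from 192.0.2.10 port 51022 ssh2",
    "Nov 10 12:11:03 host sshd[84940]: Failed password for root from 192.0.2.10 port 51022 ssh2",
    "Nov 10 12:11:05 host sshd[84940]: Failed password for root from 192.0.2.10 port 51022 ssh2",
    "Nov 10 12:11:06 host sshd[84940]: error: maximum authentication attempts exceeded for root from 192.0.2.10 port 51022 ssh2 [preauth]",
    "Nov 10 12:11:06 host sshd[84940]: Disconnecting: Too many authentication failures [preauth]",
    "Nov 10 12:15:00 host sshd[84942]: Disconnecting: Too many authentication failures [preauth]",
    "Nov 10 12:20:00 host sshd[84950]: Failed password for invalid user admin from 192.0.2.20 port 40001 ssh2",
    "Nov 10 12:40:00 host sshd[84955]: Failed password for invalid user admin from 192.0.2.20 port 40002 ssh2",
    "Nov 10 12:41:00 host sshd[84960]: Accepted publickey for wjw from 198.51.100.5 port 2222 ssh2",
]

# Classic syslog prefix: "Mon DD HH:MM:SS host sshd[pid]: message"
SYSLOG = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Per-attempt line sshd logs before the limit is reached (real sshd format,
# not quoted in the thread). "invalid user" is present for unknown accounts.
ATTEMPT = re.compile(
    r"Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+")
# The two forms Willem quotes: one carries the address, the other does not.
EXCEEDED = re.compile(
    r"maximum authentication attempts exceeded for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+")
TOO_MANY = re.compile(r"Disconnecting: Too many authentication failures")


def parse_line(line, year=2015):
    """Return an event dict for the sshd lines we care about, else None.

    Syslog timestamps carry no year, so one is supplied (assumed here)."""
    m = SYSLOG.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
    ev = {"ts": ts, "pid": int(m["pid"]), "ip": None, "user": None}
    for kind, rx in (("attempt", ATTEMPT), ("exceeded", EXCEEDED)):
        hit = rx.search(m["msg"])
        if hit:
            ev.update(kind=kind, ip=hit["ip"], user=hit["user"])
            return ev
    if TOO_MANY.search(m["msg"]):
        ev["kind"] = "too_many"
        return ev
    return None


def analyze(lines, threshold=3, window=timedelta(minutes=10)):
    """Return ({ip: reason}, unattributed_count).

    An address is flagged when `threshold` failed attempts fall inside
    `window`, or when sshd itself reports the limit for it.  The address-less
    "Too many authentication failures" line is attributed through the sshd
    pid of an earlier line from the same connection (assumption: one sshd
    process per connection); with no such line it is counted as unattributed,
    which is exactly what Willem saw in his logs."""
    attempts = defaultdict(list)   # ip -> timestamps of recent failed attempts
    pid_to_ip = {}                 # sshd pid -> address seen on an earlier line
    flagged = {}
    unattributed = 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["ip"] is None:
            ev["ip"] = pid_to_ip.get(ev["pid"])
            if ev["ip"] is None:
                unattributed += 1
                continue
        else:
            pid_to_ip[ev["pid"]] = ev["ip"]
        ip = ev["ip"]
        if ev["kind"] == "attempt":
            # Keep only attempts still inside the window, then add this one.
            recent = [t for t in attempts[ip] if ev["ts"] - t <= window]
            recent.append(ev["ts"])
            attempts[ip] = recent
            if len(recent) >= threshold:
                flagged.setdefault(ip, "%d failures within %s" % (len(recent), window))
        else:
            flagged.setdefault(ip, "sshd reported %s" % ev["kind"])
    return flagged, unattributed


if __name__ == "__main__":
    flagged, unattributed = analyze(SAMPLE_LOG)
    for ip, why in flagged.items():
        print("block %s: %s" % (ip, why))
    print("lines with no recoverable address: %d" % unattributed)
```

On the sample, 192.0.2.10 is flagged after its third failure, the "Too many authentication failures" line for pid 84940 is attributed to it through the earlier lines, the lone pid 84942 disconnect stays unattributed, and 192.0.2.20 is never flagged because its two attempts fall outside the window. That pid correlation is the fragile part of any log-scraping approach and is the reason blacklistd, which Mark suggests, receives the peer address from sshd directly rather than from the log.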
-- 
Mark Felder
ports-secteam member
feld@FreeBSD.org

From owner-freebsd-security@freebsd.org Tue Nov 10 17:09:11 2015
From: Miroslav Lachman <000.fbsd@quip.cz>
To: Mark Felder, Willem Jan Withagen, Dag-Erling Smørgrav
Cc: freebsd-security@freebsd.org, freebsd-current@freebsd.org
Subject: Re: OpenSSH HPN
Date: Tue, 10 Nov 2015 18:08:56 +0100
Message-ID: <564224A8.6030507@quip.cz>
In-Reply-To: <1447171330.3672217.435085401.40D8E7F2@webmail.messagingengine.com>

Mark Felder wrote on 11/10/2015 17:02:

[...]

>> But like I said: the code I found at openssh was so totally different
>> that I did not continue this track, but chose to start running openssh
>> from ports.  Which does not generate warnings I have questions about the
>> originating ip-nr.
>>
>>>> Are they still willing to accept changes to the old version that is
>>>> currently in base?
>>>
>>> No, why would they do that?
>>
>> Exactly my question....
>> I guess I misinterpreted your suggestion on upstreaming patches.
>>
>> --WjW
>>
>
> I honestly think everyone would be better served by porting blacklistd
> from NetBSD than trying to increase verbosity for log files.

I didn't know blacklistd.  It seems very interesting.  It would be nice
if somebody would port it to FreeBSD.
Miroslav Lachman

From owner-freebsd-security@freebsd.org Tue Nov 10 17:52:21 2015
From: John-Mark Gurney
To: Dag-Erling Smørgrav
Cc: freebsd-current@freebsd.org, freebsd-security@freebsd.org
Subject: Re: OpenSSH HPN
Date: Tue, 10 Nov 2015 09:52:16 -0800
Message-ID: <20151110175216.GN65715@funkthat.com>
In-Reply-To: <86io5a9ome.fsf@desk.des.no>

Dag-Erling Smørgrav wrote this message on Tue, Nov 10, 2015 at 10:42 +0100:
> Therefore, I would like to remove the HPN patches from base and refer
> anyone who really needs them to the openssh-portable port, which has
> them as a default option.  I would also like to remove the NONE cipher
> patch, which is also available in the port (off by default, just like in
> base).

My vote is to remove the HPN patches.  First, the NONE cipher made more
sense back when we didn't have AES-NI widely available, and you were
seriously limited by its performance.  Now we have both aes-gcm and
chacha-poly, whose performance should be more than acceptable for
today's uses (i.e. cipher performance is 2GB/sec+).

Second, I did some testing recently due to a thread on -net, and I found
no significant (not run statistically though) difference in performance
between the ssh in HEAD and OpenSSH 7.1p1.  I started a wiki page to talk
about this:
https://wiki.freebsd.org/SSHPerf

Feel free to add any more info to the page.

There are other apparent issues w/ ssh that keep its performance low on
high latency links, but I haven't spent the time to figure out what they
are; in my testing HPN did not increase performance to make use of the
fat but high latency link.

So, if it's not increasing performance and is making us fall behind, why
bother with the trouble of keeping the patch?

If someone is willing to spend the time doing benchmarks, and prove that
the HPN patches do make a difference, I'm willing to work with them to
figure out why my tests didn't work and change my vote.

I also believe that the defaults should be enough; if you have to tune
or enable features, then you can install from ports or compile yourself.

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
From owner-freebsd-security@freebsd.org Tue Nov 10 17:22:22 2015
From: Michael Sinatra <michael+lists@burnttofu.net>
To: Dag-Erling Smørgrav, freebsd-current@freebsd.org, freebsd-security@freebsd.org
Subject: Re: OpenSSH HPN
Date: Tue, 10 Nov 2015 09:21:00 -0800
Message-ID: <5642277C.8010905@burnttofu.net>
In-Reply-To: <86io5a9ome.fsf@desk.des.no>

On 11/10/15 1:42 AM, Dag-Erling Smørgrav wrote:
> Some of you may have noticed that OpenSSH in base is lagging far behind
> the upstream code.
>
> The main reason for this is the burden of maintaining the HPN patches.
> They are extensive, very intrusive, and touch parts of the OpenSSH code
> that change significantly in every release.  Since they are not
> regularly updated, I have to choose between trying to resolve the
> conflicts myself (hoping I don't break anything) or waiting for them to
> catch up and then figuring out how to apply the new version.
>
> Therefore, I would like to remove the HPN patches from base and refer
> anyone who really needs them to the openssh-portable port, which has
> them as a default option.  I would also like to remove the NONE cipher
> patch, which is also available in the port (off by default, just like in
> base).

My current employer is a big proponent of HPN (see
http://fasterdata.es.net/data-transfer-tools/scp-and-sftp/).  However, I
agree that the difficulty of patching to the changing upstream is
significant.  Frankly, I am quite impressed that you have been able to
keep up with it for this long.

I would be more than happy if the HPN patches continued to be in the port
version and base were able to keep up with the upstream by removing the
HPN dependency.  There will be some places where we will notice the
difference in performance; in those cases we will install the HPN-patched
port.

michael

From owner-freebsd-security@freebsd.org Wed Nov 11 01:41:16 2015
Date: Tue, 10 Nov 2015 17:41:02 -0800
From: John-Mark Gurney
To: Bryan Drewery
Cc: Dag-Erling Smørgrav, freebsd-current@FreeBSD.org, freebsd-security@FreeBSD.org
Subject: Re: OpenSSH HPN
Message-ID: <20151111014102.GQ65715@funkthat.com>
In-Reply-To: <56428C84.8050600@FreeBSD.org>

Bryan Drewery wrote this message on Tue, Nov 10, 2015 at 16:32 -0800:
> On 11/10/15 9:52 AM, John-Mark Gurney wrote:
> > My vote is to remove the HPN patches.  First, the NONE cipher made more
> > sense back when we didn't have AES-NI widely available, and you were
> > seriously limited by its performance.  Now we have both aes-gcm and
> > chacha-poly, whose performance should be more than acceptable for
> > today's uses (i.e. cipher performance is 2GB/sec+).
>
> AES-NI doesn't help the absurdity of double-encrypting when using scp or
> rsync/ssh over an encrypted VPN, which is where NONE makes sense to use
> for me.

Different layers of protection...

Do you disable all encryption when you're transiting trusted networks
like your VPN?  If you don't, why is that ssh session so special?

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."

From owner-freebsd-security@freebsd.org Wed Nov 11 00:29:20 2015
Subject: Re: OpenSSH HPN
To: Willem Jan Withagen, Dag-Erling Smørgrav
Cc: freebsd-security@freebsd.org, freebsd-current@freebsd.org
References: <86io5a9ome.fsf@desk.des.no> <5641BFC4.7050208@digiware.nl> <86a8qm9l9b.fsf@desk.des.no> <5641D00E.501@digiware.nl>
From: Bryan Drewery <bdrewery@FreeBSD.org>
Organization: FreeBSD
Message-ID: <56428BDC.1040402@FreeBSD.org>
Date: Tue, 10 Nov 2015 16:29:16 -0800
In-Reply-To: <5641D00E.501@digiware.nl>

On 11/10/15 3:07 AM, Willem Jan Withagen wrote:
> Which when I found out that upstreaming patches from base will be hard,
> because the whole logging in the ports version is totally different.

No it's not.  The HPN patch in the ports version had *extra logging* for
a while but that is not the case now.  There is nothing different
compared to upstream OpenSSH now for logging.

-- 
Regards,
Bryan Drewery

From owner-freebsd-security@freebsd.org Wed Nov 11 00:32:07 2015
Subject: Re: OpenSSH HPN
To: John-Mark Gurney, Dag-Erling Smørgrav
Cc: freebsd-current@freebsd.org, freebsd-security@freebsd.org
References: <86io5a9ome.fsf@desk.des.no> <20151110175216.GN65715@funkthat.com>
From: Bryan Drewery <bdrewery@FreeBSD.org>
Organization: FreeBSD
Message-ID: <56428C84.8050600@FreeBSD.org>
Date: Tue, 10 Nov 2015 16:32:04 -0800
In-Reply-To: <20151110175216.GN65715@funkthat.com>

On 11/10/15 9:52 AM, John-Mark Gurney wrote:
> My vote is to remove the HPN patches.  First, the NONE cipher made more
> sense back when we didn't have AES-NI widely available, and you were
> seriously limited by its performance.  Now we have both aes-gcm and
> chacha-poly, whose performance should be more than acceptable for
> today's uses (i.e. cipher performance is 2GB/sec+).

AES-NI doesn't help the absurdity of double-encrypting when using scp or
rsync/ssh over an encrypted VPN, which is where NONE makes sense to use
for me.

-- 
Regards,
Bryan Drewery

From owner-freebsd-security@freebsd.org Wed Nov 11 00:40:47 2015
Subject: Re: OpenSSH HPN
To: Dag-Erling Smørgrav, freebsd-current@freebsd.org, freebsd-security@freebsd.org
References: <86io5a9ome.fsf@desk.des.no>
From: Bryan Drewery <bdrewery@FreeBSD.org>
Organization: FreeBSD
Message-ID: <56428E8A.3090201@FreeBSD.org>
Date: Tue, 10 Nov 2015 16:40:42 -0800
In-Reply-To: <86io5a9ome.fsf@desk.des.no>

On 11/10/15 1:42 AM, Dag-Erling Smørgrav wrote:
> Some of you may have noticed that OpenSSH in base is lagging far behind
> the upstream code.
>
> The main reason for this is the burden of maintaining the HPN patches.
> They are extensive, very intrusive, and touch parts of the OpenSSH code
> that change significantly in every release.  Since they are not
> regularly updated, I have to choose between trying to resolve the
> conflicts myself (hoping I don't break anything) or waiting for them to
> catch up and then figuring out how to apply the new version.
>
> Therefore, I would like to remove the HPN patches from base and refer
> anyone who really needs them to the openssh-portable port, which has
> them as a default option.  I would also like to remove the NONE cipher
> patch, which is also available in the port (off by default, just like in
> base).
>
> DES
>

I had this same problem as well, but have since reworked the HPN patch
for ports to be more easily maintained.  I've considered offering or just
updating the base SSH, but have not since we have random changes in the
HPN functionality in base that would be lost.

We for some reason decided we were going to maintain our own version and
not even upstream the changes to the HPN authors, which has contributed
to this situation.

Anyway, reverting the base SSH to stock, and then importing all patches
from the ports default version should result in the same base patches
applied and a working HPN.  I've kept the port version up-to-date with
all base changes applied as well (short of HPN customizations we made
that are not worth keeping).

A lot of people pressured me to remove HPN as default from the port
(during times that I was too busy to rework the patch for the latest
OpenSSH) but I persisted in keeping it due to it being enabled in base.
If we really remove it from base I may disable it in the port as well as
a default.

I personally find the feature worth keeping.  Seeing recent benchmarks
would be a good idea, but the overall patch is quite simple and
non-complex.  It's now split up with defines for each feature so they
can be disabled at compile time.  See
/usr/ports/security/openssh-portable/files/extra-patch-hpn.  There are
HPN_ENABLED and NONE_CIPHER_ENABLED.  It's really quite a simple and
small patch after removing all of the bogus changes (which I did
upstream, and did apply to the base HPN as well) and the logging changes
(which were far too intrusive to maintain).

-- 
Regards,
Bryan Drewery

From owner-freebsd-security@freebsd.org Wed Nov 11 00:44:12 2015
Subject: Re: OpenSSH HPN
To: Dag-Erling Smørgrav, freebsd-current@freebsd.org, freebsd-security@freebsd.org
References: <86io5a9ome.fsf@desk.des.no> <56428E8A.3090201@FreeBSD.org>
From: Bryan Drewery <bdrewery@FreeBSD.org>
Organization: FreeBSD
Message-ID: <56428F59.5010908@FreeBSD.org>
Date: Tue, 10 Nov 2015 16:44:09 -0800
In-Reply-To: <56428E8A.3090201@FreeBSD.org>

On 11/10/15 4:40 PM, Bryan Drewery wrote:
> Anyway, reverting the base SSH to stock, and then importing all patches
> from the ports default version should result in the same base patches
> applied and a working HPN.

Actually I am missing the client-side VersionAddendum support (ssh.c).
I only have server-side (sshd.c).  This is just due to lack of motivation
to import the changes.

-- 
Regards,
Bryan Drewery

From owner-freebsd-security@freebsd.org Wed Nov 11 07:59:35 2015
Date: Tue, 10 Nov 2015 23:59:30 -0800
From: John-Mark Gurney To: Ben Woods Cc: Bryan Drewery , Dag-Erling =?iso-8859-1?Q?Sm=F8rgrav?= , "freebsd-current@freebsd.org" , "freebsd-security@freebsd.org" Subject: Re: OpenSSH HPN Message-ID: <20151111075930.GR65715@funkthat.com> References: <86io5a9ome.fsf@desk.des.no> <20151110175216.GN65715@funkthat.com> <56428C84.8050600@FreeBSD.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Operating-System: FreeBSD 9.1-PRERELEASE amd64 X-PGP-Fingerprint: 54BA 873B 6515 3F10 9E88 9322 9CB1 8F74 6D3F A396 X-Files: The truth is out there X-URL: http://resnet.uoregon.edu/~gurney_j/ X-Resume: http://resnet.uoregon.edu/~gurney_j/resume.html X-TipJar: bitcoin:13Qmb6AeTgQecazTWph4XasEsP7nGRbAPE X-to-the-FBI-CIA-and-NSA: HI! HOW YA DOIN? can i haz chizburger? User-Agent: Mutt/1.5.21 (2010-09-15) X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.7 (gold.funkthat.com [127.0.0.1]); Tue, 10 Nov 2015 23:59:31 -0800 (PST) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Nov 2015 07:59:35 -0000 Ben Woods wrote this message on Wed, Nov 11, 2015 at 15:40 +0800: > On Wednesday, 11 November 2015, Bryan Drewery wrote: > > > On 11/10/15 9:52 AM, John-Mark Gurney wrote: > > > My vote is to remove the HPN patches. First, the NONE cipher made more > > > sense back when we didn't have AES-NI widely available, and you were > > > seriously limited by it's performance. Now we have both aes-gcm and > > > chacha-poly which it's performance should be more than acceptable for > > > today's uses (i.e. cipher performance is 2GB/sec+). > > > > AES-NI doesn't help the absurdity of double-encrypting when using scp or > > rsync/ssh over an encrypted VPN, which is where NONE makes sense to use > > for me. 
>
> I have to agree that there are cases when the NONE cipher makes sense, and
> it is up to the end user to make sure they know what they are doing.
>
> Personally I have used it at home to backup my old FreeBSD server (which
> does not have AESNI) over a dedicated network connection to a backup server
> using rsync/ssh. Since it was not possible for anyone else to be on that
> local network, and the server was so old it didn't have AESNI and would
> soon be retired, using the NONE cipher sped up the transfer significantly.

If you have a trusted network, why not just use nc?

-- 
John-Mark Gurney    Voice: +1 415 225 5579

    "All that I will do, has been done, All that I have, has not."

From owner-freebsd-security@freebsd.org Wed Nov 11 08:55:38 2015
In-Reply-To: <20151111075930.GR65715@funkthat.com>
References: <86io5a9ome.fsf@desk.des.no> <20151110175216.GN65715@funkthat.com> <56428C84.8050600@FreeBSD.org> <20151111075930.GR65715@funkthat.com>
From: Micheas Herman
Date: Wed, 11 Nov 2015 00:55:18 -0800
Subject: Re: OpenSSH HPN
To: freebsd-security@freebsd.org

On Tue, Nov 10, 2015 at 11:59 PM, John-Mark Gurney wrote:
>
> If you have a trusted network, why not just use nc?

Defense in depth for starters.

The ipfw how-to guide I learned from years ago started with the statement that a firewall should be a shield in front of machines that don't need the shield.

Security is hard, and you will get it wrong (everyone does); accidentally exposing an encrypted stream is much less of a mistake than exposing a plain-text stream.

> --
> John-Mark Gurney    Voice: +1 415 225 5579
>
> "All that I will do, has been done, All that I have, has not."
From owner-freebsd-security@freebsd.org Wed Nov 11 09:04:42 2015
From: Dag-Erling Smørgrav
To: Ben Woods
Cc: Bryan Drewery, John-Mark Gurney, freebsd-current@freebsd.org, freebsd-security@freebsd.org
Subject: Re: OpenSSH HPN
References: <86io5a9ome.fsf@desk.des.no> <20151110175216.GN65715@funkthat.com> <56428C84.8050600@FreeBSD.org>
Date: Wed, 11 Nov 2015 10:04:36 +0100
In-Reply-To: (Ben Woods's message of "Wed, 11 Nov 2015 15:40:10 +0800")
Message-ID: <86fv0c9aaj.fsf@desk.des.no>

Ben Woods writes:
> Personally I have used it at home to backup my old FreeBSD server
> (which does not have AESNI) over a dedicated network connection to a
> backup server using rsync/ssh. Since it was not possible for anyone
> else to be on that local network, and the server was so old it didn't
> have AESNI and would soon be retired, using the NONE cipher sped up
> the transfer significantly.

In that scenario, you don't need ssh at all. Just set up rsyncd on the backup server.
DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@freebsd.org Wed Nov 11 09:23:58 2015
From: Dag-Erling Smørgrav
To: Bryan Drewery
Cc: freebsd-current@freebsd.org, freebsd-security@freebsd.org
Subject: Re: OpenSSH HPN
References: <86io5a9ome.fsf@desk.des.no> <56428E8A.3090201@FreeBSD.org> <56428F59.5010908@FreeBSD.org>
Date: Wed, 11 Nov 2015 10:23:53 +0100
In-Reply-To: <56428F59.5010908@FreeBSD.org> (Bryan Drewery's message of "Tue, 10 Nov 2015 16:44:09 -0800")
Message-ID: <86y4e47uty.fsf@desk.des.no>

Bryan Drewery writes:
> Actually I am missing the client-side VersionAddendum support (ssh.c). I
> only have server-side (sshd.c). This is just due to lack of motivation
> to import the changes.

Pretty sure I sent Damien the patch a few years ago... There was also a bug in the server-side code (IIRC, one place where it printed only the hardcoded version instead of the variable string). I'll try again.
DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@freebsd.org Wed Nov 11 09:27:10 2015
Subject: Re: OpenSSH HPN
To: Dag-Erling Smørgrav, freebsd-current@freebsd.org, freebsd-security@freebsd.org
References: <86io5a9ome.fsf@desk.des.no>
From: Julian Elischer
Message-ID: <564309D8.7020307@freebsd.org>
Date: Wed, 11 Nov 2015 17:26:48 +0800
In-Reply-To: <86io5a9ome.fsf@desk.des.no>

On 11/10/15 5:42 PM, Dag-Erling Smørgrav wrote:
> Some of you may have noticed that OpenSSH in base is lagging far behind
> the upstream code.
>
> The main reason for this is the burden of maintaining the HPN patches.
> They are extensive, very intrusive, and touch parts of the OpenSSH code
> that change significantly in every release. Since they are not
> regularly updated, I have to choose between trying to resolve the
> conflicts myself (hoping I don't break anything) or waiting for them to
> catch up and then figuring out how to apply the new version.
>
> Therefore, I would like to remove the HPN patches from base and refer
> anyone who really needs them to the openssh-portable port, which has
> them as a default option. I would also like to remove the NONE cipher
> patch, which is also available in the port (off by default, just like in
> base).
>
> DES

The inclusion of the HPN patches meant that we could drop a custom unsupported HPN-enabled ssh from our build process. It makes ssh actually usable. Without it we need to keep integrating HPN every time ssh is upgraded. We were SO HAPPY when it came in by default.
From owner-freebsd-security@freebsd.org Wed Nov 11 11:33:21 2015
Subject: Re: OpenSSH HPN
To: Dag-Erling Smørgrav, Bob Bishop
References: <86io5a9ome.fsf@desk.des.no> <261DDEE0-B792-4715-A8EF-27E491122BD2@gid.co.uk> <861tby9k9s.fsf@desk.des.no>
Cc: freebsd-security@freebsd.org, freebsd-current@freebsd.org
From: Julian Elischer
Message-ID: <56432770.7030600@freebsd.org>
Date: Wed, 11 Nov 2015 19:33:04 +0800
In-Reply-To: <861tby9k9s.fsf@desk.des.no>

On 11/10/15 7:16 PM, Dag-Erling Smørgrav wrote:
> Bob Bishop writes:
>> Is removing HPN going to impact the performance of tunnelled X
>> connexions?

Yes, if your RTT is greater than about 85 ms. I don't know the details but I noticed a big difference. I had thought X wouldn't show much difference but in fact it did. At work we had to add HPN to get anything like acceptable performance on various tunnels our appliance uses.

> I don't think so. It mostly affects the performance of long
> unidirectional streams (file transfers) whereas the X protocol, as far
> as I know, is a bidirectional exchange of relatively short messages. It
> may make a difference for applications that transfer large textures...
> I don't really know enough about the X protocol to say for certain, but
> I am typing this in Emacs over a non-HPN SSH connection, and I regularly
> tunnel Firefox between the same two machines (RHEL 7 desktop at work and
> FreeBSD 10 desktop at home).
>
> DES

From owner-freebsd-security@freebsd.org Wed Nov 11 11:56:10 2015
From: Dag-Erling Smørgrav
To: Julian Elischer
Cc: freebsd-current@freebsd.org, freebsd-security@freebsd.org
Subject: Re: OpenSSH HPN
References: <86io5a9ome.fsf@desk.des.no> <564309D8.7020307@freebsd.org>
Date: Wed, 11 Nov 2015 12:56:06 +0100
In-Reply-To: <564309D8.7020307@freebsd.org> (Julian Elischer's message of "Wed, 11 Nov 2015 17:26:48 +0800")
Message-ID: <86twos7ns9.fsf@desk.des.no>

Julian Elischer writes:
> The inclusion of the HPN patches meant that we could drop a custom
> unsupported HPN enabled ssh from our build process. It makes ssh
> actually usable.

Define "usable". Does it actually make a measurable difference with the latest OpenSSH? And if HPN is so important to you, is there a reason why you can't use the port?
DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@freebsd.org Wed Nov 11 07:40:13 2015
In-Reply-To: <56428C84.8050600@FreeBSD.org>
References: <86io5a9ome.fsf@desk.des.no> <20151110175216.GN65715@funkthat.com> <56428C84.8050600@FreeBSD.org>
Date: Wed, 11 Nov 2015 15:40:10 +0800
Subject: Re: OpenSSH HPN
From: Ben Woods
To: Bryan Drewery
Cc: John-Mark Gurney, Dag-Erling Smørgrav, freebsd-current@freebsd.org, freebsd-security@freebsd.org
X-Mailman-Approved-At: Wed, 11 Nov 2015 12:21:19 +0000

On Wednesday, 11 November 2015, Bryan Drewery wrote:
> On 11/10/15 9:52 AM, John-Mark Gurney wrote:
> > My vote is to remove the HPN patches. First, the NONE cipher made more
> > sense back when we didn't have AES-NI widely available, and you were
> > seriously limited by its performance. Now we have both aes-gcm and
> > chacha-poly which its performance should be more than acceptable for
> > today's uses (i.e. cipher performance is 2GB/sec+).
>
> AES-NI doesn't help the absurdity of double-encrypting when using scp or
> rsync/ssh over an encrypted VPN, which is where NONE makes sense to use
> for me.

I have to agree that there are cases when the NONE cipher makes sense, and it is up to the end user to make sure they know what they are doing.

Personally I have used it at home to backup my old FreeBSD server (which does not have AESNI) over a dedicated network connection to a backup server using rsync/ssh. Since it was not possible for anyone else to be on that local network, and the server was so old it didn't have AESNI and would soon be retired, using the NONE cipher sped up the transfer significantly.

If the patch is made easy enough to maintain (as some subsequent posts have implied), I vote the NONE cipher stays. I would even like to see it compiled in by default (but disabled in the default configuration file). That way you wouldn't need a custom compiled base to use it - just edit the config file.
Regards,
Ben

-- 
From: Benjamin Woods
woodsb02@gmail.com

From owner-freebsd-security@freebsd.org Wed Nov 11 08:27:11 2015
In-Reply-To: <20151111075930.GR65715@funkthat.com>
References: <86io5a9ome.fsf@desk.des.no> <20151110175216.GN65715@funkthat.com> <56428C84.8050600@FreeBSD.org> <20151111075930.GR65715@funkthat.com>
Date: Wed, 11 Nov 2015 16:27:08 +0800
Subject: Re: OpenSSH HPN
From: Ben Woods
To: John-Mark Gurney
Cc: Bryan Drewery, Dag-Erling Smørgrav, freebsd-current@freebsd.org, freebsd-security@freebsd.org
X-Mailman-Approved-At: Wed, 11 Nov 2015 12:21:29 +0000

On Wednesday, 11 November 2015, John-Mark Gurney wrote:
> Ben Woods wrote this message on Wed, Nov 11, 2015 at 15:40 +0800:
> > I have to agree that there are cases when the NONE cipher makes sense, and
> > it is up to the end user to make sure they know what they are doing.
> >
> > Personally I have used it at home to backup my old FreeBSD server (which
> > does not have AESNI) over a dedicated network connection to a backup server
> > using rsync/ssh. Since it was not possible for anyone else to be on that
> > local network, and the server was so old it didn't have AESNI and would
> > soon be retired, using the NONE cipher sped up the transfer significantly.
>
> If you have a trusted network, why not just use nc?

Honest answer: ignorance of how I can use netcat together with rsync.

-- 
From: Benjamin Woods
woodsb02@gmail.com

From owner-freebsd-security@freebsd.org Wed Nov 11 08:55:36 2015
In-Reply-To: <20151111075930.GR65715@funkthat.com>
References: <86io5a9ome.fsf@desk.des.no> <20151110175216.GN65715@funkthat.com> <56428C84.8050600@FreeBSD.org> <20151111075930.GR65715@funkthat.com>
Date: Wed, 11 Nov 2015 19:55:35 +1100
Subject: Re: OpenSSH HPN
From: Jason Birch
To: John-Mark Gurney
Cc: Ben Woods, Bryan Drewery, Dag-Erling Smørgrav, freebsd-current@freebsd.org, freebsd-security@freebsd.org
X-Mailman-Approved-At: Wed, 11 Nov 2015 12:21:40 +0000

On Wed, Nov 11, 2015 at 6:59 PM, John-Mark Gurney wrote:
> If you have a trusted network, why not just use nc?

Perhaps more generally relevant is that ssh/scp are *waves hands* vaguely analogous to secure versions of rsh/rlogin/rcp. I'd think that most cases of "I wanted to send files and invoke some commands on a remote machine, and due to $CIRCUMSTANCE I don't need or desire encryption" are covered by the older, also standard tools. Additionally, rsync can use rsh as its transport, for users who desire more advanced behaviour.

ssh just seems to have more support; installation will ask you if you'd like to run sshd (not rshd), ssh is rather ubiquitous as a way of "doing a thing remotely" (even in Windows soon!), etc. This is a good default to have; the overhead of security is tiny in nearly all cases.

It would seem then that the extra complexity of maintenance development in supporting NONE in base doesn't really grant us any additional functionality in most cases. It's just more 'obvious'.
From owner-freebsd-security@freebsd.org Wed Nov 11 12:32:59 2015
Date: Wed, 11 Nov 2015 15:32:49 +0300
From: Slawa Olhovchenkov
To: John-Mark Gurney
Cc: Dag-Erling Smørgrav, freebsd-security@freebsd.org, freebsd-current@freebsd.org
Subject: Re: OpenSSH HPN
Message-ID: <20151111123249.GC48728@zxy.spb.ru>
References: <86io5a9ome.fsf@desk.des.no> <20151110175216.GN65715@funkthat.com>
In-Reply-To: <20151110175216.GN65715@funkthat.com>

On Tue, Nov 10, 2015 at 09:52:16AM -0800, John-Mark Gurney wrote:
> Dag-Erling Smørgrav wrote this message on Tue, Nov 10, 2015 at 10:42 +0100:
> > Therefore, I would like to remove the HPN patches from base and refer
> > anyone who really needs them to the openssh-portable port, which has
> > them as a default option. I would also like to remove the NONE cipher
> > patch, which is also available in the port (off by default, just like in
> > base).
>
> My vote is to remove the HPN patches. First, the NONE cipher made more
> sense back when we didn't have AES-NI widely available, and you were
> seriously limited by its performance. Now we have both aes-gcm and
> chacha-poly which its performance should be more than acceptable for
> today's uses (i.e. cipher performance is 2GB/sec+).
>
> Second, I did some testing recently due to a thread on -net, and I
> found no significant (not run statistically though) difference in
> performance between in HEAD ssh and OpenSSH 7.1p1. I started a wiki
> page to talk about this:
> https://wiki.freebsd.org/SSHPerf

Hmm, I see on this page a max speed of 20MB/sec. This is too small.
What is the problem? With a modern 40G NIC the wanted speed is about 20Gbit/s, 10Gbit/s at least.

From owner-freebsd-security@freebsd.org Wed Nov 11 12:38:16 2015
Date: Wed, 11 Nov 2015 15:38:13 +0300
From: Slawa Olhovchenkov
To: John-Mark Gurney
Cc: Ben Woods, freebsd-security@freebsd.org, Dag-Erling Smørgrav, freebsd-current@freebsd.org, Bryan Drewery
Subject: Re: OpenSSH HPN
Message-ID: <20151111123813.GD48728@zxy.spb.ru>
References: <86io5a9ome.fsf@desk.des.no> <20151110175216.GN65715@funkthat.com> <56428C84.8050600@FreeBSD.org> <20151111075930.GR65715@funkthat.com>
In-Reply-To: <20151111075930.GR65715@funkthat.com>

On Tue, Nov 10, 2015 at 11:59:30PM -0800, John-Mark Gurney wrote:
> Ben Woods wrote this message on Wed, Nov 11, 2015 at 15:40 +0800:
> > On Wednesday, 11 November 2015, Bryan Drewery wrote:
> >
> > > On 11/10/15 9:52 AM, John-Mark Gurney wrote:
> > > > My vote is to remove the HPN patches. First, the NONE cipher made more
> > > > sense back when we didn't have AES-NI widely available, and you were
> > > > seriously limited by its performance. Now we have both aes-gcm and
> > > > chacha-poly which its performance should be more than acceptable for
> > > > today's uses (i.e. cipher performance is 2GB/sec+).
> > >
> > > AES-NI doesn't help the absurdity of double-encrypting when using scp or
> > > rsync/ssh over an encrypted VPN, which is where NONE makes sense to use
> > > for me.
> >
> > I have to agree that there are cases when the NONE cipher makes sense, and
> > it is up to the end user to make sure they know what they are doing.
> > > > Personally I have used it at home to backup my old FreeBSD server (which > > does not have AESNI) over a dedicated network connection to a backup server > > using rsync/ssh. Since it was not possible for anyone else to be on that > > local network, and the server was so old it didn't have AESNI and would > > soon be retired, using the NONE cipher sped up the transfer significantly. > > If you have a trusted network, why not just use nc? I think you kidding: - scp need only one command on initiator side and no additional setup on target. simple, well know. - nc need additional work on target, need synchronization for file names with target, also need ssh to target for start, etc... Too complex. From owner-freebsd-security@freebsd.org Wed Nov 11 14:59:09 2015 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 264D2A2B813; Wed, 11 Nov 2015 14:59:09 +0000 (UTC) (envelope-from des@des.no) Received: from smtp.des.no (smtp.des.no [194.63.250.102]) by mx1.freebsd.org (Postfix) with ESMTP id D9FB81E37; Wed, 11 Nov 2015 14:59:08 +0000 (UTC) (envelope-from des@des.no) Received: from desk.des.no (smtp.des.no [194.63.250.102]) by smtp.des.no (Postfix) with ESMTP id 3E46C2993; Wed, 11 Nov 2015 14:59:06 +0000 (UTC) Received: by desk.des.no (Postfix, from userid 1001) id 988513F9DF; Wed, 11 Nov 2015 15:58:59 +0100 (CET) 
From: Dag-Erling Smørgrav
To: Julian Elischer
Cc: Bob Bishop, freebsd-security@freebsd.org, freebsd-current@freebsd.org
Subject: Re: OpenSSH HPN
Date: Wed, 11 Nov 2015 15:58:59 +0100
In-Reply-To: <56432770.7030600@freebsd.org> (Julian Elischer's message of "Wed, 11 Nov 2015 19:33:04 +0800")
Message-ID: <86egfw7fbg.fsf@desk.des.no>

Julian Elischer writes:
> Bob Bishop writes:
> > Is removing HPN going to impact the performance of tunnelled X
> > connexions?
> yes if your rtt is greater than about 85 mSec

With an RTT of 85 ms, X is unusable with or without HPN.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@freebsd.org Wed Nov 11 15:08:31 2015
Subject: Re: OpenSSH HPN
To: Dag-Erling Smørgrav
Cc: freebsd-security@freebsd.org, freebsd-current@freebsd.org
From: Julian Elischer
Message-ID: <564359E0.40302@freebsd.org>
Date: Wed, 11 Nov 2015 23:08:16 +0800
In-Reply-To: <86twos7ns9.fsf@desk.des.no>

On 11/11/15 7:56 PM, Dag-Erling Smørgrav wrote:
> Julian Elischer writes:
>> The inclusion of the HPN patches meant that we could drop a custom
>> unsupported HPN enabled ssh from our build process. It makes ssh
>> actually usable.
> Define "usable". Does it actually make a measurable difference with the
> latest OpenSSH? And if HPN is so important to you, is there a reason
> why you can't use the port?

Usable: able to use more than 5% of the available bandwidth.

Our environment is not FreeBSD exactly. Many ports won't compile and we don't have ports in our setup (I didn't do it, don't blame me). But we do and can compile FreeBSD sources, so ssh from src is an easy recompile or just a binary drop-in. We used to do it by hand from sources ftp'd from OpenBSD and compiled straight (no ports), but since it came to have HPN all that went away because the in-tree one worked for us. Now we'll have to resurrect all that framework and pain.

Have you mentioned this plan to Brooks? Didn't he add it?

>
> DES

From owner-freebsd-security@freebsd.org Wed Nov 11 15:22:48 2015
From: Dag-Erling Smørgrav
To: Julian Elischer
Cc: freebsd-security@freebsd.org, freebsd-current@freebsd.org
Subject: Re: OpenSSH HPN
Date: Wed, 11 Nov 2015 16:22:40 +0100
In-Reply-To: <564359E0.40302@freebsd.org> (Julian Elischer's message of "Wed, 11 Nov 2015 23:08:16 +0800")
Message-ID: <8661187e7z.fsf@desk.des.no>

Julian Elischer writes:
> Now we'll have to resurrect all that framework and pain.

I guess pain is fine as long as it's not yours...

> have you mentioned this plan to Brooks? Didn't he add it?

These are public lists, but by all means, mention it to him if he hasn't noticed this thread.

From owner-freebsd-security@freebsd.org Wed Nov 11 16:49:18 2015
From: Dag-Erling Smørgrav
To: Daniel Kalchev
Cc: Jason Birch, John-Mark Gurney, Ben Woods, Bryan Drewery, freebsd-current@freebsd.org, freebsd-security@freebsd.org
Subject: Re: OpenSSH HPN
Date: Wed, 11 Nov 2015 17:49:13 +0100
In-Reply-To: <546376BD-A2E7-4B73-904E-4F33DD82401E@digsys.bg> (Daniel Kalchev's message of "Wed, 11 Nov 2015 17:49:52 +0200")
Message-ID: <86vb98fpme.fsf@desk.des.no>

Daniel Kalchev writes:
> I must have missed the explanation. But why having a NONE cypher
> compiled in, but disabled in the configuration is a bad idea?

It increases the cost of maintaining OpenSSH in base noticeably without providing real value unless you are one of the few people who need HPN and lack the CPU power to perform encryption at line speed.

From owner-freebsd-security@freebsd.org Wed Nov 11 16:51:29 2015
From: Dag-Erling Smørgrav
To: Bryan Drewery
Cc: freebsd-current@freebsd.org, freebsd-security@freebsd.org
Subject: Re: OpenSSH HPN
Date: Wed, 11 Nov 2015 17:51:25 +0100
In-Reply-To: <56436F4B.8050002@FreeBSD.org> (Bryan Drewery's message of "Wed, 11 Nov 2015 08:39:39 -0800")
Message-ID: <86r3jwfpiq.fsf@desk.des.no>

Bryan Drewery writes:
> Another thing that I did with the port was restore the tcpwrapper
> support that upstream removed. Again, if we decide it is not worth
> keeping in base I will remove it as default in the port.

I want to keep tcpwrapper support - it is another reason why I still haven't upgraded OpenSSH, but to the best of my knowledge, it is far less intrusive than HPN.
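What the tcpwrappers hook discussed above buys an sshd on a host that runs without a packet filter, as an added example that is not part of the thread and not code from OpenSSH or the tcp_wrappers library: a small POSIX sh model of the hosts_access(5) evaluation a wrapped sshd performs against /etc/hosts.allow right after accept(), before key exchange or authentication. The rule set, the daemon name and the client pattern forms it handles (ALL, exact IPv4, dotted prefix, IPv4 CIDR) are assumptions for the example; hostnames, EXCEPT lists and IPv6 are not modelled.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH/tcp_wrappers:
# a minimal model of the hosts_access(5) rules that a tcpwrappers-enabled
# sshd consults in /etc/hosts.allow. The rule set is constructed for this
# example. The first matching line wins, and a client that matches no
# line at all is granted access (the tcpwrappers default), which is why
# the sshd rules end with an explicit "sshd : ALL : deny".

HOSTS_ALLOW='# constructed sample /etc/hosts.allow
sshd : 127.0.0.1 : allow
sshd : 10.0.0.0/24 : allow
sshd : 192.168.1. : allow
sshd : ALL : deny
ALL : ALL : allow'

ip_to_int() {
    # 10.0.0.5 -> 167772165
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

client_matches() {
    # $1 = client pattern from a rule, $2 = client IPv4 address; 0 on match
    pat=$1; addr=$2
    case $pat in
        ALL) return 0 ;;
        */*)                      # CIDR: compare the network parts
            net=${pat%/*}; bits=${pat#*/}
            mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
            [ $(( $(ip_to_int "$addr") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
            ;;
        *.)                       # dotted prefix: "192.168.1." matches 192.168.1.x
            case $addr in "$pat"*) return 0 ;; *) return 1 ;; esac
            ;;
        *)  [ "$pat" = "$addr" ] ;;
    esac
}

hosts_access() {
    # $1 = daemon name as sshd presents it ("sshd"), $2 = client IPv4
    # Prints "allow" or "deny" with first-match semantics.
    daemon=$1; addr=$2
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        d=$(printf '%s\n' "$line" | cut -d: -f1 | tr -d ' ')
        c=$(printf '%s\n' "$line" | cut -d: -f2 | tr -d ' ')
        a=$(printf '%s\n' "$line" | cut -d: -f3 | tr -d ' ')
        [ "$d" = ALL ] || [ "$d" = "$daemon" ] || continue
        if client_matches "$c" "$addr"; then
            echo "${a:-allow}"    # a line without an option grants access
            return 0
        fi
    done <<EOF
$HOSTS_ALLOW
EOF
    echo allow                    # default when no line matches
}

# Stand-alone demonstration
for client in 127.0.0.1 10.0.0.7 10.0.1.7 192.168.1.200 203.0.113.9; do
    printf 'sshd from %-15s -> %s\n' "$client" "$(hosts_access sshd "$client")"
done
```

On a real FreeBSD host ask the wrapper library itself rather than this model: tcpdmatch(8) from base (for example `tcpdmatch sshd 10.0.1.7`) reports which hosts.allow line a client would hit. The point worth remembering from the model is the default: a client that matches nothing is let through, so a rule set that is meant to protect sshd has to end in an explicit deny for ALL.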
From owner-freebsd-security@freebsd.org Wed Nov 11 17:00:07 2015
Subject: Re: OpenSSH HPN
From: "Bjoern A. Zeeb"
In-Reply-To: <56437296.9000709@FreeBSD.org>
Date: Wed, 11 Nov 2015 17:00:00 +0000
Cc: Dag-Erling Smørgrav, freebsd-current@freebsd.org, freebsd-security@freebsd.org
Message-Id: <774F6E78-54B0-44E2-AA4C-52E24CED2095@lists.zabbadoz.net>
To: Bryan Drewery

> On 11 Nov 2015, at 16:53 , Bryan Drewery wrote:
>
> On 11/11/2015 8:51 AM, Dag-Erling Smørgrav wrote:
>> Bryan Drewery writes:
>>> Another thing that I did with the port was restore the tcpwrapper
>>> support that upstream removed. Again, if we decide it is not worth
>>> keeping in base I will remove it as default in the port.
>>
>> I want to keep tcpwrapper support - it is another reason why I still
>> haven't upgraded OpenSSH, but to the best of my knowledge, it is far
>> less intrusive than HPN.
>>
>
> Yes, it's very small.
> /usr/ports/security/openssh-portable/files/extra-patch-tcpwrappers

And thanks to both of you for keeping it. It's often the best you can get if you have machines which run w/o firewalls.

Just wanted to say "thanks"!

/bz

From owner-freebsd-security@freebsd.org Wed Nov 11 16:39:42 2015
Subject: Re: OpenSSH HPN
To: Dag-Erling Smørgrav
Cc: freebsd-current@freebsd.org, freebsd-security@freebsd.org
From: Bryan Drewery
Openpgp: id=F9173CB2C3AAEA7A5C8A1F0935D771BB6E4697CF; url=http://www.shatow.net/bryan/bryan2.asc
Organization: FreeBSD
Message-ID: <56436F4B.8050002@FreeBSD.org>
Date: Wed, 11 Nov 2015 08:39:39 -0800
In-Reply-To: <86y4e47uty.fsf@desk.des.no>

On 11/11/2015 1:23 AM, Dag-Erling Smørgrav wrote:
> Bryan Drewery writes:
>> Actually I am missing the client-side VersionAddendum support (ssh.c). I
>> only have server-side (sshd.c). This is just due to lack of motivation
>> to import the changes.
>
> Pretty sure I sent Damien the patch a few years ago... There was also a
> bug in the server-side code (IIRC, one place where it printed only the
> hardcoded version instead of the variable string). I'll try again.
>

By the way, I may have come off wrong. I'm willing to do the work to update the base version and put it out for review if you would like.

Another thing that I did with the port was restore the tcpwrapper support that upstream removed. Again, if we decide it is not worth keeping in base I will remove it as default in the port.

I honestly don't have a strong opinion on keeping or removing HPN. It is after all available in the port and I intend to keep it as an option there. The question is just what the default is. I prefer to keep the port close to the base version by default options. I never liked the idea of having 2 different things in the ecosystem that behave differently, from OpenSSL to OpenSSH, etc.

-- 
Regards,
Bryan Drewery

From owner-freebsd-security@freebsd.org Wed Nov 11 16:42:55 2015
Subject: Re: OpenSSH HPN
To: Willem Jan Withagen
Cc: freebsd-security@freebsd.org, freebsd-current@freebsd.org
From: Bryan Drewery
Message-ID: <5643700C.2010405@FreeBSD.org>
Date: Wed, 11 Nov 2015 08:42:52 -0800
In-Reply-To: <86vb9a8481.fsf@desk.des.no>

On 11/10/2015 3:48 AM, Dag-Erling Smørgrav wrote:
> Willem Jan Withagen writes:
>> "Dag-Erling Smørgrav" writes:
>>> Willem Jan Withagen writes:
>>>> Are they still willing to accept changes to the old version that
>>>> is currently in base?
>>> No, why would they do that?
>> Exactly my question.... I guess I misinterpreted your suggestion on
>> upstreaming patches.
>
> I didn't suggest submitting patches, I suggested submitting a feature
> request. Damien is generally pretty open to suggestions.
>

My own experience here has been positive, both with patches, feature suggestions, and general discussion. The upstream is more open than people may think.

From owner-freebsd-security@freebsd.org Wed Nov 11 16:18:56 2015
Subject: Re: OpenSSH HPN
From: Daniel Kalchev
To: Jason Birch
Cc: John-Mark Gurney, Ben Woods, Bryan Drewery, Dag-Erling Smørgrav, freebsd-current@freebsd.org, freebsd-security@freebsd.org
Date: Wed, 11 Nov 2015 17:49:52 +0200
Message-Id: <546376BD-A2E7-4B73-904E-4F33DD82401E@digsys.bg>

It is my understanding that using the NONE cypher is not identical to using "the old tools" (rsh/rlogin/rcp).

When ssh uses the NONE cypher, credentials and authorization are still encrypted and verified. Only the actual data payload is not encrypted.

Perhaps a similar level of security could be achieved by "the old tools" if they were by default compiled with Kerberos. Although this still requires building additional infrastructure.

I must have missed the explanation. But why is having a NONE cypher compiled in, but disabled in the configuration, a bad idea?

Daniel

> On 11.11.2015 г., at 10:55, Jason Birch wrote:
>
> On Wed, Nov 11, 2015 at 6:59 PM, John-Mark Gurney wrote:
>> If you have a trusted network, why not just use nc?
>
> Perhaps more generally relevant is that ssh/scp are *waves hands* vaguely
> analogous to secure versions of rsh/rlogin/rcp. I'd think that most cases
> of "I wanted to send files and invoke some commands on a remote machine,
> and due to $CIRCUMSTANCE I don't need or desire encryption" are covered
> by the older, also standard tools. Additionally, rsync can use rsh as its
> transport, for users who desire more advanced behaviour. ssh just seems
> to have more support; Installation will ask you if you'd like to run sshd
> (not rshd), ssh is rather ubiquitous as a way of "doing a thing remotely"
> (even in Windows soon!), etc. This is a good default to have; the
> overhead of security is tiny in nearly all cases.
>
> It would seem then that the extra complexity of maintenance development
> in supporting NONE in base doesn't really grant us any additional
> functionality in most cases. It's just more 'obvious'.

From owner-freebsd-security@freebsd.org Wed Nov 11 16:37:15 2015
Subject: Re: OpenSSH HPN
To: Dag-Erling Smørgrav, Ben Woods
Cc: John-Mark Gurney, freebsd-current@freebsd.org, freebsd-security@freebsd.org
From: Bryan Drewery
Message-ID: <56436EB4.3030007@FreeBSD.org>
Date: Wed, 11 Nov 2015 08:37:08 -0800
In-Reply-To: <86fv0c9aaj.fsf@desk.des.no>

On 11/11/2015 1:04 AM, Dag-Erling Smørgrav wrote:
> Ben Woods writes:
>> Personally I have used it at home to backup my old FreeBSD server
>> (which does not have AESNI) over a dedicated network connection to a
>> backup server using rsync/ssh. Since it was not possible for anyone
>> else to be on that local network, and the server was so old it didn't
>> have AESNI and would soon be retired, using the NONE cipher sped up
>> the transfer significantly.
>
> In that scenario, you don't need ssh at all. Just set up rsyncd on the
> backup server.
>

Yes, it's more a matter of convenience with key management. I admit that after some recent changes I've made, I did resort to using the base SSH and rsync:// to achieve my backups over VPN, out of not wanting to customize the new system further with the port version or rebuilding base.
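The rsyncd route suggested in the quoted reply and used in the message above, as an added example that is not part of the thread and not code from the rsync project: a shell script that writes a constructed rsyncd.conf for a backup target reached over a VPN or an isolated segment, where the link already protects the bytes and the goal is to drop the second encryption layer rather than to run ssh with the NONE cipher, and then checks the settings that keep an unencrypted rsync daemon from turning into an open file server. Module name, account, paths and addresses are assumptions for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from rsync: an rsync daemon
# configuration for a backup target on a VPN address, plus checks on the
# settings that matter when the transport itself is not encrypted.
# Module name, user, paths and addresses are assumptions for the example.

write_rsyncd_conf() {
    # $1 = directory to write rsyncd.conf and rsyncd.secrets into
    # (on FreeBSD the daemon reads /usr/local/etc/rsyncd.conf)
    dir=$1
    cat > "$dir/rsyncd.conf" <<'EOF'
# global: bind to the VPN address only, never to a public interface
address = 10.8.0.1
port = 873
use chroot = yes
uid = backup
gid = backup
max connections = 2
log file = /var/log/rsyncd.log

# one module per source host; the old server may only push into its tree
[oldserver]
    path = /backup/oldserver
    read only = no
    write only = yes
    list = no
    auth users = oldserver
    secrets file = /usr/local/etc/rsyncd.secrets
    hosts allow = 10.8.0.0/24
EOF
    # rsyncd refuses a secrets file that others can read, so set mode 600
    # before the daemon ever sees it; the password is a constructed random one
    printf 'oldserver:%s\n' "$(head -c 24 /dev/urandom | od -A n -t x1 | tr -d ' \n')" \
        > "$dir/rsyncd.secrets"
    chmod 600 "$dir/rsyncd.secrets"
}

check_rsyncd_conf() {
    # $1 = rsyncd.conf; prints each missing hardening setting, returns 1 if any
    conf=$1; missing=0
    for want in 'use chroot = yes' 'auth users = ' 'secrets file = ' 'hosts allow = ' 'list = no'; do
        if ! grep -q "^[[:space:]]*$want" "$conf"; then
            echo "missing: $want"
            missing=1
        fi
    done
    return $missing
}

secrets_private() {
    # $1 = secrets file; succeeds only if neither group nor others can read it
    [ -z "$(find "$1" \( -perm -040 -o -perm -004 \))" ]
}

# Stand-alone demonstration in a scratch directory
demo=$(mktemp -d)
write_rsyncd_conf "$demo"
check_rsyncd_conf "$demo/rsyncd.conf" && echo "rsyncd.conf: hardening settings present"
secrets_private "$demo/rsyncd.secrets" && echo "rsyncd.secrets: not readable by others"
# client side, run on the old server (no ssh account on the target is needed):
#   rsync -a --password-file=/root/rsyncd.pw /data/ rsync://oldserver@10.8.0.1/oldserver/
rm -rf "$demo"
```

The daemon authenticates the module user with a challenge-response over the shared secret, so the password itself is not sent in clear even though the file data is; nothing protects the integrity or confidentiality of that data on the wire, which is exactly why the daemon binds only to the VPN address and `hosts allow` is limited to the VPN subnet. `write only = yes` gives the source host the least privilege a backup push needs: it can deposit data but cannot read other hosts' backups back out.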
--
Regards,
Bryan Drewery

From: Bryan Drewery
Date: Wed, 11 Nov 2015 08:53:42 -0800
Subject: Re: OpenSSH HPN

On 11/11/2015 8:51 AM, Dag-Erling Smørgrav wrote:
> Bryan Drewery writes:
>> Another thing that I did with the port was restore the tcpwrapper
>> support that upstream removed. Again, if we decide it is not worth
>> keeping in base I will remove it as default in the port.
>
> I want to keep tcpwrapper support - it is another reason why I still
> haven't upgraded OpenSSH, but to the best of my knowledge, it is far
> less intrusive than HPN.
>

Yes, it's very small.
/usr/ports/security/openssh-portable/files/extra-patch-tcpwrappers

--
Regards,
Bryan Drewery

From: Bryan Drewery
Date: Wed, 11 Nov 2015 08:35:47 -0800
Subject: Re: OpenSSH HPN

On 11/11/2015 7:49 AM, Daniel Kalchev wrote:
> It is my understanding that using the NONE cipher is not identical to using "the old tools" (rsh/rlogin/rcp).
>
> When ssh uses the NONE cipher, credentials and authorization are still encrypted and verified. Only the actual data payload is not encrypted.
>
> Perhaps a similar level of security could be achieved by "the old tools" if they were by default compiled with Kerberos. Although, this still requires building additional infrastructure.
>
> I must have missed the explanation. But why is having a NONE cipher compiled in, but disabled in the configuration, a bad idea?

My reasoning for wanting SSH/SCP with NONE is precisely because of the ssh key support. It simplifies a lot to be able to use the same key over a VPN and not over the VPN to connect to the same system.
--
Regards,
Bryan Drewery

From: Roger Marquis
Date: Wed, 11 Nov 2015 09:52:49 -0800 (PST)
Subject: Re: OpenSSH HPN

On Wed, 11 Nov 2015, Dag-Erling Smørgrav wrote:
> I want to keep tcpwrapper support - it is another reason why I still
> haven't upgraded OpenSSH, but to the best of my knowledge, it is far
> less intrusive than HPN.

There's also inetd's tcpwrapper support if you call sshd from inetd for D/DOS protection. Inetd and its rate-limiting flags are strongly recommended for security-minded systems. Starting sshd from rc.d should never have been made the default, IMO, as keygen delays are rarely relevant and weren't even back in the days of 300MHz CPUs (18 years ago). The only reason inetd is not more widely used today is that many sysadmins aren't familiar with it.
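The inetd arrangement Roger describes, as an added example that is not part of the thread: a small POSIX sh audit of the three files involved. The configuration texts are constructed samples, not taken from any real host, and the function names are mine. The inetd flags (-w to consult tcpwrappers for external services, -C for a per-source-address connections-per-minute limit) and sshd's -i (inetd mode) are real FreeBSD options; the weak sample sits beside the hardened one so the findings are visible.

```sh
#!/bin/sh
# Added example: audit an inetd-launched sshd setup. The three texts below
# are constructed samples standing in for /etc/rc.conf, /etc/inetd.conf and
# /etc/hosts.allow; nothing here touches the real files.

# Hardened sample: sshd not started as a daemon, inetd enabled with
# tcpwrappers (-w) and a per-source limit of 30 connections/minute (-C).
RC_CONF_GOOD='sshd_enable="NO"
inetd_enable="YES"
inetd_flags="-wW -C 30"'

# Weak sample: both listeners enabled, no rate limit.
RC_CONF_WEAK='sshd_enable="YES"
inetd_enable="YES"
inetd_flags="-wW"'

# inetd.conf: sshd needs -i to serve the single connection inetd hands it.
INETD_CONF_GOOD='ssh  stream  tcp  nowait  root  /usr/sbin/sshd  sshd -i'
INETD_CONF_WEAK='ssh  stream  tcp  nowait  root  /usr/sbin/sshd  sshd'

# hosts.allow: permit one management network, deny everything else.
HOSTS_ALLOW_GOOD='sshd : 192.0.2.0/255.255.255.0 : allow
sshd : ALL : deny'
HOSTS_ALLOW_WEAK='sshd : ALL : allow'

# rc_value VAR TEXT -> value of VAR in rc.conf-style TEXT (last one wins)
rc_value() {
    printf '%s\n' "$2" | awk -F= -v k="$1" '$1 == k { v = $2; gsub(/"/, "", v); print v }' | tail -n 1
}

# audit_inetd_sshd RC INETD HOSTS -> prints one finding per line;
# returns 0 when there are none, 1 otherwise
audit_inetd_sshd() {
    rc=$1; inetd=$2; hosts=$3; status=0
    if [ "$(rc_value sshd_enable "$rc")" = "YES" ] &&
       [ "$(rc_value inetd_enable "$rc")" = "YES" ]; then
        echo "sshd_enable and inetd_enable both YES: two listeners for port 22"
        status=1
    fi
    flags=$(rc_value inetd_flags "$rc")
    case " $flags " in
        *" -C "*) ;;
        *) echo "inetd_flags lacks -C: no per-source rate limit"; status=1 ;;
    esac
    case " $flags " in
        *-w*) ;;
        *) echo "inetd_flags lacks -w: tcpwrappers not consulted"; status=1 ;;
    esac
    entry=$(printf '%s\n' "$inetd" | grep '^ssh[[:space:]]' || true)
    if [ -z "$entry" ]; then
        echo "inetd.conf has no ssh entry"; status=1
    else
        case "$entry" in
            *"sshd -i"*) ;;
            *) echo "inetd.conf ssh entry does not pass -i to sshd"; status=1 ;;
        esac
    fi
    printf '%s\n' "$hosts" | grep -Eq '^sshd[[:space:]]*:[[:space:]]*ALL[[:space:]]*:[[:space:]]*deny' ||
        { echo "hosts.allow has no 'sshd : ALL : deny' fallback"; status=1; }
    return $status
}

# Stand-alone run: the hardened sample is clean, the weak one reports findings.
echo "== hardened sample =="
audit_inetd_sshd "$RC_CONF_GOOD" "$INETD_CONF_GOOD" "$HOSTS_ALLOW_GOOD" && echo "no findings"
echo "== weak sample =="
audit_inetd_sshd "$RC_CONF_WEAK" "$INETD_CONF_WEAK" "$HOSTS_ALLOW_WEAK" || echo "findings above"
```

The deny fallback matters because tcpwrappers evaluates hosts.allow top to bottom and an unmatched client is allowed; the -C limit is what gives the D/DOS protection Roger mentions, since inetd stops spawning sshd for a source that exceeds it.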
Roger Marquis

From: Slawa Olhovchenkov
Date: Wed, 11 Nov 2015 21:13:39 +0300
Subject: Re: OpenSSH HPN

On Wed, Nov 11, 2015 at 05:51:25PM +0100, Dag-Erling Smørgrav wrote:
> Bryan Drewery writes:
> > Another thing that I did with the port was restore the tcpwrapper
> > support that upstream removed. Again, if we decide it is not worth
> > keeping in base I will remove it as default in the port.
>
> I want to keep tcpwrapper support - it is another reason why I still
> haven't upgraded OpenSSH, but to the best of my knowledge, it is far
> less intrusive than HPN.

Can you explain what the problem is? I see openssh in base and openssh in ports (a more recent version) with the same functional patches. You talk about trouble upgrading. What is the root cause? Does openssh in base have a different vendor and/or license? Or something else?

PS: As far as I know today, Kerberos Heimdal is practically dead as an open-source project. Has FreeBSD planned to switch to MIT Kerberos? I know about security/krb5.
From: Dag-Erling Smørgrav
Date: Wed, 11 Nov 2015 19:18:31 +0100
Subject: Re: OpenSSH HPN

Slawa Olhovchenkov writes:
> Can you explain what the problem is?

Radical suggestion: read the first email in the thread.

> PS: As far as I know today, Kerberos Heimdal is practically dead as an open-source
> project. Has FreeBSD planned to switch to MIT Kerberos? I know about
> security/krb5.

We switched from MIT to Heimdal at some point in the past for some reason I don't remember. MIT and Heimdal are *not* interchangeable at the source or binary level, so switching back is not trivial.
DES
--
Dag-Erling Smørgrav - des@des.no

From: Slawa Olhovchenkov
Date: Wed, 11 Nov 2015 21:44:48 +0300
Subject: Re: OpenSSH HPN

On Wed, Nov 11, 2015 at 07:18:31PM +0100, Dag-Erling Smørgrav wrote:
> Slawa Olhovchenkov writes:
> > Can you explain what the problem is?
>
> Radical suggestion: read the first email in the thread.

I read it and don't understand (you talk about the trouble of maintaining the HPN patches). I see a patched version in ports. This version is maintained. What is the problem? Different openssh? Quality of patches? Different branches? Is the ports branch worse (for some reason) than the base branch?

> > PS: As far as I know today, Kerberos Heimdal is practically dead as an open-source
> > project. Has FreeBSD planned to switch to MIT Kerberos? I know about
> > security/krb5.
>
> We switched from MIT to Heimdal at some point in the past for some
> reason I don't remember. MIT and Heimdal are *not* interchangeable at

I think because MIT stopped development in the past.

> the source or binary level, so switching back is not trivial.

I know about this.
From: John-Mark Gurney
Date: Wed, 11 Nov 2015 11:22:22 -0800
Subject: Re: OpenSSH HPN

Daniel Kalchev wrote this message on Wed, Nov 11, 2015 at 17:49 +0200:
> It is my understanding that using the NONE cipher is not identical to using "the old tools" (rsh/rlogin/rcp).
>
> When ssh uses the NONE cipher, credentials and authorization are still encrypted and verified. Only the actual data payload is not encrypted.

Except the point is that you ALREADY trust your network, so you don't need to encrypt the credentials and authorizations, otherwise, why are you running unencrypted payloads?

In fact, if you aren't running at least a MAC, or a final verify, and you're transferring large amounts of data (multiple gigabytes), the data can and will likely be corrupted... See: http://noahdavids.org/self_published/CRC_and_checksum.html

Having not used the NONE cipher, I don't know if the MAC is also removed or not... Either way, the MAC is still the long pole when it comes to encryption w/ AES-NI...

--
John-Mark Gurney                              Voice: +1 415 225 5579
"All that I will do, has been done, All that I have, has not."
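To make John-Mark's point concrete, here is an added example (not from the thread, and not anyone's code from it) contrasting the 16-bit ones' complement checksum TCP carries with an end-to-end SHA-256 comparison. The payload is a constructed 16-byte sample and the function names are mine. Exchanging two aligned 16-bit words leaves the ones' complement sum unchanged, so the transport checksum passes while a final verify over the whole file catches the damage; an SSH MAC would catch the same thing per packet.

```sh
#!/bin/sh
# Added example: a transport checksum versus an end-to-end verify.
# inet_checksum does the arithmetic TCP uses over a segment (16-bit ones'
# complement sum, then complemented); sha256_of is the kind of check a
# final verify gives you. The sample payload is constructed; an even byte
# count keeps the od(1) word split exact.

# sha256_of FILE -> hex digest (sha256sum on Linux, sha256 -q on FreeBSD)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        sha256 -q "$1"
    fi
}

# inet_checksum FILE -> decimal ones' complement checksum of FILE's 16-bit words
inet_checksum() {
    od -An -v -tu2 "$1" | awk '
        { for (i = 1; i <= NF; i++) sum += $i }
        END {
            while (sum > 65535) sum = (sum % 65536) + int(sum / 65536)
            print 65535 - sum
        }'
}

# make_samples DIR -> writes DIR/sent and DIR/received. "received" is the same
# 16 bytes with the first two 16-bit words exchanged ("ba" and "ck"): the
# kind of damage a reordering bug or faulty hardware can cause inside a segment.
make_samples() {
    printf 'backup:block#01\n' > "$1/sent"
    printf 'ckbaup:block#01\n' > "$1/received"
}

# checksums_match A B -> 0 when the TCP-style checksums agree
checksums_match() { [ "$(inet_checksum "$1")" = "$(inet_checksum "$2")" ]; }

# end_to_end_verify A B -> 0 when the SHA-256 digests agree
end_to_end_verify() { [ "$(sha256_of "$1")" = "$(sha256_of "$2")" ]; }

demo() {
    d=$(mktemp -d)
    make_samples "$d"
    printf 'checksum  sent=%s received=%s\n' "$(inet_checksum "$d/sent")" "$(inet_checksum "$d/received")"
    printf 'sha256    sent=%s\n          received=%s\n' "$(sha256_of "$d/sent")" "$(sha256_of "$d/received")"
    if checksums_match "$d/sent" "$d/received"; then echo "transport checksum: no error seen"; fi
    if ! end_to_end_verify "$d/sent" "$d/received"; then echo "end-to-end verify: corruption detected"; fi
    rm -rf "$d"
}
demo
```

The checksum is order-independent because addition is commutative, which is exactly the class of error the noahdavids.org page above discusses; that is why a bulk transfer over a plain TCP stream (rsyncd, nc) still wants a digest comparison at the end, whatever you think of the network.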
From: John-Mark Gurney
Date: Wed, 11 Nov 2015 11:25:03 -0800
Subject: Re: OpenSSH HPN

Ben Woods wrote this message on Wed, Nov 11, 2015 at 16:27 +0800:
> On Wednesday, 11 November 2015, John-Mark Gurney wrote:
>
> > Ben Woods wrote this message on Wed, Nov 11, 2015 at 15:40 +0800:
> > > I have to agree that there are cases when the NONE cipher makes sense, and
> > > it is up to the end user to make sure they know what they are doing.
> > >
> > > Personally I have used it at home to back up my old FreeBSD server (which
> > > does not have AESNI) over a dedicated network connection to a backup server
> > > using rsync/ssh. Since it was not possible for anyone else to be on that
> > > local network, and the server was so old it didn't have AESNI and would
> > > soon be retired, using the NONE cipher sped up the transfer significantly.
> >
> > If you have a trusted network, why not just use nc?
>
> Honest answer: ignorance of how I can use netcat together with rsync.

A quick google of rsync nc turned up method 2 & 4 from: https://rsync.samba.org/firewall.html

--
John-Mark Gurney                              Voice: +1 415 225 5579
"All that I will do, has been done, All that I have, has not."
From: Brooks Davis
Date: Wed, 11 Nov 2015 19:28:06 +0000
Subject: Re: OpenSSH HPN

On Tue, Nov 10, 2015 at 04:40:42PM -0800, Bryan Drewery wrote:
> On 11/10/15 1:42 AM, Dag-Erling Smørgrav wrote:
> > Some of you may have noticed that OpenSSH in base is lagging far behind
> > the upstream code.
> >
> > The main reason for this is the burden of maintaining the HPN patches.
> > They are extensive, very intrusive, and touch parts of the OpenSSH code
> > that change significantly in every release. Since they are not
> > regularly updated, I have to choose between trying to resolve the
> > conflicts myself (hoping I don't break anything) or waiting for them to
> > catch up and then figuring out how to apply the new version.
> >
> > Therefore, I would like to remove the HPN patches from base and refer
> > anyone who really needs them to the openssh-portable port, which has
> > them as a default option. I would also like to remove the NONE cipher
> > patch, which is also available in the port (off by default, just like in
> > base).
>
> I had this same problem as well, but have since reworked the HPN patch
> for ports to be more easily maintained. I've considered offering or
> just updating the base SSH, but have not since we have random changes in
> the HPN functionality in base that would be lost. We for some reason
> decided we were going to maintain our own version and not even upstream
> the changes to the HPN authors which has contributed to this situation.

We had every intention of upstreaming our cleaned up HPN patches and some interest from OpenSSH devs to take the window scaling portion of the patch upstream, but other things intruded and we never found time to complete that work. I think both the window scaling and NONE cipher changes are useful, but do not have time to do anything with them. I'm fine with them being removed from base and replaced or just dropped if they are in the way of progress.

-- Brooks
From: Bryan Drewery
Date: Wed, 11 Nov 2015 10:18:08 -0800
Subject: Re: OpenSSH HPN

On 11/11/2015 10:13 AM, Slawa Olhovchenkov wrote:
> On Wed, Nov 11, 2015 at 05:51:25PM +0100, Dag-Erling Smørgrav wrote:
>
>> Bryan Drewery writes:
>>> Another thing that I did with the port was restore the tcpwrapper
>>> support that upstream removed. Again, if we decide it is not worth
>>> keeping in base I will remove it as default in the port.
>>
>> I want to keep tcpwrapper support - it is another reason why I still
>> haven't upgraded OpenSSH, but to the best of my knowledge, it is far
>> less intrusive than HPN.
>
> Can you explain what the problem is?
> I see openssh in base and openssh in ports (a more recent version)
> with the same functional patches.
> You talk about trouble upgrading. What is the root cause?
> Does openssh in base have a different vendor and/or license?
> Or something else?
>
> PS: As far as I know today, Kerberos Heimdal is practically dead as an open-source
> project. Has FreeBSD planned to switch to MIT Kerberos?
> I know about security/krb5.
>

IMHO the problem comes down to time. Patching an upstream project increases maintenance cost for upgrading it. Every patch adds up. When you become busy and don't have time to pay attention to every little change made in a release, hearing 'removed tcpwrappers support' or 'refactored the code for libssh usage' makes it sound like 1 more thing you must deal with to upgrade that code base and more effort to validate that your patches are right. We obviously don't want to just drop in the latest code and throw it out there as broken. SSH is quite critical and we want to ensure our changes are still right, and that doing something like adding tcpwrappers back in won't introduce some security bug that upstream was coy about.

--
Regards,
Bryan Drewery
21:32:31 +0000 (UTC) (envelope-from bdrewery@FreeBSD.org) Received: from mail.xzibition.com (localhost [IPv6:::1]) by freefall.freebsd.org (Postfix) with ESMTP id 063F3179A; Wed, 11 Nov 2015 21:32:31 +0000 (UTC) (envelope-from bdrewery@FreeBSD.org) Received: from mail.xzibition.com (localhost [172.31.3.2]) by mail.xzibition.com (Postfix) with ESMTP id B7FF312AE9; Wed, 11 Nov 2015 21:32:30 +0000 (UTC) X-Virus-Scanned: amavisd-new at mail.xzibition.com Received: from mail.xzibition.com ([172.31.3.2]) by mail.xzibition.com (mail.xzibition.com [172.31.3.2]) (amavisd-new, port 10026) with LMTP id siI7bbp4dq74; Wed, 11 Nov 2015 21:32:28 +0000 (UTC) Subject: Re: OpenSSH HPN DKIM-Filter: OpenDKIM Filter v2.9.2 mail.xzibition.com 06EE912AE3 To: =?UTF-8?Q?Dag-Erling_Sm=c3=b8rgrav?= , freebsd-current@freebsd.org, freebsd-security@freebsd.org References: <86io5a9ome.fsf@desk.des.no> 
From: Bryan Drewery Openpgp: id=F9173CB2C3AAEA7A5C8A1F0935D771BB6E4697CF; url=http://www.shatow.net/bryan/bryan2.asc Organization: FreeBSD Message-ID: <5643B3EB.1040002@FreeBSD.org> Date: Wed, 11 Nov 2015 13:32:27 -0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0 MIME-Version: 1.0 In-Reply-To: <86io5a9ome.fsf@desk.des.no> Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="PLQESROdcmf1hiLuxprlk9rwgU5HFjvIO" X-Mailman-Approved-At: Wed, 11 Nov 2015 21:45:59 +0000 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Nov 2015 21:32:31 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --PLQESROdcmf1hiLuxprlk9rwgU5HFjvIO Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable On 11/10/2015 1:42 AM, Dag-Erling Sm=C3=B8rgrav wrote: > I would also like to remove the NONE cipher > patch, which is also available in the port (off by default, just like i= n > base). Fun fact, it's been broken in the port for several months with no complaints. It was just reported and fixed upstream in the last day and I wrote in a similar fix in the port. That speaks a lot about its usage in the port currently. 
--=20 Regards, Bryan Drewery --PLQESROdcmf1hiLuxprlk9rwgU5HFjvIO Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBAgAGBQJWQ7PrAAoJEDXXcbtuRpfP/yQH/jr2AHq0W20wECoHpaVFZ3Ar Bd/jNqCA4rjjJfzE76/j/aGSOyXCdecMWSUbu0VkEkTyYSAx4vXUO/mibS3S/Y+g Mp6fRKQnyMzT3P2Us6I9k6Fz3h8xYahOU3wYK+k//1SpiHF0R0gZ8dFNGycgu70y oBMgX0lT4wOxmYJcONppC/WC+AduGFY5FNAbDUBJHaFUlt/OzrS14staOaViLOc4 jfoSvh4/652qvkfTieVsGz95HwSLGGATvJEmNzO41LFj755uA5roZIoZxz90ezID 5ZgyE+++kfA3XaepYXZ2e3so2yoRJB4cTDw2lqUULOnRgMZpsPDiZgRHKSEY3cU= =+f4w -----END PGP SIGNATURE----- --PLQESROdcmf1hiLuxprlk9rwgU5HFjvIO-- From owner-freebsd-security@freebsd.org Wed Nov 11 22:29:23 2015 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 3C7ECA2CE69 for ; Wed, 11 Nov 2015 22:29:23 +0000 (UTC) (envelope-from rsimmons0@gmail.com) Received: from mail-qg0-x22c.google.com (mail-qg0-x22c.google.com [IPv6:2607:f8b0:400d:c04::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id EF4C81333 for ; Wed, 11 Nov 2015 22:29:22 +0000 (UTC) (envelope-from rsimmons0@gmail.com) Received: by qgea14 with SMTP id a14so35004176qge.0 for ; Wed, 11 Nov 2015 14:29:21 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=8XF8wvq6WYGViLGeKQeCsCaIK8xSYMmC2Lfi9EqpCwk=; b=muX/Y9ossqcBLs7Q7lvhy07QOVr5s5KWOntY8poe8qTTSJHd+pZe262G352sVUAlqe yf5ec77ktnrutq5Cnpt7wFw6bXeNnlvEmi7JnD72gJgpKj28i7c4PL1TpiB6dki0OjTG 
+87s/meld4G0irfqaBmOjAvWzyywf/2DpPnq5BPFMoQf3+CxOgnWazusYbkYCR2y/0Os tx8JMd+lFDCpjMBorJ+Y53xso7cXrm8xSXWLf72mQDT4ZQG2UhxS1Gh0GmWUfbadyw96 Uj6C7RRqVVwVSdN+PwTWZ0Viqrpb4YSS35VaZq41wx/IfJP/AAaEFut0wbDrvSUPeMZc MhZA== MIME-Version: 1.0 X-Received: by 10.140.94.201 with SMTP id g67mr13336255qge.43.1447280961689; Wed, 11 Nov 2015 14:29:21 -0800 (PST) Received: by 10.140.32.75 with HTTP; Wed, 11 Nov 2015 14:29:21 -0800 (PST) In-Reply-To: <20151111014102.GQ65715@funkthat.com> References: <86io5a9ome.fsf@desk.des.no> <20151110175216.GN65715@funkthat.com> <56428C84.8050600@FreeBSD.org> <20151111014102.GQ65715@funkthat.com> Date: Wed, 11 Nov 2015 17:29:21 -0500 Message-ID: Subject: Re: OpenSSH HPN 
From: Robert Simmons To: freebsd-security@freebsd.org Content-Type: text/plain; charset=UTF-8 X-Content-Filtered-By: Mailman/MimeDel 2.1.20 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Nov 2015 22:29:23 -0000 I don't think there is such a thing as a trusted network. That is a unicorn these days. If you are using ssh to connect to the VPN server itself over the VPN connection, I can see why that would be useless double encryption. However, if you are connecting to a server on the network on the other side of the VPN, I would still use ssh. No networks should be considered trusted. Here is a great article about Beyond Corp, a Google project based on the idea that trusted networks do not exist in reality, and that systems need to be built with this in mind. https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/43231.pdf On Tue, Nov 10, 2015 at 8:41 PM, John-Mark Gurney wrote: > Bryan Drewery wrote this message on Tue, Nov 10, 2015 at 16:32 -0800: > > On 11/10/15 9:52 AM, John-Mark Gurney wrote: > > > My vote is to remove the HPN patches. First, the NONE cipher made more > > > sense back when we didn't have AES-NI widely available, and you were > > > seriously limited by it's performance. Now we have both aes-gcm and > > > chacha-poly which it's performance should be more than acceptable for > > > today's uses (i.e. cipher performance is 2GB/sec+). > > > > AES-NI doesn't help the absurdity of double-encrypting when using scp or > > rsync/ssh over an encrypted VPN, which is where NONE makes sense to use > > for me. > > Different layers of protection... > > Do you disable all encryption when you're transiting trusted networks > like your VPN? If you don't, why is that ssh session so special? 
> > -- > John-Mark Gurney Voice: +1 415 225 5579 > > "All that I will do, has been done, All that I have, has not." > _______________________________________________ > freebsd-security@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org > " > From owner-freebsd-security@freebsd.org Wed Nov 11 23:33:26 2015 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 3389DA2CF96; Wed, 11 Nov 2015 23:33:26 +0000 (UTC) (envelope-from kaduk@mit.edu) Received: from dmz-mailsec-scanner-6.mit.edu (dmz-mailsec-scanner-6.mit.edu [18.7.68.35]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 8F9A71948; Wed, 11 Nov 2015 23:33:24 +0000 (UTC) (envelope-from kaduk@mit.edu) X-AuditID: 12074423-f797f6d0000023d0-04-5643cf0fb423 Received: from mailhub-auth-4.mit.edu ( [18.7.62.39]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-6.mit.edu (Symantec Messaging Gateway) with SMTP id 9F.F9.09168.F0FC3465; Wed, 11 Nov 2015 18:28:15 -0500 (EST) Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-4.mit.edu (8.13.8/8.9.2) with ESMTP id tABNSERP010994; Wed, 11 Nov 2015 18:28:14 -0500 Received: from multics.mit.edu (system-low-sipb.mit.edu [18.187.2.37]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id tABNSAqx029612 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 11 Nov 2015 18:28:13 -0500 Received: (from kaduk@localhost) by multics.mit.edu (8.12.9.20060308) id tABNSAPh027634; Wed, 11 Nov 2015 18:28:10 -0500 (EST) Date: Wed, 11 Nov 2015 18:28:10 -0500 
(EST) 
From: Benjamin Kaduk To: Daniel Kalchev cc: "freebsd-current@freebsd.org" , "freebsd-security@freebsd.org" Subject: kereros telnet/rlogin/etc. (was Re: OpenSSH HPN) In-Reply-To: <546376BD-A2E7-4B73-904E-4F33DD82401E@digsys.bg> Message-ID: References: <86io5a9ome.fsf@desk.des.no> <20151110175216.GN65715@funkthat.com> <56428C84.8050600@FreeBSD.org> <20151111075930.GR65715@funkthat.com> <546376BD-A2E7-4B73-904E-4F33DD82401E@digsys.bg> User-Agent: Alpine 1.10 (GSO 962 2008-03-14) MIME-Version: 1.0 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFupkleLIzCtJLcpLzFFi42IRYrdT1+U/7xxmcPIpr8XVDwcYLea8+cBk 0bPpCZsDs8el5X9YPGZ8ms8SwBTFZZOSmpNZllqkb5fAlfFw/Qa2glVcFY/fyzYw7ufoYuTk kBAwkTjwdQozhC0mceHeerYuRi4OIYHFTBInvp1ggXA2Mkq8f9LOCuEcYpJYd2kiO4TTwCjx qf0eC0g/i4C2xPKJ19hBbDYBFYmZbzaygdgiAqoSl46eBetmFmhnlJi3dRYjSEJYwFJi85dl YDangK3E94YmsEN4BRwltr2ZANYsJHCBSeLrcX8QW1RAR2L1/iksEDWCEidnPgGyOYCGBkrc OmU4gVFwFpLMLIQMSJhZQF2i8cFZNghbW+L+zTa2BYwsqxhlU3KrdHMTM3OKU5N1i5MT8/JS i3TN9HIzS/RSU0o3MYJD3EV5B+Ofg0qHGAU4GJV4eCfMdA4TYk0sK67MPcQoycGkJMorfwIo xJeUn1KZkVicEV9UmpNafIhRgoNZSYQ3YB5QjjclsbIqtSgfJiXNwaIkzrvpB1+IkEB6Yklq dmpqQWoRTFaGg0NJgvfSWaBGwaLU9NSKtMycEoQ0EwcnyHAeoOHS50CGFxck5hZnpkPkTzEq SonzHgZpFgBJZJTmwfWCU9BuJtVXjOJArwjzvgSp4gGmL7juV0CDmYAGf5FwAhlckoiQkmpg lGOb+mbnthcs86Xn3BGWu+//+ubnfI+uSV+6td9s6lBddy9Vp7r34v99Nyau3vk3sF7vzQ4G Lgfx/2s9Wk9wSLg2evQbOIq7xuSGyIlM+P9y/0u5hh33pymbqNpPebpBNsPG8Mba86XbKh0d Xl9kyfZocF91ZYP+t/cT6/59bY7m/cF4mP3YBSWW4oxEQy3mouJEAJV7fRocAwAA Content-Type: TEXT/PLAIN; charset=utf-8 Content-Transfer-Encoding: QUOTED-PRINTABLE X-Content-Filtered-By: Mailman/MimeDel 2.1.20 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Nov 2015 23:33:26 -0000 On Wed, 11 Nov 2015, Daniel Kalchev wrote: > > Perhaps similar level of security could be achieved by =E2=80=9Cthe old t= ools=E2=80=9D > if 
they were by default compiled with Kerberos. Although, this still > requires building additional infrastructure. The kerberized versions of the old tools are basically unsupported upstream at this point. Telnet is actively insecure, being limited to single-DES; rlogin may be somewhat better but it's still not looking very good. ssh is better because it speaks GSS-API instead of raw kerberos, and can thus keeps up with newer crypto automatically. When I was working at MIT, I considered making a final release of the krb5-appl distribution, so as to include in the release announcement that they were not going to be supported further, but could not even bring myself to do that. They are not in Debian anymore, and I expect them to dwindle from other distributions, too. Let the "old tools" grow old and retire. -Ben From owner-freebsd-security@freebsd.org Wed Nov 11 23:48:36 2015 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 50545A2C3B9 for ; Wed, 11 Nov 2015 23:48:36 +0000 (UTC) (envelope-from bilbo@hobbiton.org) Received: from mail-wm0-x236.google.com (mail-wm0-x236.google.com [IPv6:2a00:1450:400c:c09::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id DB40B10FA for ; Wed, 11 Nov 2015 23:48:35 +0000 (UTC) (envelope-from bilbo@hobbiton.org) Received: by wmdw130 with SMTP id w130so133195231wmd.0 for ; Wed, 11 Nov 2015 15:48:34 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hobbiton_org.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=0tuAvlkZYjOvtSv/6UaY636uzA2vY6XgvZ/LF3w2LI0=; b=rLwF1PUBUUMCATxsQhftQUKKlwk7TzrdCh+wWL1We2/i/jF/ISm3wjDNYCzn87xpiV 
i1+iSUDak3vvJWbfyjq3CtftI9BXkgS9VFeaidnX92Oc6n88pZeTD6/LQzKDYAB62VSh ra74MdayLYWVvmuGTlO8lmReKQYk0cAFeJZDLkfQX6ANF4bm+GL4SKD7dhcrg2k01Nps QHi/gLbuxLSbKJC0QvVafBIc3gTFFT5nbxXeCRzTQ2tYaJ+buI1aJRf71UJU6ffiwSiE 8ZtayXMFFOts6RdA+OlHEQMdQVHOf1nuXDZr9w4gTNmeHcf/LVfjQ/p46HYZtzSyfSKd GUAw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=0tuAvlkZYjOvtSv/6UaY636uzA2vY6XgvZ/LF3w2LI0=; b=EeXPcoaJbfZghkzhOO77ZCB+naXbvudEl1GLmsQDNIk/dYO4ohlMkWz81jF9hxncjB x6s/cXyjcStvOt0h72XqIDlj/gXBXFlQsA/4m3RqWMgQCaEMU4eW4oLqlFODxd1Cm3rV rSRW7EE3NZIB0P3kS/IZO0/qN4/7M3hU9I6+2BvLYqyK0shWrbYLXUiK31i+8k1V71YO 1Wi4PkGiK8ozTz3oWPw77DPwuCieawmgDEuRAcmVULsrJ1PMPH0iHNK5byvViUNcDb7b yL+Nm90OLrDBY3Qn4YDtxD3/f7IKBcdhJHex8NERap5O/PictHvvoeYocOZO3guj0zeS q+lg== X-Gm-Message-State: ALoCoQlNRojcCeBj6iuhgJvGGhtaKHIgKuUrff+onAKAlO21EU4WbRPdngUDmXmkY7FRbwRiBW7U X-Received: by 10.28.137.211 with SMTP id l202mr14487997wmd.90.1447285714028; Wed, 11 Nov 2015 15:48:34 -0800 (PST) MIME-Version: 1.0 Received: by 10.28.100.134 with HTTP; Wed, 11 Nov 2015 15:47:54 -0800 (PST) X-Originating-IP: [96.3.203.123] In-Reply-To: References: <86io5a9ome.fsf@desk.des.no> <20151110175216.GN65715@funkthat.com> <56428C84.8050600@FreeBSD.org> <20151111014102.GQ65715@funkthat.com> 
From: Leif Pedersen Date: Wed, 11 Nov 2015 17:47:54 -0600 Message-ID: Subject: Re: OpenSSH HPN To: Robert Simmons Cc: "freebsd-security@freebsd.org" Content-Type: text/plain; charset=UTF-8 X-Content-Filtered-By: Mailman/MimeDel 2.1.20 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Nov 2015 23:48:36 -0000 On Wed, Nov 11, 2015 at 4:29 PM, Robert Simmons wrote: > I don't think there is such a thing as a trusted network. That is a unicorn > these days. > > No networks should be considered trusted. > oh baloney. That's just a clever way to say you want to stop thinking about trust. If I've connected two machines directly, that network is more trustworthy than any encryption. This is not rare, but typical for system recovery, which is where nc and ssh with the none cipher are highly useful. It's also not a bridge too far to claim a network is trusted when it has 1000 computers on a special-purpose processing network with access only allowed by the admins that built it, and perhaps an API. In those networks, the nodes work together like storage and CPUs work together in a single computer. The only difference is that SATA disks and x86 CPUs are replaced by general-purpose computers running Cassandra and Nginx, connected by ethernet, so that you can connect thousands together instead of dozens. Do you always insist on encryption on your SATA cables and memory buses? That sort of special-purpose network is not rare either; rather it's typical for internet services where the load is beyond what a single machine can handle, or clusters that run models that are too large for a single machine. Trustworthy networks do exist. They just aren't the same networks as 20 years ago. -- As implied by email protocols, the information in this message is not confidential. 
Any middle-man or recipient may inspect, modify, copy, forward, reply to, delete, or filter email for any purpose unless said parties are otherwise obligated. As the sender, I acknowledge that I have a lower expectation of the control and privacy of this message than I would a post-card. Further, nothing in this message is legally binding without cryptographic evidence of its integrity. http://bilbo.hobbiton.org/wiki/Eat_My_Sig From owner-freebsd-security@freebsd.org Wed Nov 11 23:56:10 2015 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 36F48A2C5FD; Wed, 11 Nov 2015 23:56:10 +0000 (UTC) (envelope-from slw@zxy.spb.ru) Received: from zxy.spb.ru (zxy.spb.ru [195.70.199.98]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id E5FC71648; Wed, 11 Nov 2015 23:56:09 +0000 (UTC) (envelope-from slw@zxy.spb.ru) Received: from slw by zxy.spb.ru with local (Exim 4.86 (FreeBSD)) (envelope-from ) id 1ZwfFG-000Bqg-FP; Thu, 12 Nov 2015 02:56:06 +0300 Date: Thu, 12 Nov 2015 02:56:06 +0300 
From: Slawa Olhovchenkov To: Bryan Drewery Cc: Dag-Erling =?utf-8?B?U23DuHJncmF2?= , freebsd-security@freebsd.org, freebsd-current@freebsd.org Subject: Re: OpenSSH HPN Message-ID: <20151111235606.GF48728@zxy.spb.ru> References: <86io5a9ome.fsf@desk.des.no> <56428E8A.3090201@FreeBSD.org> <56428F59.5010908@FreeBSD.org> <86y4e47uty.fsf@desk.des.no> <56436F4B.8050002@FreeBSD.org> <86r3jwfpiq.fsf@desk.des.no> <20151111181339.GE48728@zxy.spb.ru> <56438660.5010508@FreeBSD.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <56438660.5010508@FreeBSD.org> User-Agent: Mutt/1.5.24 (2015-08-30) X-SA-Exim-Connect-IP: X-SA-Exim-Mail-From: slw@zxy.spb.ru X-SA-Exim-Scanned: No (on zxy.spb.ru); SAEximRunCond expanded to false X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Nov 2015 23:56:10 -0000 On Wed, Nov 11, 2015 at 10:18:08AM -0800, Bryan Drewery wrote: > On 11/11/2015 10:13 AM, Slawa Olhovchenkov wrote: > > On Wed, Nov 11, 2015 at 05:51:25PM +0100, Dag-Erling Smørgrav wrote: > > > >> Bryan Drewery writes: > >>> Another thing that I did with the port was restore the tcpwrapper > >>> support that upstream removed. Again, if we decide it is not worth > >>> keeping in base I will remove it as default in the port. > >> > >> I want to keep tcpwrapper support - it is another reason why I still > >> haven't upgraded OpenSSH, but to the best of my knowledge, it is far > >> less intrusive than HPN. > > > > Can you explain what is problem? > > I am see openssh in base and openssh in ports (more recent version) > > with same functionaly patches. > > You talk about trouble to upgrade. What is root? > > openssh in base have different vendor and/or license? > > Or something else? 
> > > > PS: As I today know, kerberos heimdal is practicaly dead as opensource > > project. Have FreeBSD planed switch to MIT Kerberos? > > I am know about security/krb5. > > > > IMHO the problem comes down to time. Patching an upstream project > increases maintenance cost for upgrading it. Every patch adds up. When > you become busy and don't have time to pay attention to every little > change made in a release, hearing 'removed tcpwrappers support' or > 'refactored the code for libssh usage' makes it sound like 1 more > thing you must deal with to upgrade that code base and more effort to > validate that your patches are right. We obviously don't want to just > drop in the latest code and throw it out there as broken. SSH is quite > critical and we want to ensure our changes are still right, and that > doing something like adding tcpwrappers back in won't introduce some > security bug that upstream was coy about. Some for as ports version? Or ports version different? Or port mantainer have more time (this is not to blame for DES)? I am just don't know what is different between port ssh and base ssh. We need ssh 6.x in base, not 7.x as in port (why?) and this is need independed work on pathes? I am missing somehow commonplace for others. 
From owner-freebsd-security@freebsd.org Thu Nov 12 00:05:08 2015
From: Slawa Olhovchenkov
To: Bryan Drewery
Cc: Dag-Erling Smørgrav, freebsd-security@freebsd.org, freebsd-current@freebsd.org
Subject: Re: OpenSSH HPN
Message-ID: <20151112000505.GG48728@zxy.spb.ru>
Date: Thu, 12 Nov 2015 03:05:05 +0300
In-Reply-To: <5643D62B.8040603@FreeBSD.org>

On Wed, Nov 11, 2015 at 03:58:35PM -0800, Bryan Drewery wrote:
> > Same for the ports version?
> > Or is the ports version different?
> > Or does the port maintainer have more time (this is not to blame DES)?
> > I just don't know what is different between the port ssh and the base ssh.
> > We need ssh 6.x in base, not 7.x as in the port (why?), and this needs
> > independent work on patches?
> > I am somehow missing something that is commonplace for others.
> >
>
> I am the ports maintainer. That was my opinion on why OpenSSH falls
> behind. There is no real difference between the base and port version
> except that the port version has some more optional patches, and is
> easier to push updates for through ports and packages, rather than an
> Errata through freebsd-update or a full release to get to the latest
> OpenSSH version.

This impacts only deployment, not patching, right?
Or were bugs found around the HPN/NONE patches?

> There have been many times where the base version was more up-to-date
> than the port as well due to the lack of a maintainer or the previously
> mentioned patch blockers.

From owner-freebsd-security@freebsd.org Thu Nov 12 00:06:54 2015
From: Slawa Olhovchenkov
To: Bryan Drewery
Cc: Dag-Erling Smørgrav, freebsd-current@freebsd.org, freebsd-security@freebsd.org
Subject: Re: OpenSSH HPN
Message-ID: <20151112000651.GH48728@zxy.spb.ru>
Date: Thu, 12 Nov 2015 03:06:51 +0300
In-Reply-To: <5643B3EB.1040002@FreeBSD.org>

On Wed, Nov 11, 2015 at 01:32:27PM -0800, Bryan Drewery wrote:
> On 11/10/2015 1:42 AM, Dag-Erling Smørgrav wrote:
> > I would also like to remove the NONE cipher
> > patch, which is also available in the port (off by default, just like in
> > base).
>
> Fun fact, it's been broken in the port for several months with no
> complaints. It was just reported and fixed upstream in the last day and
> I wrote in a similar fix in the port. That speaks a lot about its usage
> in the port currently.

I tried using HPN/NONE with base ssh and was confused: I don't see a
performance rise, and it is too complex to enable and too complex to use.
From owner-freebsd-security@freebsd.org Wed Nov 11 23:58:41 2015 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id C044CA2C934; Wed, 11 Nov 2015 23:58:41 +0000 (UTC) (envelope-from bdrewery@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) by mx1.freebsd.org (Postfix) with ESMTP id A712319A7; Wed, 11 Nov 2015 23:58:41 +0000 (UTC) (envelope-from bdrewery@FreeBSD.org) Received: from mail.xzibition.com (localhost [IPv6:::1]) by freefall.freebsd.org (Postfix) with ESMTP id 9E52D1C91; Wed, 11 Nov 2015 23:58:41 +0000 (UTC) (envelope-from bdrewery@FreeBSD.org) Received: from mail.xzibition.com (localhost [172.31.3.2]) by mail.xzibition.com (Postfix) with ESMTP id 5A19712E25; Wed, 11 Nov 2015 23:58:41 +0000 (UTC) X-Virus-Scanned: amavisd-new at mail.xzibition.com Received: from mail.xzibition.com ([172.31.3.2]) by mail.xzibition.com (mail.xzibition.com [172.31.3.2]) (amavisd-new, port 10026) with LMTP id mTaLbAIfHwLh; Wed, 11 Nov 2015 23:58:38 +0000 (UTC) Subject: Re: OpenSSH HPN DKIM-Filter: OpenDKIM Filter v2.9.2 mail.xzibition.com EAF2E12E20 To: Slawa Olhovchenkov References: <86io5a9ome.fsf@desk.des.no> <56428E8A.3090201@FreeBSD.org> <56428F59.5010908@FreeBSD.org> <86y4e47uty.fsf@desk.des.no> <56436F4B.8050002@FreeBSD.org> <86r3jwfpiq.fsf@desk.des.no> <20151111181339.GE48728@zxy.spb.ru> <56438660.5010508@FreeBSD.org> <20151111235606.GF48728@zxy.spb.ru> Cc: =?UTF-8?Q?Dag-Erling_Sm=c3=b8rgrav?= , freebsd-security@freebsd.org, freebsd-current@freebsd.org 
From: Bryan Drewery Openpgp: id=F9173CB2C3AAEA7A5C8A1F0935D771BB6E4697CF; url=http://www.shatow.net/bryan/bryan2.asc Organization: FreeBSD Message-ID: <5643D62B.8040603@FreeBSD.org> Date: Wed, 11 Nov 2015 15:58:35 -0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0 MIME-Version: 1.0 In-Reply-To: <20151111235606.GF48728@zxy.spb.ru> Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="rdmSPKq4u6lOTXKlnn8nQbGD4p7Xaijl9" X-Mailman-Approved-At: Thu, 12 Nov 2015 00:29:41 +0000 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Nov 2015 23:58:41 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --rdmSPKq4u6lOTXKlnn8nQbGD4p7Xaijl9 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable On 11/11/2015 3:56 PM, Slawa Olhovchenkov wrote: > On Wed, Nov 11, 2015 at 10:18:08AM -0800, Bryan Drewery wrote: >=20 >> On 11/11/2015 10:13 AM, Slawa Olhovchenkov wrote: >>> On Wed, Nov 11, 2015 at 05:51:25PM +0100, Dag-Erling Sm=C3=B8rgrav wr= ote: >>> >>>> Bryan Drewery writes: >>>>> Another thing that I did with the port was restore the tcpwrapper >>>>> support that upstream removed. Again, if we decide it is not worth >>>>> keeping in base I will remove it as default in the port. >>>> >>>> I want to keep tcpwrapper support - it is another reason why I still= >>>> haven't upgraded OpenSSH, but to the best of my knowledge, it is far= >>>> less intrusive than HPN. >>> >>> Can you explain what is problem? >>> I am see openssh in base and openssh in ports (more recent version) >>> with same functionaly patches. >>> You talk about trouble to upgrade. What is root? >>> openssh in base have different vendor and/or license? >>> Or something else? 
>>> >>> PS: As I today know, kerberos heimdal is practicaly dead as opensourc= e >>> project. Have FreeBSD planed switch to MIT Kerberos? >>> I am know about security/krb5. >>> >> >> IMHO the problem comes down to time. Patching an upstream project >> increases maintenance cost for upgrading it. Every patch adds up. When= >> you become busy and don't have time to pay attention to every little >> change made in a release, hearing 'removed tcpwrappers support' or >> 'refactored the code for libssh usage' makes it sound like 1 mo= re >> thing you must deal with to upgrade that code base and more effort to >> validate that your patches are right. We obviously don't want to just >> drop in the latest code and throw it out there as broken. SSH is quite= >> critical and we want to ensure our changes are still right, and that >> doing something like adding tcpwrappers back in won't introduce some >> security bug that upstream was coy about. >=20 > Some for as ports version? > Or ports version different? > Or port mantainer have more time (this is not to blame for DES)? > I am just don't know what is different between port ssh and base ssh. > We need ssh 6.x in base, not 7.x as in port (why?) and this is need > independed work on pathes? > I am missing somehow commonplace for others. >=20 I am the ports maintainer. That was my opinion on why OpenSSH falls behind. There is no real difference between the base and port version except that the port version has some more optional patches, and is easier to push updates for through ports and packages, rather than an Errata through freebsd-update or a full release to get to the latest OpenSSH version. There have been many times where the base version was more up-to-date than the port as well due to the lack of a maintainer or the previously mentioned patch blockers. 
-- 
Regards,
Bryan Drewery

From: Bryan Drewery
To: Slawa Olhovchenkov
Cc: Dag-Erling Smørgrav, freebsd-security@freebsd.org, freebsd-current@freebsd.org
Subject: Re: OpenSSH HPN
Date: Wed, 11 Nov 2015 16:10:51 -0800
Message-ID: <5643D90B.4020904@FreeBSD.org>
In-Reply-To: <20151112000505.GG48728@zxy.spb.ru>

On 11/11/15 4:05 PM, Slawa Olhovchenkov wrote:
> On Wed, Nov 11, 2015 at 03:58:35PM -0800, Bryan Drewery wrote:
>
>>> Some for as ports version?
>>> Or ports version different?
>>> Or port maintainer have more time (this is not to blame for DES)?
>>> I just don't know what is different between port ssh and base ssh.
>>> We need ssh 6.x in base, not 7.x as in port (why?) and this is need
>>> independent work on patches?
>>> I am missing somehow commonplace for others.
>>>
>>
>> I am the ports maintainer. That was my opinion on why OpenSSH falls
>> behind. There is no real difference between the base and port version
>> except that the port version has some more optional patches, and is
>> easier to push updates for through ports and packages, rather than an
>> Errata through freebsd-update or a full release to get to the latest
>> OpenSSH version.
>
> This impact only to deploy, not to patch, right?

It's harder to maintain the port version due to how the patches are
applied and generated. That's only my problem though.

> Or bugs found around HPN/NONE patches?
>
>> There have been many times where the base version was more up-to-date
>> than the port as well due to the lack of a maintainer or the previously
>> mentioned patch blockers.
-- 
Regards,
Bryan Drewery

From: Robert Simmons
To: freebsd-security@freebsd.org
Subject: Re: OpenSSH HPN
Date: Wed, 11 Nov 2015 19:32:07 -0500

Oh just the opposite of what you're claiming. Did you even read the
article about the Beyond Corp project? It is 100% about thinking very
hard about trust and making sure that the trust model used doesn't
depend on the concept of internal/external network.

Also, the type of thinking where two or more machines are connected
directly or are on their own separate network is what lands you in a
situation like BACnet. Now you have a pentester with a vampire tap in
the basement lobby sniffing your unencrypted traffic on your "trusted"
BACnet.

On Wed, Nov 11, 2015 at 6:47 PM, Leif Pedersen wrote:
> On Wed, Nov 11, 2015 at 4:29 PM, Robert Simmons wrote:
>
>> I don't think there is such a thing as a trusted network. That is a
>> unicorn these days.
>>
>> No networks should be considered trusted.
>>
>
> oh baloney. That's just a clever way to say you want to stop thinking
> about trust.
>
> If I've connected two machines directly, that network is more trustworthy
> than any encryption. This is not rare, but typical for system recovery,
> which is where nc and ssh with the none cipher are highly useful.
>
> It's also not a bridge too far to claim a network is trusted when it has
> 1000 computers on a special-purpose processing network with access only
> allowed by the admins that built it, and perhaps an API. In those networks,
> the nodes work together like storage and CPUs work together in a single
> computer. The only difference is that SATA disks and x86 CPUs are replaced
> by general-purpose computers running Cassandra and Nginx, connected by
> ethernet, so that you can connect thousands together instead of dozens. Do
> you always insist on encryption on your SATA cables and memory buses?
>
> That sort of special-purpose network is not rare either; rather it's
> typical for internet services where the load is beyond what a single
> machine can handle, or clusters that run models that are too large for a
> single machine.
>
> Trustworthy networks do exist. They just aren't the same networks as 20
> years ago.
>
> --
>
> As implied by email protocols, the information in this message is
> not confidential. Any middle-man or recipient may inspect, modify,
> copy, forward, reply to, delete, or filter email for any purpose unless
> said parties are otherwise obligated. As the sender, I acknowledge that
> I have a lower expectation of the control and privacy of this message
> than I would a post-card. Further, nothing in this message is
> legally binding without cryptographic evidence of its integrity.
>
> http://bilbo.hobbiton.org/wiki/Eat_My_Sig
>

From: Roger Marquis
To: Leif Pedersen
Cc: Robert Simmons, freebsd-security@freebsd.org
Subject: Re: OpenSSH HPN
Date: Wed, 11 Nov 2015 17:05:48 -0800 (PST)

> Trustworthy networks do exist. They just aren't the same networks as 20
> years ago.

They do of course but is that really relevant considering how rare
verifiably trustworthy networks are, particularly in light of what we
know about NONE cipher usage?

The same logic applies to SCTP. It is little used, has been the source
of multiple vulnerabilities, but still exists in GENERIC. Since both of
these security issues can be easily compiled around I only wonder why
FreeBSD doesn't default to the more secure defaults.

Roger Marquis
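Whether the NONE cipher is actually switched on in a given installation is something an administrator can check rather than guess at. The script below is an added example for this thread, not code from the thread, from FreeBSD or from the HPN project: it reads an sshd_config and reports every directive that would let a session negotiate no encryption. It assumes the keyword names used by the HPN patch set, NoneEnabled (server and client side) and NoneSwitch (client side), and the ordinary OpenSSH config syntax (one keyword per line, keywords compared case-insensitively, lines beginning with '#' are comments, a Match line opens a block that lasts until the next Match). Both configuration texts are constructed samples.

```python
"""Audit an OpenSSH sshd_config for switches that enable the NONE cipher.

Added example; not code from this thread, from FreeBSD or from the HPN
project.  Assumptions: the HPN patch set's keyword names NoneEnabled
(server and client) and NoneSwitch (client), and standard OpenSSH config
syntax (one keyword per line, keywords case-insensitive, '#' lines are
comments, Match opens a block that lasts until the next Match).  Both
configuration texts below are constructed samples.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: NONE switched on globally and again inside a Match
# block, plus a Ciphers list that names "none" directly.
WEAK_SSHD_CONFIG = """\
# sshd_config (constructed sample, weak)
Port 22
Protocol 2
#NoneEnabled no
Ciphers aes128-ctr,aes256-gcm@openssh.com
NoneEnabled yes

Match Address 10.0.0.0/8
    NoneEnabled yes
    Ciphers none,aes128-ctr
"""

# Constructed sample: the same file with NONE explicitly off everywhere.
HARDENED_SSHD_CONFIG = """\
# sshd_config (constructed sample, hardened)
Port 22
Protocol 2
NoneEnabled no
Ciphers aes128-ctr,aes256-gcm@openssh.com

Match Address 10.0.0.0/8
    NoneEnabled no
"""

# "keyword value" or "keyword = value"; the keyword contains no '=' or blank.
_DIRECTIVE = re.compile(r"^([^\s=]+)\s*=?\s*(.*?)\s*$")


@dataclass(frozen=True)
class Finding:
    line_no: int
    keyword: str   # lower-cased, as OpenSSH compares keywords
    value: str
    scope: str     # "global" or the Match criteria the directive sits under


def parse_directives(text: str) -> list[tuple[int, str, str, str]]:
    """Return (line_no, keyword, value, scope) for each active directive."""
    scope = "global"
    directives = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # OpenSSH treats empty lines and lines whose first character is '#'
        # as comments; a '#' later in the line is part of the value.
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if m is None:
            continue
        keyword, value = m.group(1).lower(), m.group(2)
        if keyword == "match":
            scope = f"Match {value}"  # every following line belongs to it
            continue
        directives.append((line_no, keyword, value, scope))
    return directives


def audit_none_cipher(text: str) -> list[Finding]:
    """Flag every directive that would allow an unencrypted session."""
    findings = []
    for line_no, keyword, value, scope in parse_directives(text):
        if keyword in ("noneenabled", "noneswitch") and value.lower() == "yes":
            findings.append(Finding(line_no, keyword, value, scope))
        elif keyword == "ciphers":
            if "none" in [c.strip().lower() for c in value.split(",")]:
                findings.append(Finding(line_no, keyword, value, scope))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        hits = audit_none_cipher(cfg)
        print(f"{name}: {len(hits)} finding(s)")
        for f in hits:
            print(f"  line {f.line_no} [{f.scope}] {f.keyword} {f.value}")
```

The audit reports every occurrence instead of computing one effective value, because a NoneEnabled inside a Match block applies only to the connections that block matches, and a reviewer wants to see each such exception on its own line. On a build without the HPN patches the keywords are simply unknown to sshd, so a clean report from this script is necessary but not sufficient: the binary's own cipher list (ssh -Q cipher on a recent OpenSSH) is the other half of the check.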
From: Dag-Erling Smørgrav
To: Bryan Drewery
Cc: Slawa Olhovchenkov, freebsd-current@freebsd.org, freebsd-security@freebsd.org
Subject: Re: OpenSSH HPN
Date: Thu, 12 Nov 2015 10:53:24 +0100
Message-ID: <86mvuja6i3.fsf@desk.des.no>
In-Reply-To: <5643D90B.4020904@FreeBSD.org> (Bryan Drewery's message of "Wed, 11 Nov 2015 16:10:51 -0800")

Bryan Drewery writes:
> It's harder to maintain the port version due to how the patches are
> applied and generated.

I have the diametrically opposite experience. The workflow for ports is
significantly simpler than for base. Perhaps I should set up a parallel
workflow for OpenSSH and apply the output of that workflow to the source
tree instead of working entirely within the source tree.

DES
-- 
Dag-Erling Smørgrav - des@des.no

Date: Thu, 12 Nov 2015 23:58:23 +1100
Subject: Re: OpenSSH HPN
In-Reply-To: <20151111184448.GR31314@zxy.spb.ru>
From: Dewayne Geraghty
To: Slawa Olhovchenkov
Cc: Dag-Erling Smørgrav, freebsd-security@freebsd.org, freebsd-current@freebsd.org, Bryan Drewery

Slawa,

Heimdal is (and has been for some time) undergoing constant development.
For reasons unknown, they do not perform releases. I am aware of updates
from heimdal that are being applied to the samba project (in fact some of
the samba developers are also feeding into heimdal). The latest discussion
was that the heimdal project are going to release a 1.7 "sometime",
skipping 1.6 completely.

Des - good to make your intentions public. I've enjoyed your youtube
presentations and recognise that your time will be better spent. ( better
authentication perhaps ;) )

Bryan - is doing a good job of looking after the openssh port. And if folks
really need those additional features, then that is the place to enhance
the "standard" offering; which can be upgraded in a pretty straightforward
manner.

Thought-provoking use of inetd; perhaps it's time to revisit as (an
additional) DOS measure(?)

Regards, Dewayne.

PS My apologies for the repetition Slawa, I meant to reply all earlier. I'm
recently becoming familiar with the gmail interface.

On Thu, Nov 12, 2015 at 5:44 AM, Slawa Olhovchenkov wrote:
> On Wed, Nov 11, 2015 at 07:18:31PM +0100, Dag-Erling Smørgrav wrote:
>
> > Slawa Olhovchenkov writes:
> > > Can you explain what is problem?
> >
> > Radical suggestion: read the first email in the thread.
>
> I have read it and don't understand (you talk about trouble of maintaining
> the HPN patches).
> I see patched version in ports. This version maintaining.
> What is problem? Different openssh? Quality of patches?
> Different branches?
> ports branch is worse (by some reason) base branch?
>
> > > PS: As I today know, kerberos heimdal is practically dead as opensource
> > > project. Has FreeBSD planned to switch to MIT Kerberos? I know about
> > > security/krb5.
> >
> > We switched from MIT to Heimdal at some point in the past for some
> > reason I don't remember. MIT and Heimdal are *not* interchangeable at
>
> I think because MIT stop development in the past.
>
> > the source or binary level, so switching back is not trivial.
>
> I know about this.
>

Date: Thu, 12 Nov 2015 21:28:41 -0500 (EST)
From: Benjamin Kaduk
To: Dewayne Geraghty
Cc: freebsd-security@freebsd.org, freebsd-current@freebsd.org
Subject: Re: OpenSSH HPN

On Thu, 12 Nov 2015, Dewayne Geraghty wrote:

> Heimdal is (and has been for some time) undergoing constant development.
> For reasons unknown, they do not perform releases. I am aware of updates
> from heimdal that are being applied to the samba project (in fact some of
> the samba developers are also feeding into heimdal). The latest discussion
> was that the heimdal project are going to release a 1.7 "sometime",
> skipping 1.6 completely.

Things seem to have slowed down a lot since the lead Heimdal developer
got hired for Apple. They have Apple-internal changes that don't
necessarily make their way back to the public project right away, and he
is quite busy. There is no one who is employed to be a Heimdal release
manager, and the main developers all have other projects -- putting out
a release takes a fair bit of energy. MIT employs developers whose job
descriptions include being the krb5 release manager, so there is
financial support for putting out regular releases.

Heimdal has changed plans to a 1.7 release because certain Linux
distributions packaged a snapshot of the 1.6 tree (to support Samba, as
I understand it), but then Heimdal development continued so that what
would be in the next release would not really reflect what was already
deployed using the 1.6 label. As I understand it, there are still a
couple bugfixes/features that are considered to be blockers for the 1.7
release that have not been implemented yet, and since the developers in
question are being paid to work on other things, there is no real
timeline for the release.

-Ben Kaduk

Subject: Re: OpenSSH HPN
To: Brooks Davis, Bryan Drewery
Cc: Dag-Erling Smørgrav, freebsd-current@freebsd.org, freebsd-security@freebsd.org
From: Julian Elischer
Date: Fri, 13 Nov 2015 10:29:58 +0800
Message-ID: <56454B26.7050300@freebsd.org>
In-Reply-To: <20151111192806.GB44561@spindle.one-eyed-alien.net>

On 11/12/15 3:28 AM, Brooks Davis wrote:
> On Tue, Nov 10, 2015 at 04:40:42PM -0800, Bryan Drewery wrote:
>> On 11/10/15 1:42 AM, Dag-Erling Smørgrav wrote:
>>> Some of you may have noticed that OpenSSH in base is lagging far behind
>>> the upstream code.
>>>
>>> The main reason for this is the burden of maintaining the HPN patches.
>>> They are extensive, very intrusive, and touch parts of the OpenSSH code
>>> that change significantly in every release. Since they are not
>>> regularly updated, I have to choose between trying to resolve the
>>> conflicts myself (hoping I don't break anything) or waiting for them to
>>> catch up and then figuring out how to apply the new version.
>>>
>>> Therefore, I would like to remove the HPN patches from base and refer
>>> anyone who really needs them to the openssh-portable port, which has
>>> them as a default option. I would also like to remove the NONE cipher
>>> patch, which is also available in the port (off by default, just like in
>>> base).
>> I had this same problem as well, but have since reworked the HPN patch
>> for ports to be more easily maintained. I've considered offering or
>> just updating the base SSH, but have not since we have random changes in
>> the HPN functionality in base that would be lost. We for some reason
>> decided we were going to maintain our own version and not even upstream
>> the changes to the HPN authors which has contributed to this situation.
> We had every intention of upstreaming our cleaned up HPN patches and some
> interest from OpenSSH devs to take the window scaling portion of the
> patch upstream, but other things intruded and we never found time to
> complete that work. I think both the window scaling and NONE cipher
> changes are useful, but do not have time to do anything with them. I'm
> fine with them being removed from base and replaced or just dropped if
> they are in the way of progress.

it would be nice if the outcome of this thread was that HPN patches (or
something equivalent) were available by default in OpenSSH.

We also have our own patch we add to give a NODELAY option. It made a
huge difference with tunnels where lots of small RPC packets were being
sent. I'll look at getting it into upstream.

>
> -- Brooks

Subject: Re: OpenSSH HPN
To: Bryan Drewery, Dag-Erling Smørgrav, freebsd-current@freebsd.org, freebsd-security@freebsd.org
From: Julian Elischer
Date: Fri, 13 Nov 2015 10:31:32 +0800
Message-ID: <56454B84.2080008@freebsd.org>
In-Reply-To: <5643B3EB.1040002@FreeBSD.org>

On 11/12/15 5:32 AM, Bryan Drewery wrote:
> On 11/10/2015 1:42 AM, Dag-Erling Smørgrav wrote:
>> I would also like to remove the NONE cipher
>> patch, which is also available in the port (off by default, just like in
>> base).
> Fun fact, it's been broken in the port for several months with no
> complaints. It was just reported and fixed upstream in the last day and
> I wrote in a similar fix in the port. That speaks a lot about its usage
> in the port currently.
>

we use it all the time, we just don't update all that often.
From: Dag-Erling Smørgrav
To: Benjamin Kaduk
Cc: Dewayne Geraghty, freebsd-security@freebsd.org, freebsd-current@freebsd.org
Subject: Re: OpenSSH HPN
Date: Fri, 13 Nov 2015 07:47:24 +0100
Message-ID: <86egfu9z0j.fsf@desk.des.no>
In-Reply-To: (Benjamin Kaduk's message of "Thu, 12 Nov 2015 21:28:41 -0500 (EST)")

Benjamin Kaduk writes:
> Things seem to have slowed down a lot since the lead Heimdal developer
> got hired for Apple. [...] MIT employs developers whose job
> descriptions include being the krb5 release manager [...] Heimdal has
> changed plans to a 1.7 release [...] and since the developers in
> question are being paid to work on other things, there is no real
> timeline for the release.

Given this state of affairs, it might not be unreasonable to consider
switching back for 11. There should be enough time, provided our
Kerberos maintainers have some spare cycles.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From: Robert Simmons
To: freebsd-security@freebsd.org
Cc: ports-secteam@freebsd.org
Subject: java/openjdk8 and jre
Date: Fri, 13 Nov 2015 18:52:07 -0500

Greetings,

The following security vulnerability bug was reported about a week ago.
Can someone mark the ports as insecure, please?

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=204269