Date:      Wed, 29 May 2013 14:50:52 +0200
From:      Pawel Jakub Dawidek <pjd@FreeBSD.org>
To:        Dag-Erling Smørgrav <des@des.no>
Cc:        svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org, bdrewery@freebsd.org
Subject:   Re: svn commit: r251088 - head/crypto/openssh
Message-ID:  <20130529125052.GA1383@garage.freebsd.pl>
In-Reply-To: <86zjve3qv2.fsf@nine.des.no>
References:  <201305290019.r4T0JxLE011755@svn.freebsd.org> <20130529070952.GA1400@garage.freebsd.pl> <86zjve3qv2.fsf@nine.des.no>

On Wed, May 29, 2013 at 02:36:17PM +0200, Dag-Erling Smørgrav wrote:
> Pawel Jakub Dawidek <pjd@FreeBSD.org> writes:
> > Which library is needed for AES-NI? I don't see any engine in /usr/lib/
> > that implements AES-NI support. Could you be more specific?
>
> Ah, you're right.  Bryan (cc:ed) did the analysis and I misunderstood
> his report.  I just ran through the steps to reproduce the issue, and
> what happens is that a CRIOGET ioctl call (which is supposed to allocate
> and return a file descriptor) fails due to setrlimit(RLIMIT_FSIZE, 0):
>
>  90344 sshd     CALL  setrlimit(RLIMIT_NOFILE,0x7fffffffca10)
>  90344 sshd     RET   setrlimit 0
>  [...]
>  90344 sshd     CALL  ioctl(0x3,CRIOGET,0x7fffffffcb4c)
>  90344 sshd     RET   ioctl -1 errno 24 Too many open files
>
> Note that you have to remove the setrlimit(RLIMIT_FSIZE, 0) call in
> sandbox-rlimit.c to debug this, otherwise ktrace stops at that point:
>
> May 29 12:10:37 zoo2 kernel: ktrace write failed, errno 27, tracing stopped
>
> To reproduce:
>
> # ktrace -tcnstuy -di env LD_UTRACE=yes /usr/sbin/sshd -oUsePrivilegeSeparation=sandbox -Dddd -oPort=2222 -oListenAddress=localhost
>
> followed by
>
> % ssh -c aes128-cbc -p 2222 localhost
>
> on a machine with an AESNI-capable CPU and aesni.ko loaded.

AES-NI doesn't have to go through the kernel at all and doing so is much
slower. Not sure if our OpenSSL version already has native AES-NI
support. If not, it would be best to upgrade it.  This would fix AES-NI
at least. Other crypto HW that does need a kernel driver would still need
something here. I wonder if CRIOGET can't be done before setting rlimit.
How does it work on OpenBSD then?

> > Also what is the exact difference between "sandbox" and "yes" settings?
>
> "sandbox" enables sandboxing (no surprise) which in FreeBSD's case means
> a bunch of rlimit settings.

I thought that the simple "yes" setting does chroot to /var/empty, drops
privileges to sshd user/group and sets rlimit? I'm trying to figure out
the difference between those two settings.

> > The reason I ask is because I plan to experiment with OpenSSH sandboxing
> > to use Capsicum and Casper.
>
> You still have the patches I sent you?

Probably somewhere in my INBOX. If you have them handy can you please
resend them?

-- 
Pawel Jakub Dawidek                       http://www.wheelsystems.com
FreeBSD committer                         http://www.FreeBSD.org
Am I Evil? Yes, I Am!                     http://mobter.com
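
The failure in the quoted ktrace output, and the question of whether a descriptor can be obtained before the rlimit is set, as an added example (not part of the original message and not OpenSSH code): a child process sets RLIMIT_NOFILE to 0 and either allocates a descriptor afterwards or uses one it obtained beforehand. `/dev/null` stands in for `/dev/crypto` and the CRIOGET ioctl, and `alloc_fd()` and `probe()` are names made up for this sketch.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-in for CRIOGET on /dev/crypto (assumption): any call that has to
 * allocate a new file descriptor. */
static int alloc_fd(void)
{
    return open("/dev/null", O_WRONLY);
}

/* Hypothetical helper. Forks a child, sets RLIMIT_NOFILE to 0 there and
 * reports whether a descriptor is usable afterwards.
 * Returns 0 on success, the child's errno on failure, -1 on harness error. */
int probe(int acquire_before_limit)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        struct rlimit zero = { 0, 0 };
        int fd = -1;

        if (acquire_before_limit)
            fd = alloc_fd();            /* allocated while still allowed */
        if (setrlimit(RLIMIT_NOFILE, &zero) != 0)
            _exit(255);
        if (!acquire_before_limit)
            fd = alloc_fd();            /* new allocation after the limit */
        if (fd < 0)
            _exit(errno);
        _exit(write(fd, "x", 1) == 1 ? 0 : errno);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("allocate after limit:  %d (EMFILE is %d)\n", probe(0), EMFILE);
    printf("allocate before limit: %d\n", probe(1));
    return 0;
}
```

The limit only blocks allocation of new descriptors; one that is already open when the limit is applied stays usable, which is the property the rlimit sandbox relies on for its existing sockets and pipes.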



