From: Pawel Jakub Dawidek
To: Dag-Erling Smørgrav
Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org, bdrewery@freebsd.org
Date: Wed, 29 May 2013 14:50:52 +0200
Subject: Re: svn commit: r251088 - head/crypto/openssh

On Wed, May 29, 2013 at 02:36:17PM +0200, Dag-Erling Smørgrav wrote:
> Pawel Jakub Dawidek writes:
> > Which library is needed for AES-NI? I don't see any engine in /usr/lib/
> > that implements AES-NI support. Could you be more specific?
>
> Ah, you're right. Bryan (cc:ed) did the analysis and I misunderstood
> his report. I just ran through the steps to reproduce the issue, and
> what happens is that a CRIOGET ioctl call (which is supposed to allocate
> and return a file descriptor) fails due to setrlimit(RLIMIT_FSIZE, 0):
>
> 90344 sshd CALL setrlimit(RLIMIT_NOFILE,0x7fffffffca10)
> 90344 sshd RET setrlimit 0
> [...]
> 90344 sshd CALL ioctl(0x3,CRIOGET,0x7fffffffcb4c)
> 90344 sshd RET ioctl -1 errno 24 Too many open files
>
> Note that you have to remove the setrlimit(RLIMIT_FSIZE, 0) call in
> sandbox-rlimit.c to debug this, otherwise ktrace stops at that point:
>
> May 29 12:10:37 zoo2 kernel: ktrace write failed, errno 27, tracing stopped
>
> To reproduce:
>
> # ktrace -tcnstuy -di env LD_UTRACE=yes /usr/sbin/sshd -oUsePrivilegeSeparation=sandbox -Dddd -oPort=2222 -oListenAddress=localhost
>
> followed by
>
> % ssh -c aes128-cbc -p 2222 localhost
>
> on a machine with an AESNI-capable CPU and aesni.ko loaded.

AES-NI doesn't have to go through kernel at all and doing so is much
slower. Not sure if our OpenSSL version already has native AES-NI
support. If not it would be best to upgrade it. This would fix AES-NI at
least. Other crypto HW that do need kernel driver would still need
something here. I wonder if CRIOGET can't be done before setting rlimit.
How does it work on OpenBSD then?

> > Also what is the exact difference between "sandbox" and "yes" settings?
>
> "sandbox" enables sandboxing (no surprise) which in FreeBSD's case means
> a bunch of rlimit settings.

I thought that simple "yes" setting does chroot to /var/empty, drops
privileges to sshd user/group and sets rlimit? I'm trying to figure out
the difference between those two settings.

> > The reason I ask is because I plan to experiment with OpenSSH sandboxing
> > to use Capsicum and Casper.
>
> You still have the patches I sent you?

Probably somewhere in my INBOX.
If you have them handy can you please resend them?

-- 
Pawel Jakub Dawidek                       http://www.wheelsystems.com
FreeBSD committer                         http://www.FreeBSD.org
Am I Evil? Yes, I Am!                     http://mobter.com
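
The ktrace quoted in this message shows setrlimit(RLIMIT_NOFILE, ...) followed by an ioctl that fails with errno 24. The C program below is an added example, not part of the original e-mail or of OpenSSH: it shows that a descriptor obtained before the limit is applied stays usable while any later allocation fails with EMFILE. It assumes open("/dev/null") as a stand-in for the CRIOGET ioctl, and the names sandbox_probe and run_probe are hypothetical.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

#define PRE_FD_USABLE    0x1 /* descriptor opened before the limit still works */
#define POST_OPEN_EMFILE 0x2 /* allocating a descriptor afterwards gives EMFILE */

/* Child-side probe. open("/dev/null") stands in for the CRIOGET ioctl
 * (assumption): both have to allocate a new file descriptor. */
static int sandbox_probe(void)
{
    struct rlimit zero = { 0, 0 };
    int result = 0;
    int pre = open("/dev/null", O_WRONLY);   /* acquired before sandboxing */

    if (pre < 0 || setrlimit(RLIMIT_NOFILE, &zero) != 0)
        return 255;                          /* setup failed */
    if (write(pre, "x", 1) == 1)             /* existing descriptor unaffected */
        result |= PRE_FD_USABLE;
    errno = 0;
    if (open("/dev/null", O_WRONLY) < 0 && errno == EMFILE)
        result |= POST_OPEN_EMFILE;          /* errno 24, as in the ktrace */
    return result;
}

/* Run the probe in a forked child so the limit never touches the caller.
 * Returns the result bits, or -1 if the probe could not be run. */
int run_probe(void)
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(sandbox_probe());
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) == 255)
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    int r = run_probe();
    if (r >= 0)
        printf("pre-opened fd usable: %d, new fd gets EMFILE: %d\n",
               !!(r & PRE_FD_USABLE), !!(r & POST_OPEN_EMFILE));
    return r < 0;
}
```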