svn commit: r251088 - head/crypto/openssh
Pawel Jakub Dawidek
pjd at FreeBSD.org
Wed May 29 12:48:01 UTC 2013
On Wed, May 29, 2013 at 02:36:17PM +0200, Dag-Erling Smørgrav wrote:
> Pawel Jakub Dawidek <pjd at FreeBSD.org> writes:
> > Which library is needed for AES-NI? I don't see any engine in /usr/lib/
> > that implements AES-NI support. Could you be more specific?
>
> Ah, you're right. Bryan (cc:ed) did the analysis and I misunderstood
> his report. I just ran through the steps to reproduce the issue, and
> what happens is that a CRIOGET ioctl call (which is supposed to allocate
> and return a file descriptor) fails due to setrlimit(RLIMIT_FSIZE, 0):
>
> 90344 sshd CALL setrlimit(RLIMIT_NOFILE,0x7fffffffca10)
> 90344 sshd RET setrlimit 0
> [...]
> 90344 sshd CALL ioctl(0x3,CRIOGET,0x7fffffffcb4c)
> 90344 sshd RET ioctl -1 errno 24 Too many open files
>
> Note that you have to remove the setrlimit(RLIMIT_FSIZE, 0) call in
> sandbox-rlimit.c to debug this, otherwise ktrace stops at that point:
>
> May 29 12:10:37 zoo2 kernel: ktrace write failed, errno 27, tracing stopped
>
> To reproduce:
>
> # ktrace -tcnstuy -di env LD_UTRACE=yes /usr/sbin/sshd -oUsePrivilegeSeparation=sandbox -Dddd -oPort=2222 -oListenAddress=localhost
>
> followed by
>
> % ssh -c aes128-cbc -p 2222 localhost
>
> on a machine with an AESNI-capable CPU and aesni.ko loaded.
AES-NI doesn't have to go through the kernel at all and doing so is much
slower. Not sure if our OpenSSL version already has native AES-NI
support. If not it would be best to upgrade it. This would fix AES-NI
at least. Other crypto HW that does need a kernel driver would still need
something here. I wonder if CRIOGET can't be done before setting rlimit.
How does it work on OpenBSD then?
> > Also what is the exact difference between "sandbox" and "yes" settings?
>
> "sandbox" enables sandboxing (no surprise) which in FreeBSD's case means
> a bunch of rlimit settings.
I thought that the simple "yes" setting does a chroot to /var/empty, drops
privileges to the sshd user/group and sets rlimits? I'm trying to figure out
the difference between those two settings.
> > The reason I ask is because I plan to experiment with OpenSSH sandboxing
> > to use Capsicum and Casper.
>
> You still have the patches I sent you?
Probably somewhere in my INBOX. If you have them handy, can you please
resend them?
--
Pawel Jakub Dawidek http://www.wheelsystems.com
FreeBSD committer http://www.FreeBSD.org
Am I Evil? Yes, I Am! http://mobter.com
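An added example, not from this thread and not OpenSSH's sandbox-rlimit.c, that reproduces the ordering problem discussed above on any POSIX system. A forked child imitates the rlimit sandbox by setting RLIMIT_FSIZE and RLIMIT_NOFILE to zero, then shows that a descriptor allocated after the limit drop fails with EMFILE (errno 24, the failure in the ktrace output) while one acquired beforehand keeps working, and that a write to a regular file fails with EFBIG (errno 27, which is why ktrace stopped). /dev/null stands in for the descriptor CRIOGET would return; the case and result names are this example's own, and it assumes /tmp is writable.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcomes the sandboxed child reports to its parent via exit status
 * (names are this example's own). */
enum demo_result {
    DEMO_OK = 0,               /* the syscall behaved as the case predicts */
    DEMO_SETUP_FAILED = 1,     /* could not create the pre-sandbox resource */
    DEMO_SETRLIMIT_FAILED = 2,
    DEMO_UNEXPECTED = 3        /* wrong result or wrong errno */
};

enum demo_case {
    CASE_FD_BEFORE,   /* descriptor acquired before the limit drop, then used */
    CASE_FD_AFTER,    /* descriptor allocation attempted after the limit drop */
    CASE_FILE_WRITE   /* write to a regular file under RLIMIT_FSIZE = 0 */
};

/* Simplified imitation of the rlimit sandbox: no file growth, no new
 * descriptors. Soft and hard limits both go to zero, so the child cannot
 * raise them again. (The real sandbox also limits RLIMIT_NPROC.) */
static int enter_rlimit_sandbox(void)
{
    struct rlimit zero = { 0, 0 };
    if (setrlimit(RLIMIT_FSIZE, &zero) == -1)
        return -1;
    if (setrlimit(RLIMIT_NOFILE, &zero) == -1)
        return -1;
    return 0;
}

static int child_body(enum demo_case c)
{
    int fd = -1, tmp = -1;
    char path[] = "/tmp/rlimit-demo-XXXXXX";   /* constructed temp name */

    /* Exceeding RLIMIT_FSIZE also raises SIGXFSZ, which would kill the
     * child; ignore it so write() returns -1 with EFBIG instead. */
    signal(SIGXFSZ, SIG_IGN);

    /* Resources acquired before entering the sandbox. /dev/null stands in
     * for the descriptor CRIOGET would hand back. */
    if (c == CASE_FD_BEFORE && (fd = open("/dev/null", O_WRONLY)) == -1)
        return DEMO_SETUP_FAILED;
    if (c == CASE_FILE_WRITE) {
        if ((tmp = mkstemp(path)) == -1)
            return DEMO_SETUP_FAILED;
        unlink(path);   /* the open descriptor keeps the file alive */
    }

    if (enter_rlimit_sandbox() == -1)
        return DEMO_SETRLIMIT_FAILED;

    switch (c) {
    case CASE_FD_BEFORE:
        /* An already-held descriptor is unaffected by RLIMIT_NOFILE. */
        return write(fd, "x", 1) == 1 ? DEMO_OK : DEMO_UNEXPECTED;
    case CASE_FD_AFTER:
        /* Allocating a new descriptor now fails with EMFILE (errno 24). */
        fd = open("/dev/null", O_WRONLY);
        return (fd == -1 && errno == EMFILE) ? DEMO_OK : DEMO_UNEXPECTED;
    case CASE_FILE_WRITE:
        /* Growing a regular file now fails with EFBIG (errno 27). */
        return (write(tmp, "x", 1) == -1 && errno == EFBIG)
               ? DEMO_OK : DEMO_UNEXPECTED;
    }
    return DEMO_UNEXPECTED;
}

/* Run one case in a forked child so the parent's limits stay untouched,
 * much like sshd's privsep child; returns the child's demo_result, or -1
 * on fork/wait failure. */
int run_demo(enum demo_case c)
{
    int status;
    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0)
        _exit(child_body(c));
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("fd acquired before sandbox, used after:    %d (0 = OK)\n", run_demo(CASE_FD_BEFORE));
    printf("fd allocation after sandbox -> EMFILE:     %d (0 = OK)\n", run_demo(CASE_FD_AFTER));
    printf("regular-file write after sandbox -> EFBIG: %d (0 = OK)\n", run_demo(CASE_FILE_WRITE));
    return 0;
}
```

The CASE_FD_BEFORE/CASE_FD_AFTER pair is the whole point of the "can't CRIOGET be done before setting rlimit" question: a kernel-backed crypto handle opened before the limits drop survives the sandbox, while any attempt to open one afterwards is refused by the limit the sandbox itself installed. CASE_FILE_WRITE shows the same mechanism behind the ktrace failure, and why debugging needs the RLIMIT_FSIZE line removed rather than ktrace run differently.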