svn commit: r251088 - head/crypto/openssh

Pawel Jakub Dawidek pjd at FreeBSD.org
Wed May 29 07:07:08 UTC 2013


On Wed, May 29, 2013 at 12:19:59AM +0000, Dag-Erling Smørgrav wrote:
> Author: des
> Date: Wed May 29 00:19:58 2013
> New Revision: 251088
> URL: http://svnweb.freebsd.org/changeset/base/251088
> 
> Log:
>   Revert a local change that sets the default for UsePrivilegeSeparation to
>   "sandbox" instead of "yes".  In sandbox mode, the privsep child is unable
>   to load additional libraries and will therefore crash when trying to take
>   advantage of crypto offloading on CPUs that support it.

Which library is needed for AES-NI? I don't see any engine in /usr/lib/
that implements AES-NI support. Could you be more specific?

Also what is the exact difference between "sandbox" and "yes" settings?

The reason I ask is because I plan to experiment with OpenSSH sandboxing
to use Capsicum and Casper.

> Modified:
>   head/crypto/openssh/servconf.c
> 
> Modified: head/crypto/openssh/servconf.c
> ==============================================================================
> --- head/crypto/openssh/servconf.c	Wed May 29 00:18:12 2013	(r251087)
> +++ head/crypto/openssh/servconf.c	Wed May 29 00:19:58 2013	(r251088)
> @@ -298,7 +298,7 @@ fill_default_server_options(ServerOption
>  		options->version_addendum = xstrdup(SSH_VERSION_FREEBSD);
>  	/* Turn privilege separation on by default */
>  	if (use_privsep == -1)
> -		use_privsep = PRIVSEP_ON;
> +		use_privsep = PRIVSEP_NOSANDBOX;
>  
>  #ifndef HAVE_MMAP
>  	if (use_privsep && options->compression == 1) {
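
Review bot: the comment left unchanged above the modified assignment, "Turn privilege separation on by default", no longer tells the reader enough. The default is now PRIVSEP_NOSANDBOX rather than PRIVSEP_ON, which going by the log message means "yes" instead of "sandbox", so nothing in servconf.c shows that the sandbox was left off on purpose. Suggest extending the comment to say that sandbox mode is deliberately not the default and why (per the log, the privsep child cannot load additional libraries in sandbox mode), so the weaker default gets revisited once that limitation is addressed.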

-- 
Pawel Jakub Dawidek                       http://www.wheelsystems.com
FreeBSD committer                         http://www.FreeBSD.org
Am I Evil? Yes, I Am!                     http://mobter.com