Re: HPN and None options in OpenSSH
On Mon, Jan 25, 2016 at 12:28:20PM +0100, Jan Bramkamp wrote:
> On 24/01/16 15:50, Dag-Erling Smørgrav wrote:
> > Slawa Olhovchenkov writes:
> > > Can you give a small discourse about ssh+kerberos?
> > > I am trying to use FreeBSD with $HOME over kerberized NFS.
> > > For kerberized NFS, gssd needs to find a cache file "called
> > > /tmp/krb5cc_<uid>, where <uid> is the effective uid for the RPC
> > > caller" (from `man gssd`).
> > >
> > > sshd, on the contrary, creates the cache file for the received ticket as
> > > /tmp/krb5cc_XXX (random string, created by krb5_cc_new_unique). Is
> > > this a strong security requirement, or can [FreeBSD/upstream] be patched
> > > (or an option introduced) to use /tmp/krb5cc_<uid> as the cache file for
> > > the received ticket?
> >
> > I wasn't aware of that. It should be easy to patch, but in the
> > meantime, you can try something like this in .bashrc or whatever:
> >
> >     krb5cc_uid="/tmp/krb5cc_$(id -u)"
> >     if [ -n "${KRB5CCNAME}" -a "${KRB5CCNAME#FILE:}" != "${krb5cc_uid}" ] ; then
> >         if mv "${KRB5CCNAME#FILE:}" "${krb5cc_uid}" ; then
> >             export KRB5CCNAME="FILE:${krb5cc_uid}"
> >         else
> >             echo "Unable to rename krb5 credential cache" >&2
> >         fi
> >     fi
> >     unset krb5cc_uid
>
> If $KRB5CCNAME is set during PAM session setup then the pam_exec module
> might allow a reliable implementation along those lines:
>
> - Stop if $KRB5CCNAME is invalid (klist -t)
> - Stop if /tmp/krb5cc_$UID is already valid and has enough time left
> - Copy the ticket to /tmp and rename it to /tmp/krb5cc_$UID.
>
> Keep in mind that this approach leaves valid tickets in /tmp after the
> SSH session ends, while OpenSSH normally does its best to tie forwarded
> tickets to an SSH session.

Please check me: you propose adding to /etc/pam.d/sshd a line like
`session required pam_exec.so /path/to/some/script` and doing the above
checks in this script?

'session' is executed after the 'account' phase, and in the 'account' phase
NFS must already be accessible (to check for the presence of some files in
$HOME and to import/execute/interpret them, like .login_conf, .k5login,
etc.).
___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: HPN and None options in OpenSSH
On 24/01/16 15:50, Dag-Erling Smørgrav wrote:
> Slawa Olhovchenkov writes:
> > Can you give a small discourse about ssh+kerberos?
> > I am trying to use FreeBSD with $HOME over kerberized NFS.
> > For kerberized NFS, gssd needs to find a cache file "called
> > /tmp/krb5cc_<uid>, where <uid> is the effective uid for the RPC
> > caller" (from `man gssd`).
> >
> > sshd, on the contrary, creates the cache file for the received ticket as
> > /tmp/krb5cc_XXX (random string, created by krb5_cc_new_unique). Is
> > this a strong security requirement, or can [FreeBSD/upstream] be patched
> > (or an option introduced) to use /tmp/krb5cc_<uid> as the cache file for
> > the received ticket?
>
> I wasn't aware of that. It should be easy to patch, but in the
> meantime, you can try something like this in .bashrc or whatever:
>
>     krb5cc_uid="/tmp/krb5cc_$(id -u)"
>     if [ -n "${KRB5CCNAME}" -a "${KRB5CCNAME#FILE:}" != "${krb5cc_uid}" ] ; then
>         if mv "${KRB5CCNAME#FILE:}" "${krb5cc_uid}" ; then
>             export KRB5CCNAME="FILE:${krb5cc_uid}"
>         else
>             echo "Unable to rename krb5 credential cache" >&2
>         fi
>     fi
>     unset krb5cc_uid

If $KRB5CCNAME is set during PAM session setup then the pam_exec module
might allow a reliable implementation along those lines:

- Stop if $KRB5CCNAME is invalid (klist -t)
- Stop if /tmp/krb5cc_$UID is already valid and has enough time left
- Copy the ticket to /tmp and rename it to /tmp/krb5cc_$UID.

Keep in mind that this approach leaves valid tickets in /tmp after the
SSH session ends, while OpenSSH normally does its best to tie forwarded
tickets to an SSH session.
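A sketch of the pam_exec session script outlined in the three steps above, added here as an example and not code from this thread or from the FreeBSD project. It assumes what the post conditions on, namely that sshd has exported KRB5CCNAME (as FILE:/tmp/krb5cc_XXXX) into the PAM environment, plus that pam_exec(8) passes PAM_USER and that environment to the script and that klist(1) is Heimdal's from FreeBSD base; CC_DIR, MIN_LEFT and the function names are this example's own.

```shell
#!/bin/sh
# Added example of the pam_exec approach outlined above, not code from the
# thread.  Assumes sshd has exported KRB5CCNAME (FILE:/tmp/krb5cc_XXXX) into
# the PAM environment, pam_exec(8) passes PAM_USER and that environment to
# this script, and klist(1) is Heimdal's (FreeBSD base), whose listing
# prints timestamps like "Jan 25 22:28:20 2016".
CC_DIR=${CC_DIR:-/tmp}      # where gssd(8) looks for krb5cc_<uid>
MIN_LEFT=${MIN_LEFT:-600}   # keep an existing cache if it has this many seconds left

# "FILE:/tmp/krb5cc_XXXX" -> "/tmp/krb5cc_XXXX"
ccache_path() { printf '%s\n' "${1#FILE:}"; }

# klist -t exits 0 only if the cache holds a valid TGT.
ccache_valid() { KRB5CCNAME="FILE:$1" klist -t >/dev/null 2>&1; }

# "Expires" column of the krbtgt line.  klist runs under TZ=UTC so the stamp
# can be converted back to an epoch without depending on the local zone.
tgt_expiry_stamp() {
    KRB5CCNAME="FILE:$1" TZ=UTC klist 2>/dev/null |
        awk '/krbtgt\//{print $5, $6, $7, $8; exit}'
}

# "Jan 25 22:28:20 2016" -> epoch seconds; BSD date(1) first, then GNU.
stamp_to_epoch() {
    TZ=UTC date -j -f '%b %e %T %Y' "$1" +%s 2>/dev/null ||
        TZ=UTC date -d "$1" +%s 2>/dev/null
}

seconds_left() {
    stamp=$(tgt_expiry_stamp "$1")
    [ -n "$stamp" ] || { echo 0; return; }
    printf '%s\n' "$(( $(stamp_to_epoch "$stamp") - $(date +%s) ))"
}

# $1 = KRB5CCNAME handed over by sshd, $2 = numeric uid.  Always returns 0 so
# the PAM session proceeds; the outcome is printed for logging and testing.
fixup_ccache() {
    src=$(ccache_path "$1"); dst="$CC_DIR/krb5cc_$2"
    ccache_valid "$src" || { echo "skip:invalid-source"; return 0; }
    if ccache_valid "$dst" && [ "$(seconds_left "$dst")" -ge "$MIN_LEFT" ]; then
        echo "skip:target-fresh"; return 0
    fi
    # mktemp gives a fresh 0600 file we own; the final mv is atomic, so gssd never sees a torn cache.
    tmp=$(mktemp "$dst.XXXXXX") || { echo "fail:mktemp"; return 0; }
    if cp "$src" "$tmp" && chown "$2" "$tmp" && mv -f "$tmp" "$dst"; then
        echo "installed"
    else
        rm -f "$tmp"; echo "fail:copy"
    fi
}

# pam_exec entry point; skipped when the file is sourced without PAM_USER.
if [ -n "${PAM_USER:-}" ] && [ -n "${KRB5CCNAME:-}" ]; then
    fixup_ccache "$KRB5CCNAME" "$(id -u "$PAM_USER")"
fi
```

Hook it with `session optional pam_exec.so /usr/local/sbin/krb5cc-fixup` (hypothetical path) in /etc/pam.d/sshd, "optional" so a script failure can never block logins. As the post notes, the per-uid copy outlives the SSH session and is not cleaned up by sshd.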
Re: HPN and None options in OpenSSH
On Fri, Jan 22, 2016 at 03:31:22PM +0100, Dag-Erling Smørgrav wrote:
> The HPN and None cipher patches have been removed from FreeBSD-CURRENT.
> I intend to remove them from FreeBSD-STABLE this weekend.

Can you give a small discourse about ssh+kerberos?
I am trying to use FreeBSD with $HOME over kerberized NFS.
For kerberized NFS, gssd needs to find a cache file "called
/tmp/krb5cc_<uid>, where <uid> is the effective uid for the RPC
caller" (from `man gssd`).

sshd, on the contrary, creates the cache file for the received ticket as
/tmp/krb5cc_XXX (random string, created by krb5_cc_new_unique). Is
this a strong security requirement, or can [FreeBSD/upstream] be patched
(or an option introduced) to use /tmp/krb5cc_<uid> as the cache file for
the received ticket?
Re: HPN and None options in OpenSSH
On Sun, Jan 24, 2016 at 03:50:45PM +0100, Dag-Erling Smørgrav wrote:
> Slawa Olhovchenkov writes:
> > Can you give a small discourse about ssh+kerberos?
> > I am trying to use FreeBSD with $HOME over kerberized NFS.
> > For kerberized NFS, gssd needs to find a cache file "called
> > /tmp/krb5cc_<uid>, where <uid> is the effective uid for the RPC
> > caller" (from `man gssd`).
> >
> > sshd, on the contrary, creates the cache file for the received ticket as
> > /tmp/krb5cc_XXX (random string, created by krb5_cc_new_unique). Is
> > this a strong security requirement, or can [FreeBSD/upstream] be patched
> > (or an option introduced) to use /tmp/krb5cc_<uid> as the cache file for
> > the received ticket?
>
> I wasn't aware of that. It should be easy to patch, but in the

Yes, I have already done an ugly patch for myself (2 files need patching),
but a patch in upstream is preferred.

> meantime, you can try something like this in .bashrc or whatever:

Impossible. To access .bashrc on kerberized NFS, the correct
/tmp/krb5cc_<uid> is needed.

>     krb5cc_uid="/tmp/krb5cc_$(id -u)"
>     if [ -n "${KRB5CCNAME}" -a "${KRB5CCNAME#FILE:}" != "${krb5cc_uid}" ] ; then
>         if mv "${KRB5CCNAME#FILE:}" "${krb5cc_uid}" ; then
>             export KRB5CCNAME="FILE:${krb5cc_uid}"
>         else
>             echo "Unable to rename krb5 credential cache" >&2
>         fi
>     fi
>     unset krb5cc_uid
>
> DES
> --
> Dag-Erling Smørgrav - d...@des.no
Re: HPN and None options in OpenSSH
On Sun, Jan 24, 2016 at 04:21:17PM +0100, Dag-Erling Smørgrav wrote:
> Slawa Olhovchenkov writes:
> > OK, what about tcsh, zsh, fish and scp/sftp?
>
> I apologize for trying to help you out by suggesting a hack that works
> at least some of the time until I can get a permanent fix in. I should
> instead have hopped in my time machine, jumped back a few years, and
> fixed the bug before it affected you. No hard feelings?

Sorry for the unclear exposition. I think this is neither a hack nor a
permanent solution, and I decline modifying the ssh source. I already have
a working solution (a locally applied patch at `make release` time). I can
show my ugly patch, but I think it is partially unclear and not all edge
cases are checked.
Re: HPN and None options in OpenSSH
Slawa Olhovchenkov writes:
> Can you give a small discourse about ssh+kerberos?
> I am trying to use FreeBSD with $HOME over kerberized NFS.
> For kerberized NFS, gssd needs to find a cache file "called
> /tmp/krb5cc_<uid>, where <uid> is the effective uid for the RPC
> caller" (from `man gssd`).
>
> sshd, on the contrary, creates the cache file for the received ticket as
> /tmp/krb5cc_XXX (random string, created by krb5_cc_new_unique). Is
> this a strong security requirement, or can [FreeBSD/upstream] be patched
> (or an option introduced) to use /tmp/krb5cc_<uid> as the cache file for
> the received ticket?

I wasn't aware of that. It should be easy to patch, but in the
meantime, you can try something like this in .bashrc or whatever:

    # sshd hands over KRB5CCNAME as FILE:/tmp/krb5cc_XXXX; strip the
    # prefix before comparing and moving, and put it back when exporting.
    krb5cc_uid="/tmp/krb5cc_$(id -u)"
    if [ -n "${KRB5CCNAME}" -a "${KRB5CCNAME#FILE:}" != "${krb5cc_uid}" ] ; then
        if mv "${KRB5CCNAME#FILE:}" "${krb5cc_uid}" ; then
            export KRB5CCNAME="FILE:${krb5cc_uid}"
        else
            echo "Unable to rename krb5 credential cache" >&2
        fi
    fi
    unset krb5cc_uid

DES
--
Dag-Erling Smørgrav - d...@des.no
Re: HPN and None options in OpenSSH
Slawa Olhovchenkov writes:
> Dag-Erling Smørgrav writes:
> > In the meantime, you can try something like this in .bashrc or
> > whatever:
> Impossible. To access .bashrc on kerberized NFS, the correct
> /tmp/krb5cc_<uid> is needed.

/etc/profile, then.

DES
--
Dag-Erling Smørgrav - d...@des.no
Re: HPN and None options in OpenSSH
On Sun, Jan 24, 2016 at 04:09:05PM +0100, Dag-Erling Smørgrav wrote:
> Slawa Olhovchenkov writes:
> > Dag-Erling Smørgrav writes:
> > > In the meantime, you can try something like this in .bashrc or
> > > whatever:
> > Impossible. To access .bashrc on kerberized NFS, the correct
> > /tmp/krb5cc_<uid> is needed.
>
> /etc/profile, then.

OK, what about tcsh, zsh, fish and scp/sftp?
Re: HPN and None options in OpenSSH
Slawa Olhovchenkov writes:
> OK, what about tcsh, zsh, fish and scp/sftp?

I apologize for trying to help you out by suggesting a hack that works
at least some of the time until I can get a permanent fix in. I should
instead have hopped in my time machine, jumped back a few years, and
fixed the bug before it affected you. No hard feelings?

DES
--
Dag-Erling Smørgrav - d...@des.no
Re: HPN and None options in OpenSSH
On Sat, Jan 23, 2016 at 7:55 AM, Dag-Erling Smørgrav wrote:
> Julian Elischer writes:
> > what is the internal window size in the new ssh?
>
> 64 kB.
>
> DES
> --
> Dag-Erling Smørgrav - d...@des.no

Are you sure of this? I have not looked at the code, but my former
colleagues at the high performance research network ESnet claim at
http://fasterdata.es.net/data-transfer-tools/say-no-to-scp/ that the
internal buffers and effective window size have recently been increased
from 64KB to 1MB and allow for transfer rates of up to 140 Mbps over a link
with 53 ms latency. With the HPN patches, they report 1.2 Gbps, making the
HPN patches still significant over high latency paths.

That said, scp still performed poorly when compared to other technologies
(i.e. GridFTP) for bulk data transfer over high-latency high-bandwidth
links. (ESnet provides links of up to 400 Gbps between the US and Europe as
well as within the US, so this sort of thing is quite important to them.)
--
Kevin Oberman, Part time kid herder and retired Network Engineer
E-mail: rkober...@gmail.com
PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683
Re: HPN and None options in OpenSSH
Julian Elischer writes:
> what is the internal window size in the new ssh?

64 kB.

DES
--
Dag-Erling Smørgrav - d...@des.no
Re: HPN and None options in OpenSSH
On 01/23/16 09:15, Kevin Oberman wrote:
> Are you sure of this? I have not looked at the code, but my former
> colleagues at the high performance research network ESnet claim at
> http://fasterdata.es.net/data-transfer-tools/say-no-to-scp/ that the
> internal buffers and effective window size have recently been increased
> from 64KB to 1MB and allow for transfer rates of up to 140 Mbps over a link
> with 53 ms latency. With the HPN patches, they report 1.2 Gbps, making the
> HPN patches still significant over high latency paths.

DES wrote:
> The buffer code in 7.1
> supports dynamically-sized buffers with a hard limit of 128 MB. The
> default window size for client sessions is 2 MB, or 1 MB if associated
> with a tty. I'm not sure what the maximum size is.

I'll try to do some cross-country or trans-Atlantic testing this weekend or
next week, using a mix of ssh versions and HPN-patched versus not (and
CentOS vs. FreeBSD vs. possibly Debian unstable with the 4.2+ kernel as yet
another degree of freedom). I'll see what basic results I can get and we
can update fasterdata.es.net as necessary.

> That said, scp still performed poorly when compared to other technologies
> (i.e. GridFTP) for bulk data transfer over high-latency high-bandwidth
> links. (ESnet provides links of up to 400 Gbps between the US and Europe as
> well as within the US, so this sort of thing is quite important to them.)

That it is!

> scp is a horrible protocol, use sftp or (preferably) rsync over ssh.

I still think over-ssh transport is lousy for bulk-data transfers, but it
is the one thing that's generally installed by default on every OS and is
allowed by many firewalls. And, of course, it encrypts in flight.
Certainly gridFTP, aspera (if you can afford it!) and other packages
optimized for bulk data transfer will work better.

michael
ESnet
Re: HPN and None options in OpenSSH
Kevin Oberman writes:
> Dag-Erling Smørgrav writes:
> > Julian Elischer writes:
> > > what is the internal window size in the new ssh?
> > 64 kB.
> Are you sure of this?

Sorry, I was thinking of 6.6 (in stable/10). The buffer code in 7.1
supports dynamically-sized buffers with a hard limit of 128 MB. The
default window size for client sessions is 2 MB, or 1 MB if associated
with a tty. I'm not sure what the maximum size is.

Note that scp, sftp etc. count as client sessions. X11 and agent
forwarding use different (smaller) windows which improve latency at the
cost of throughput.

> [...] scp still performed poorly when compared to other technologies

scp is a horrible protocol, use sftp or (preferably) rsync over ssh.

DES
--
Dag-Erling Smørgrav - d...@des.no
HPN and None options in OpenSSH
The HPN and None cipher patches have been removed from FreeBSD-CURRENT. I
intend to remove them from FreeBSD-STABLE this weekend.

The HPN patches were of limited usefulness and required a great deal of
effort to maintain in our tree. The None cipher patch was less onerous,
but it was a terrible idea with a very small user base since it was a
compile-time option and off by default.

The HPN-related configuration variables have been marked deprecated, while
those related to the None cipher have been marked unsupported. This means
that the former will be accepted with a warning, whereas the latter will
result in an error.

Most users will not be affected by this change. Those who are should
switch to the openssh-portable port, which still offers both patches, with
HPN enabled by default.

It is expected that FreeBSD 10.3 will ship with OpenSSH 7.1p2, with a
number of modifications intended to reduce the impact of upstream changes
on existing systems.

DES
--
Dag-Erling Smørgrav - d...@des.no
Re: HPN and None options in OpenSSH
On 22/01/2016 10:31 PM, Dag-Erling Smørgrav wrote:
> The HPN and None cipher patches have been removed from FreeBSD-CURRENT. I
> intend to remove them from FreeBSD-STABLE this weekend.
>
> The HPN patches were of limited usefulness and required a great deal of
> effort to maintain in our tree. The None cipher patch was less onerous,
> but it was a terrible idea with a very small user base since it was a
> compile-time option and off by default.
>
> The HPN-related configuration variables have been marked deprecated, while
> those related to the None cipher have been marked unsupported. This means
> that the former will be accepted with a warning, whereas the latter will
> result in an error.
>
> Most users will not be affected by this change. Those who are should
> switch to the openssh-portable port, which still offers both patches, with
> HPN enabled by default.
>
> It is expected that FreeBSD 10.3 will ship with OpenSSH 7.1p2, with a
> number of modifications intended to reduce the impact of upstream changes
> on existing systems.

what is the internal window size in the new ssh?

> DES