Re: HPN and None options in OpenSSH

2016-01-25 Thread Slawa Olhovchenkov
On Mon, Jan 25, 2016 at 12:28:20PM +0100, Jan Bramkamp wrote:

> 
> 
> On 24/01/16 15:50, Dag-Erling Smørgrav wrote:
> > Slawa Olhovchenkov  writes:
> >> Can you give a small discourse about ssh+kerberos?
> >> I am trying to use FreeBSD with $HOME over Kerberized NFS.
> >> For Kerberized NFS, gssd needs to find a cache file "called
> >> /tmp/krb5cc_<uid>, where <uid> is the effective uid for the RPC
> >> caller" (from `man gssd`).
> >>
> >> sshd, on the contrary, creates the cache file for the received ticket as
> >> /tmp/krb5cc_XXX (random string, created by krb5_cc_new_unique). Is
> >> this a strong security requirement, or can [FreeBSD/upstream] be patched
> >> (or an option introduced) to use /tmp/krb5cc_<uid> as the cache file for
> >> the received ticket?
> >
> > I wasn't aware of that.  It should be easy to patch, but in the
> > meantime, you can try something like this in .bashrc or whatever:
> >
> > # Move sshd's randomly named cache to the name gssd expects for this uid.
> > krb5ccuid="/tmp/krb5cc_$(id -u)"
> > if [ -n "${KRB5CCNAME}" -a "${KRB5CCNAME}" != "${krb5ccuid}" ] ; then
> >     if mv "${KRB5CCNAME}" "${krb5ccuid}" ; then
> >         export KRB5CCNAME="${krb5ccuid}"
> >     else
> >         echo "Unable to rename krb5 credential cache" >&2
> >     fi
> > fi
> > unset krb5ccuid
> 
> If $KRB5CCNAME is set during PAM session setup, then the pam_exec module
> might allow a reliable implementation along those lines:
> 
> - Stop if $KRB5CCNAME is invalid (klist -t)
> - Stop if /tmp/krb5cc_$UID is already valid and has enough time left
> - Copy the ticket to /tmp and rename it to /tmp/krb5cc_$UID.
> 
> Keep in mind that this approach leaves valid tickets in /tmp after the
> SSH session ends, while OpenSSH normally does its best to tie forwarded
> tickets to an SSH session.

Please check me: you propose to add to /etc/pam.d/sshd a line like

session required pam_exec.so /path/to/some/script

and do the above checks in this script?

'session' is executed after the 'account' phase, and in the 'account'
phase NFS must already be accessible (for checking the presence of some
files in $HOME and importing/executing/interpreting them, like
.login_conf, .k5login, etc).

___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"

Re: HPN and None options in OpenSSH

2016-01-25 Thread Jan Bramkamp



On 24/01/16 15:50, Dag-Erling Smørgrav wrote:
> Slawa Olhovchenkov  writes:
>> Can you give a small discourse about ssh+kerberos?
>> I am trying to use FreeBSD with $HOME over Kerberized NFS.
>> For Kerberized NFS, gssd needs to find a cache file "called
>> /tmp/krb5cc_<uid>, where <uid> is the effective uid for the RPC
>> caller" (from `man gssd`).
>>
>> sshd, on the contrary, creates the cache file for the received ticket as
>> /tmp/krb5cc_XXX (random string, created by krb5_cc_new_unique). Is
>> this a strong security requirement, or can [FreeBSD/upstream] be patched
>> (or an option introduced) to use /tmp/krb5cc_<uid> as the cache file for
>> the received ticket?
>
> I wasn't aware of that.  It should be easy to patch, but in the
> meantime, you can try something like this in .bashrc or whatever:
>
> # Move sshd's randomly named cache to the name gssd expects for this uid.
> krb5ccuid="/tmp/krb5cc_$(id -u)"
> if [ -n "${KRB5CCNAME}" -a "${KRB5CCNAME}" != "${krb5ccuid}" ] ; then
>     if mv "${KRB5CCNAME}" "${krb5ccuid}" ; then
>         export KRB5CCNAME="${krb5ccuid}"
>     else
>         echo "Unable to rename krb5 credential cache" >&2
>     fi
> fi
> unset krb5ccuid


If $KRB5CCNAME is set during PAM session setup, then the pam_exec module
might allow a reliable implementation along those lines:

  - Stop if $KRB5CCNAME is invalid (klist -t)
  - Stop if /tmp/krb5cc_$UID is already valid and has enough time left
  - Copy the ticket to /tmp and rename it to /tmp/krb5cc_$UID.

Keep in mind that this approach leaves valid tickets in /tmp after the
SSH session ends, while OpenSSH normally does its best to tie forwarded
tickets to an SSH session.

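The three checks proposed above, written out as a pam_exec(8) session hook for /etc/pam.d/sshd; this is an added example, not code from this thread or from FreeBSD. It assumes that sshd's KRB5CCNAME is visible in the hook's environment (which the message leaves open) and that pam_exec exports PAM_USER (OpenPAM and Linux-PAM both do); "enough time left" is simplified to "not yet expired" via klist -t.

```shell
#!/bin/sh
# Added example (not from the thread or FreeBSD): pam_exec session hook that
# publishes sshd's forwarded Kerberos cache under the name gssd(8) expects.
# Assumed: KRB5CCNAME is in the environment and pam_exec exports PAM_USER.
set -u

# Checks 1 and 2: succeed only if the cache at $1 holds an unexpired TGT.
# Heimdal's klist -t (MIT krb5: klist -s) prints nothing and fails for a
# missing or expired cache.
ccache_valid() {
    KRB5CCNAME="FILE:$1" klist -t 2>/dev/null
}

# Check 3: copy cache $1 to $2 for user $3. The copy goes to a private temp
# file in the same directory and is then renamed over $2, so a partly written
# cache is never visible and rename(2) replaces, rather than follows, anything
# another local user may have planted under that predictable name in /tmp.
install_ccache() {
    src=$1; dst=$2; owner=$3
    tmp=$(mktemp "${dst}.XXXXXX") || return 1
    if ! cp "$src" "$tmp"; then rm -f "$tmp"; return 1; fi
    chmod 0600 "$tmp"
    # pam_exec runs as root; gssd looks the file up as the user, who must own it.
    if [ "$(id -u)" -eq 0 ]; then chown "$owner" "$tmp"; fi
    mv -f "$tmp" "$dst"
}

# Decide what this session needs. A missing or invalid forwarded ticket is
# logged but does not fail the login: many sessions legitimately arrive
# without a forwarded TGT, and a non-zero exit would lock those users out.
session_open() {
    [ -n "${KRB5CCNAME:-}" ] || return 0
    src=${KRB5CCNAME#FILE:}
    uid=$(id -u "$PAM_USER") || return 1
    dst="/tmp/krb5cc_${uid}"
    [ "$src" = "$dst" ] && return 0
    if ! ccache_valid "$src"; then
        echo "sshd-krb5cc: forwarded cache $src is not valid" >&2
        return 0
    fi
    ccache_valid "$dst" && return 0   # a usable cache is already in place
    install_ccache "$src" "$dst" "$PAM_USER"
}

# Only act when invoked by pam_exec; sourcing the file elsewhere is a no-op.
if [ -n "${PAM_USER:-}" ]; then
    session_open
fi
```

As the message warns, the copied cache outlives the SSH session; nothing here removes it, because gssd or a concurrent session of the same user may still be using it.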

Re: HPN and None options in OpenSSH

2016-01-24 Thread Slawa Olhovchenkov
On Fri, Jan 22, 2016 at 03:31:22PM +0100, Dag-Erling Smørgrav wrote:

> The HPN and None cipher patches have been removed from FreeBSD-CURRENT.
> I intend to remove them from FreeBSD-STABLE this weekend.

Can you give a small discourse about ssh+kerberos?
I am trying to use FreeBSD with $HOME over Kerberized NFS.
For Kerberized NFS, gssd needs to find a cache file "called
/tmp/krb5cc_<uid>, where <uid> is the effective uid for the RPC
caller" (from `man gssd`).

sshd, on the contrary, creates the cache file for the received ticket as
/tmp/krb5cc_XXX (random string, created by krb5_cc_new_unique). Is
this a strong security requirement, or can [FreeBSD/upstream] be patched
(or an option introduced) to use /tmp/krb5cc_<uid> as the cache file for
the received ticket?

Re: HPN and None options in OpenSSH

2016-01-24 Thread Slawa Olhovchenkov
On Sun, Jan 24, 2016 at 03:50:45PM +0100, Dag-Erling Smørgrav wrote:

> Slawa Olhovchenkov  writes:
> > Can you give a small discourse about ssh+kerberos?
> > I am trying to use FreeBSD with $HOME over Kerberized NFS.
> > For Kerberized NFS, gssd needs to find a cache file "called
> > /tmp/krb5cc_<uid>, where <uid> is the effective uid for the RPC
> > caller" (from `man gssd`).
> >
> > sshd, on the contrary, creates the cache file for the received ticket as
> > /tmp/krb5cc_XXX (random string, created by krb5_cc_new_unique). Is
> > this a strong security requirement, or can [FreeBSD/upstream] be patched
> > (or an option introduced) to use /tmp/krb5cc_<uid> as the cache file for
> > the received ticket?
> 
> I wasn't aware of that.  It should be easy to patch, but in the

Yes, I have already made an ugly patch for myself (2 files need patching), but
a patch in upstream is preferred.

> meantime, you can try something like this in .bashrc or whatever:

Impossible. For accessing .bashrc on Kerberized NFS, a correct
/tmp/krb5cc_<uid> is needed.

> # Move sshd's randomly named cache to the name gssd expects for this uid.
> krb5ccuid="/tmp/krb5cc_$(id -u)"
> if [ -n "${KRB5CCNAME}" -a "${KRB5CCNAME}" != "${krb5ccuid}" ] ; then
>     if mv "${KRB5CCNAME}" "${krb5ccuid}" ; then
>         export KRB5CCNAME="${krb5ccuid}"
>     else
>         echo "Unable to rename krb5 credential cache" >&2
>     fi
> fi
> unset krb5ccuid
> 
> DES
> -- 
> Dag-Erling Smørgrav - d...@des.no

Re: HPN and None options in OpenSSH

2016-01-24 Thread Slawa Olhovchenkov
On Sun, Jan 24, 2016 at 04:21:17PM +0100, Dag-Erling Smørgrav wrote:

> Slawa Olhovchenkov  writes:
> > OK, what about tcsh, zsh, fish and scp/sftp?
> 
> I apologize for trying to help you out by suggesting a hack that works
> at least some of the time until I can get a permanent fix in.  I should
> instead have hopped in my time machine, jumped back a few years, and
> fixed the bug before it affected you.  No hard feelings?

Sorry about the unclear exposition.
I think this is neither a hack nor a permanent solution, and decline
modification of the ssh source.

I already have a working solution (a locally applied patch at `make
release` time).

I can show my ugly patch, but I think it is partially unclear and not
all edge cases are checked.



Re: HPN and None options in OpenSSH

2016-01-24 Thread Dag-Erling Smørgrav
Slawa Olhovchenkov  writes:
> Can you give a small discourse about ssh+kerberos?
> I am trying to use FreeBSD with $HOME over Kerberized NFS.
> For Kerberized NFS, gssd needs to find a cache file "called
> /tmp/krb5cc_<uid>, where <uid> is the effective uid for the RPC
> caller" (from `man gssd`).
>
> sshd, on the contrary, creates the cache file for the received ticket as
> /tmp/krb5cc_XXX (random string, created by krb5_cc_new_unique). Is
> this a strong security requirement, or can [FreeBSD/upstream] be patched
> (or an option introduced) to use /tmp/krb5cc_<uid> as the cache file for
> the received ticket?

I wasn't aware of that.  It should be easy to patch, but in the
meantime, you can try something like this in .bashrc or whatever:

# Move sshd's randomly named cache to the name gssd expects for this uid.
krb5ccuid="/tmp/krb5cc_$(id -u)"
if [ -n "${KRB5CCNAME}" -a "${KRB5CCNAME}" != "${krb5ccuid}" ] ; then
    if mv "${KRB5CCNAME}" "${krb5ccuid}" ; then
        export KRB5CCNAME="${krb5ccuid}"
    else
        echo "Unable to rename krb5 credential cache" >&2
    fi
fi
unset krb5ccuid

DES
-- 
Dag-Erling Smørgrav - d...@des.no

Re: HPN and None options in OpenSSH

2016-01-24 Thread Dag-Erling Smørgrav
Slawa Olhovchenkov  writes:
> Dag-Erling Smørgrav  writes:
> > In the meantime, you can try something like this in .bashrc or
> > whatever:
> Impossible. For accessing .bashrc on Kerberized NFS, a correct
> /tmp/krb5cc_<uid> is needed.

/etc/profile, then.

DES
-- 
Dag-Erling Smørgrav - d...@des.no

Re: HPN and None options in OpenSSH

2016-01-24 Thread Slawa Olhovchenkov
On Sun, Jan 24, 2016 at 04:09:05PM +0100, Dag-Erling Smørgrav wrote:

> Slawa Olhovchenkov  writes:
> > Dag-Erling Smørgrav  writes:
> > > In the meantime, you can try something like this in .bashrc or
> > > whatever:
> > Impossible. For accessing .bashrc on Kerberized NFS, a correct
> > /tmp/krb5cc_<uid> is needed.
> 
> /etc/profile, then.

OK, what about tcsh, zsh, fish and scp/sftp?

Re: HPN and None options in OpenSSH

2016-01-24 Thread Dag-Erling Smørgrav
Slawa Olhovchenkov  writes:
> OK, what about tcsh, zsh, fish and scp/sftp?

I apologize for trying to help you out by suggesting a hack that works
at least some of the time until I can get a permanent fix in.  I should
instead have hopped in my time machine, jumped back a few years, and
fixed the bug before it affected you.  No hard feelings?

DES
-- 
Dag-Erling Smørgrav - d...@des.no

Re: HPN and None options in OpenSSH

2016-01-23 Thread Kevin Oberman
On Sat, Jan 23, 2016 at 7:55 AM, Dag-Erling Smørgrav  wrote:

> Julian Elischer  writes:
> > what is the internal window size in the new ssh?
>
> 64 kB.
>
> DES
> --
> Dag-Erling Smørgrav - d...@des.no


Are you sure of this? I have not looked at the code, but my former
colleagues at the high performance research network ESnet claim at
http://fasterdata.es.net/data-transfer-tools/say-no-to-scp/ that the
internal buffers and effective window size have recently been increased
from 64KB to 1MB and allow for transfer rates of up to 140 Mbps over a link
with 53 ms latency. With the HPN patches, they report 1.2 Gbps, making the HPN
patches still significant over high latency paths.

That said, scp still performed poorly when compared to other technologies
(i.e. GridFTP) for bulk data transfer over high-latency high-bandwidth
links. (ESnet provides links of up to 400 Gbps between the US and Europe as
well as within the US, so this sort of thing is quite important to them.)
--
Kevin Oberman, Part time kid herder and retired Network Engineer
E-mail: rkober...@gmail.com
PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683

Re: HPN and None options in OpenSSH

2016-01-23 Thread Dag-Erling Smørgrav
Julian Elischer  writes:
> what is the internal window size in the new ssh?

64 kB.

DES
-- 
Dag-Erling Smørgrav - d...@des.no

Re: HPN and None options in OpenSSH

2016-01-23 Thread Michael Sinatra
On 01/23/16 09:15, Kevin Oberman wrote:

> Are you sure of this? I have not looked at the code, but my former
> colleagues at the high performance research network ESnet claim at
> http://fasterdata.es.net/data-transfer-tools/say-no-to-scp/ that the
> internal buffers and effective window size have recently been increased
> from 64KB to 1MB and allow for transfer rates of up to 140 Mbps over a link
> with 53 ms latency. With the HPN patches, they report 1.2 Gbps, making the HPN
> patches still significant over high latency paths.

DES wrote:

> The buffer code in 7.1
> supports dynamically-sized buffers with a hard limit of 128 MB.  The
> default window size for client sessions is 2 MB, or 1 MB if associated
> with a tty.  I'm not sure what the maximum size is.

I'll try to do some cross-country or trans-Atlantic testing this weekend
or next week, using a mix of ssh versions and HPN-patched versus not
(and CentOS vs. FreeBSD vs. possibly Debian unstable with the 4.2+
kernel as yet another degree of freedom).  I'll see what basic results I
can get and we can update fasterdata.es.net as necessary.

> That said, scp still performed poorly when compared to other technologies
> (i.e. GridFTP) for bulk data transfer over high-latency high-bandwidth
> links. (ESnet provides links of up to 400 Gbps between the US and Europe as
> well as within the US, so this sort of thing is quite important to them.)

That it is!

> scp is a horrible protocol, use sftp or (preferably) rsync over ssh.

I still think  over ssh transport is lousy for bulk-data
transfers, but it is the one thing that's generally installed by default
on every OS and is allowed by many firewalls.  And, of course, it
encrypts in flight.  Certainly gridFTP, aspera (if you can afford it!)
and other packages optimized for bulk data transfer will work better.

michael
ESnet



Re: HPN and None options in OpenSSH

2016-01-23 Thread Dag-Erling Smørgrav
Kevin Oberman  writes:
> Dag-Erling Smørgrav  writes:
> > Julian Elischer  writes:
> > > what is the internal window size in the new ssh?
> > 64 kB.
> Are you sure of this?

Sorry, I was thinking of 6.6 (in stable/10).  The buffer code in 7.1
supports dynamically-sized buffers with a hard limit of 128 MB.  The
default window size for client sessions is 2 MB, or 1 MB if associated
with a tty.  I'm not sure what the maximum size is.  Note that scp, sftp
etc. count as client sessions.  X11 and agent forwarding use different
(smaller) windows which improve latency at the cost of throughput.

> [...] scp still performed poorly when compared to other technologies

scp is a horrible protocol, use sftp or (preferably) rsync over ssh.

DES
-- 
Dag-Erling Smørgrav - d...@des.no

HPN and None options in OpenSSH

2016-01-22 Thread Dag-Erling Smørgrav
The HPN and None cipher patches have been removed from FreeBSD-CURRENT.
I intend to remove them from FreeBSD-STABLE this weekend.

The HPN patches were of limited usefulness and required a great deal of
effort to maintain in our tree.  The None cipher patch was less onerous,
but it was a terrible idea with a very small user base since it was a
compile-time option and off by default.

The HPN-related configuration variables have been marked deprecated,
while those related to the None cipher have been marked unsupported.
This means that the former will be accepted with a warning, whereas the
latter will result in an error.

Most users will not be affected by this change.  Those who are should
switch to the openssh-portable port, which still offers both patches,
with HPN enabled by default.

It is expected that FreeBSD 10.3 will ship with OpenSSH 7.1p2, with a
number of modifications intended to reduce the impact of upstream
changes on existing systems.

DES
-- 
Dag-Erling Smørgrav - d...@des.no

Re: HPN and None options in OpenSSH

2016-01-22 Thread Julian Elischer

On 22/01/2016 10:31 PM, Dag-Erling Smørgrav wrote:
> The HPN and None cipher patches have been removed from FreeBSD-CURRENT.
> I intend to remove them from FreeBSD-STABLE this weekend.
>
> The HPN patches were of limited usefulness and required a great deal of
> effort to maintain in our tree.  The None cipher patch was less onerous,
> but it was a terrible idea with a very small user base since it was a
> compile-time option and off by default.
>
> The HPN-related configuration variables have been marked deprecated,
> while those related to the None cipher have been marked unsupported.
> This means that the former will be accepted with a warning, whereas the
> latter will result in an error.
>
> Most users will not be affected by this change.  Those who are should
> switch to the openssh-portable port, which still offers both patches,
> with HPN enabled by default.
>
> It is expected that FreeBSD 10.3 will ship with OpenSSH 7.1p2, with a
> number of modifications intended to reduce the impact of upstream
> changes on existing systems.

what is the internal window size in the new ssh?

> DES

