Re: OpenSSH HPN
On Tue, Nov 24, 2015 at 09:29:44PM +0100, Aaron Zauner wrote: > Hi, > > Please forgive my ignorance but what's the reason FreeBSD ships > OpenSSH patched with HPN by default? Besides my passion for > security, I've been working in the HPC sector for a while and > benchmarked the patch for a customer about 1.5 years ago. The > CTR-multi threading patch is actually *slower* than upstream OpenSSH > with AES in CTR mode. GCM being, of course, the fastest mode on > AESNI plattforms. We never imported the AES bits as they were broken and AESNI was available. > The NULL mode is a security concern as some have noted, I can only > imagine that the window-scaling patch is of such importance? Both NULL and window-scaling were merged because both are useful in some environments. -- Brooks signature.asc Description: PGP signature
Re: OpenSSH HPN
On 1/12/2015 3:23 AM, Brooks Davis wrote: On Tue, Nov 24, 2015 at 09:29:44PM +0100, Aaron Zauner wrote: Hi, Please forgive my ignorance but what's the reason FreeBSD ships OpenSSH patched with HPN by default? Besides my passion for security, I've been working in the HPC sector for a while and benchmarked the patch for a customer about 1.5 years ago. The CTR-multi threading patch is actually *slower* than upstream OpenSSH with AES in CTR mode. GCM being, of course, the fastest mode on AESNI plattforms. We never imported the AES bits as they were broken and AESNI was available. The NULL mode is a security concern as some have noted, I can only imagine that the window-scaling patch is of such importance? Both NULL and window-scaling were merged because both are useful in some environments. yeah but Null was just unmerged. window scaling is also on the block I think -- Brooks ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: OpenSSH HPN
Hi, Please forgive my ignorance but what's the reason FreeBSD ships OpenSSH patched with HPN by default? Besides my passion for security, I've been working in the HPC sector for a while and benchmarked the patch for a customer about 1.5 years ago. The CTR-multi threading patch is actually *slower* than upstream OpenSSH with AES in CTR mode. GCM being, of course, the fastest mode on AESNI plattforms. The NULL mode is a security concern as some have noted, I can only imagine that the window-scaling patch is of such importance? Thanks, Aaron signature.asc Description: Digital signature
Re: OpenSSH HPN
On 2015-11-14 02:47, John-Mark Gurney wrote: > Allan Jude wrote this message on Thu, Nov 12, 2015 at 17:57 -0500: >> On 2015-11-12 12:56, John-Mark Gurney wrote: >>> Allan Jude wrote this message on Thu, Nov 12, 2015 at 12:15 -0500: On 2015-11-11 19:06, Slawa Olhovchenkov wrote: > On Wed, Nov 11, 2015 at 01:32:27PM -0800, Bryan Drewery wrote: > >> On 11/10/2015 1:42 AM, Dag-Erling Smørgrav wrote: >>> I would also like to remove the NONE cipher >>> patch, which is also available in the port (off by default, just like in >>> base). >> >> Fun fact, it's been broken in the port for several months with no >> complaints. It was just reported and fixed upstream in the last day and >> I wrote in a similar fix in the port. That speaks a lot about its usage >> in the port currently. > > I am try using NPH/NONE with base ssh and confused: don't see > performance rise, too complex to enable and too complex for use. I did a few quick (and dirty) benchmarks and it shows that the NONE cipher definitely makes a difference. Version of OpenSSL also seems to make a difference, as one might expect. Note: openssh from ports seems to link against both base and ports libcrypto, I am still trying to make sure this isn't corrupting my benchmark results. >>> >>> You don't need the aesni.ko module loaded for OpenSSL (which is how >>> OpenSSH uses most crypto algos) to use AES-NI.. >>> >>> Also, do you set any sysctl's to play w/ the buffer sizes or anything? >>> I am still debugging my dummynet setup to be able to prove that HPN makes a difference (but it does). >>> >>> Does my example on the page not work for you? >>> https://wiki.freebsd.org/SSHPerf >>> >> >> I found that when I set even 5ms of delay with dummynet, bandwidth over >> the LAN drops more than it should. Dummynet is limiting the rate rather >> than just adding the delay. I am investigating. >> >> I found this document: >> http://www.cs.unc.edu/~jeffay/dirt/FAQ/hstcp-howto.pdf >> >> Which is from the 6.x era, but suggests: >> >> "One subtle bug exists in the stock Dummynet implementation that should >> be corrected for experiments. When a packet arrives in dummynet it is >> shoved into a queue which limits the bandwidth a TCP flow may use. Upon >> exit from the queue, the packet is transferred to a pipe where it sits >> for any configured amount of delay time and might possibly be dropped >> depending on the loss probability. Once the delay time has passed, the >> packet is released to ip output." >> >> May be the cause of my problem > > Ahhh, probably need to adjust: > net.inet.ip.dummynet.pipe_byte_limit: 1048576 > net.inet.ip.dummynet.pipe_slot_limit: 100 > > But even w/ the above limits and 5ms, you should still be able to push > 200MB/sec... > I worked with Hiren and some of his dtrace magic and figured out that dummynet was not my issue. I didn't end up needing to change the dummynet pipe slot/byte limit in order to get the full 10gig/sec even with 100ms delay from dummynet. You just need to adjust: net.inet.tcp.sendbuf_max=BDP net.inet.tcp.recvbuf_max=BDP kern.ipc.maxsockbuf= ( BDP * (2048+256) ) / 2048 for a 50ms RTT: BDP = 10gbps * .05 = ~60mb It can also greatly help to increase: net.inet.tcp.abc_l_var Which is how many additional segments the CWNDs is incremented by each RTT during slow-start. I am still working on my set of benchmarks to show what different HPN makes with different RTT values, as well as what might be required to achieve max throughput for SSH over both LAN and the internet. (For my company, we regularly transmit 500GB ZFS datasets over the public internet on 1gbps or 2x1gbps connections) -- Allan Jude signature.asc Description: OpenPGP digital signature
Re: OpenSSH HPN
Ok, some new testing... nc w/ 8MB sockbuf and {send,recv}buf_max can get over 50MB/sec using nc and a 100ms RTT.. Guess it's a good day... The hickups that I see look to be a buffer overrun on the tap or bridge interface, as I did see some errors, and on the sender side, the TCP protocol stats showed some retransmits.. A quick recap of the info below at 50ms RTT: server client HEAD w/ HPN stock 7.1p1 HEAD w/ HPN 1MB/sec 6.5MB/sec stock 7.1p1 2MB/sec 7MB/sec TL;DR: HPN patches hurt no matter how you look at things... client HEAD w/ HPN, the tcpwinsz is always 66608 the server HEAD w/ HPN, the rcvd adjust is always 49152 the server stock 7.1p1, the rcvd adjust is always 131072 client HPN: OpenSSH_6.6.1p1, OpenSSL 1.0.1m-freebsd 19 Mar 2015 client stock: OpenSSH_7.1p1, OpenSSL 1.0.1m-freebsd 19 Mar 2015 server HPN: OpenSSH_6.6.1p1, OpenSSL 1.0.1o-freebsd 12 Jun 2015 server stock: OpenSSH_7.1p1, OpenSSL 1.0.1o-freebsd 12 Jun 2015 All tests below were done w/ a 25ms pipe delay, resulting in a 50ms RTT... Baseline nc results in ~55MB/sec, but this is cpu limited by bhyve... The dual stock 7.1p is only using about a quarter of the cpu, so not at all cpu limited... Proto Recv-Q Send-Q Local Address Foreign AddressR-MBUF S-MBUF R-CLUS S-CLUS R-HIWA S-HIWA R-LOWA S-LOWA R-BCNT S-BCNT R-BMAX S-BMAX rexmt persistkeep2msl delack rcvtime tcp4 0 2851352 192.168.0.21.44972 192.168.0.50.3845 0 1052 0 1043 66608 2851352 1 2048 0 4262912 532864 8388608 0.260.00 7199.990.000.000.00 I forgot about -vvv... So, w/ HEAD ssh (w/ HPN) on both sides, the transmitter, I see lots of: debug2: channel 0: rcvd adjust 49152 debug2: tcpwinsz: 66608 for connection: 3 debug2: tcpwinsz: 66608 for connection: 3 debug2: tcpwinsz: 66608 for connection: 3 debug2: tcpwinsz: 66608 for connection: 3 debug2: tcpwinsz: 66608 for connection: 3 And the send-q is 49312: Proto Recv-Q Send-Q Local Address Foreign AddressR-MBUF S-MBUF R-CLUS S-CLUS R-HIWA S-HIWA R-LOWA S-LOWA R-BCNT S-BCNT R-BMAX S-BMAX rexmt persistkeep2msl delack rcvtime tcp4 0 49312 192.168.0.21.51135 192.168.0.50.22 0 15 0 13 66608 98840 1 2048 0 55040 532864 7907200.21 0.00 7199.950.000.000.04 And adjusting the delay to 0 shows ssh getting 50MB/sec, so it should be possible... adjusting the delay shows a linear change in bandwidth (200ms -> 500KB/sec, 100ms -> 1MB/sec, 50ms -> 2MB/sec), so looks like ssh is artifically limitting the window... If I run w/ stock, compiled from source, OpenSSH 7.1p1 on the server side (receiver side) and HEAD ssh on client side, I get ~6.5MB/sec.. w/ -vvv I see: debug2: channel 0: rcvd adjust 131072 debug2: tcpwinsz: 66608 for connection: 3 debug2: tcpwinsz: 66608 for connection: 3 debug2: tcpwinsz: 66608 for connection: 3 [this line repeated tons of times] In this case, I do see the send-q stay at around 229912: Proto Recv-Q Send-Q Local Address Foreign AddressR-MBUF S-MBUF R-CLUS S-CLUS R-HIWA S-HIWA R-LOWA S-LOWA R-BCNT S-BCNT R-BMAX S-BMAX rexmt persistkeep2msl delack rcvtime tcp4 0 229912 192.168.0.21.55975 192.168.0.50.22 0 77 0 77 66608 229912 1 2048 0 316672 532864 18392960.24 0.00 7199.990.000.000.00 With compiled from source, OpenSSH 7.1.p1 on both sides, I get around 7MB/sec and -vvv gives: debug2: channel 0: rcvd adjust 131072 And the send-q stays around 229912: Proto Recv-Q Send-Q Local Address Foreign AddressR-MBUF S-MBUF R-CLUS S-CLUS R-HIWA S-HIWA R-LOWA S-LOWA R-BCNT S-BCNT R-BMAX S-BMAX rexmt persistkeep2msl delack rcvtime tcp4 0 229912 192.168.0.21.10699 192.168.0.50.22 0 80 0 80 66608 229912 1 2048 0 339968 532864 18392960.25 0.00 7199.990.000.000.00 With compiled from source on the client, and HEAD OpenSSH w/ HPN on the server side, 2MB/sec, -vvv shows: debug2: channel 0: rcvd adjust 49152 and the send-q stays around 49296: Proto Recv-Q Send-Q Local Address Foreign AddressR-MBUF S-MBUF R-CLUS S-CLUS R-HIWA S-HIWA R-LOWA S-LOWA R-BCNT S-BCNT R-BMAX S-BMAX rexmt persistkeep2msl delack rcvtime tcp4 0 49296 192.168.0.21.43918 192.168.0.50.22 0 15 0 13 66608 98840 1 2048 0 55040 532864 7907200.20 0.00 7199.950.000.000.04 /etc/ssh/ssh{,d}_config are all stock (except PermitRootLogin is yes on the VM), and the client side's .ssh/config only contains a single commented out line... P.S. I've had two panics on the dummynet box (running nc) the last being: Fatal trap 9: general protection fault while in kernel mode cpuid = 0; apic id = 00 instruction pointer =
Re: OpenSSH HPN
Allan Jude wrote this message on Sat, Nov 14, 2015 at 11:53 -0500: > On 2015-11-14 02:47, John-Mark Gurney wrote: > > Allan Jude wrote this message on Thu, Nov 12, 2015 at 17:57 -0500: > >> On 2015-11-12 12:56, John-Mark Gurney wrote: > >>> Allan Jude wrote this message on Thu, Nov 12, 2015 at 12:15 -0500: > On 2015-11-11 19:06, Slawa Olhovchenkov wrote: > > On Wed, Nov 11, 2015 at 01:32:27PM -0800, Bryan Drewery wrote: > > > >> On 11/10/2015 1:42 AM, Dag-Erling Smørgrav wrote: > >>> I would also like to remove the NONE cipher > >>> patch, which is also available in the port (off by default, just like > >>> in > >>> base). > >> > >> Fun fact, it's been broken in the port for several months with no > >> complaints. It was just reported and fixed upstream in the last day and > >> I wrote in a similar fix in the port. That speaks a lot about its usage > >> in the port currently. > > > > I am try using NPH/NONE with base ssh and confused: don't see > > performance rise, too complex to enable and too complex for use. > > I did a few quick (and dirty) benchmarks and it shows that the NONE > cipher definitely makes a difference. Version of OpenSSL also seems to > make a difference, as one might expect. > > Note: openssh from ports seems to link against both base and ports > libcrypto, I am still trying to make sure this isn't corrupting my > benchmark results. > >>> > >>> You don't need the aesni.ko module loaded for OpenSSL (which is how > >>> OpenSSH uses most crypto algos) to use AES-NI.. > >>> > >>> Also, do you set any sysctl's to play w/ the buffer sizes or anything? > >>> > I am still debugging my dummynet setup to be able to prove that HPN > makes a difference (but it does). > >>> > >>> Does my example on the page not work for you? > >>> > https://wiki.freebsd.org/SSHPerf > >>> > >> > >> I found that when I set even 5ms of delay with dummynet, bandwidth over > >> the LAN drops more than it should. Dummynet is limiting the rate rather > >> than just adding the delay. I am investigating. > >> > >> I found this document: > >> http://www.cs.unc.edu/~jeffay/dirt/FAQ/hstcp-howto.pdf > >> > >> Which is from the 6.x era, but suggests: > >> > >> "One subtle bug exists in the stock Dummynet implementation that should > >> be corrected for experiments. When a packet arrives in dummynet it is > >> shoved into a queue which limits the bandwidth a TCP flow may use. Upon > >> exit from the queue, the packet is transferred to a pipe where it sits > >> for any configured amount of delay time and might possibly be dropped > >> depending on the loss probability. Once the delay time has passed, the > >> packet is released to ip output." > >> > >> May be the cause of my problem > > > > Ahhh, probably need to adjust: > > net.inet.ip.dummynet.pipe_byte_limit: 1048576 > > net.inet.ip.dummynet.pipe_slot_limit: 100 > > > > But even w/ the above limits and 5ms, you should still be able to push > > 200MB/sec... > > I worked with Hiren and some of his dtrace magic and figured out that > dummynet was not my issue. I didn't end up needing to change the > dummynet pipe slot/byte limit in order to get the full 10gig/sec even > with 100ms delay from dummynet. > > You just need to adjust: > > net.inet.tcp.sendbuf_max=BDP > net.inet.tcp.recvbuf_max=BDP > > kern.ipc.maxsockbuf= ( BDP * (2048+256) ) / 2048 > > for a 50ms RTT: > > BDP = 10gbps * .05 = ~60mb I forgot to include _max adjustments on the page (the maxsockbuf was there), but in all of my tests, I can't get close to that.. In my case, I can demonstrate 20MB/sec+ over the link, and w/ a 100ms RTT, that'd be a 2MB buffer size, and even when I increase these to 8MB, and increase kern.ipc.maxsockbuf to 8MB too (otherwise _max is meaningless), I still get 1.5MB/sec, not even close... I do notice w/ nc that it'll slowly increase, and then suddenly back off, just to closely increase again... I wonder if there is some issue w/ TSO or tap that is causing issues... > It can also greatly help to increase: > net.inet.tcp.abc_l_var > > Which is how many additional segments the CWNDs is incremented by each > RTT during slow-start. > > > I am still working on my set of benchmarks to show what different HPN > makes with different RTT values, as well as what might be required to > achieve max throughput for SSH over both LAN and the internet. > > (For my company, we regularly transmit 500GB ZFS datasets over the > public internet on 1gbps or 2x1gbps connections) -- John-Mark Gurney Voice: +1 415 225 5579 "All that I will do, has been done, All that I have, has not." ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: OpenSSH HPN
Allan Jude wrote this message on Thu, Nov 12, 2015 at 17:57 -0500: > On 2015-11-12 12:56, John-Mark Gurney wrote: > > Allan Jude wrote this message on Thu, Nov 12, 2015 at 12:15 -0500: > >> On 2015-11-11 19:06, Slawa Olhovchenkov wrote: > >>> On Wed, Nov 11, 2015 at 01:32:27PM -0800, Bryan Drewery wrote: > >>> > On 11/10/2015 1:42 AM, Dag-Erling Smørgrav wrote: > > I would also like to remove the NONE cipher > > patch, which is also available in the port (off by default, just like in > > base). > > Fun fact, it's been broken in the port for several months with no > complaints. It was just reported and fixed upstream in the last day and > I wrote in a similar fix in the port. That speaks a lot about its usage > in the port currently. > >>> > >>> I am try using NPH/NONE with base ssh and confused: don't see > >>> performance rise, too complex to enable and too complex for use. > >> > >> I did a few quick (and dirty) benchmarks and it shows that the NONE > >> cipher definitely makes a difference. Version of OpenSSL also seems to > >> make a difference, as one might expect. > >> > >> Note: openssh from ports seems to link against both base and ports > >> libcrypto, I am still trying to make sure this isn't corrupting my > >> benchmark results. > > > > You don't need the aesni.ko module loaded for OpenSSL (which is how > > OpenSSH uses most crypto algos) to use AES-NI.. > > > > Also, do you set any sysctl's to play w/ the buffer sizes or anything? > > > >> I am still debugging my dummynet setup to be able to prove that HPN > >> makes a difference (but it does). > > > > Does my example on the page not work for you? > > > >> https://wiki.freebsd.org/SSHPerf > > > > I found that when I set even 5ms of delay with dummynet, bandwidth over > the LAN drops more than it should. Dummynet is limiting the rate rather > than just adding the delay. I am investigating. > > I found this document: > http://www.cs.unc.edu/~jeffay/dirt/FAQ/hstcp-howto.pdf > > Which is from the 6.x era, but suggests: > > "One subtle bug exists in the stock Dummynet implementation that should > be corrected for experiments. When a packet arrives in dummynet it is > shoved into a queue which limits the bandwidth a TCP flow may use. Upon > exit from the queue, the packet is transferred to a pipe where it sits > for any configured amount of delay time and might possibly be dropped > depending on the loss probability. Once the delay time has passed, the > packet is released to ip output." > > May be the cause of my problem Ahhh, probably need to adjust: net.inet.ip.dummynet.pipe_byte_limit: 1048576 net.inet.ip.dummynet.pipe_slot_limit: 100 But even w/ the above limits and 5ms, you should still be able to push 200MB/sec... -- John-Mark Gurney Voice: +1 415 225 5579 "All that I will do, has been done, All that I have, has not." ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: OpenSSH HPN
Bryan Drewerywrites: > It's harder to maintain the port version due to how the patches are > applied and generated. I have the diametrically opposite experience. The workflow for ports is significantly simpler than for base. Perhaps I should set up a paralell workflow for OpenSSH and apply the output of that workflow to the source tree instead of working entirely within the source tree. DES -- Dag-Erling Smørgrav - d...@des.no ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: OpenSSH HPN
On 2015-11-12 12:56, John-Mark Gurney wrote: > Allan Jude wrote this message on Thu, Nov 12, 2015 at 12:15 -0500: >> On 2015-11-11 19:06, Slawa Olhovchenkov wrote: >>> On Wed, Nov 11, 2015 at 01:32:27PM -0800, Bryan Drewery wrote: >>> On 11/10/2015 1:42 AM, Dag-Erling Smørgrav wrote: > I would also like to remove the NONE cipher > patch, which is also available in the port (off by default, just like in > base). Fun fact, it's been broken in the port for several months with no complaints. It was just reported and fixed upstream in the last day and I wrote in a similar fix in the port. That speaks a lot about its usage in the port currently. >>> >>> I am try using NPH/NONE with base ssh and confused: don't see >>> performance rise, too complex to enable and too complex for use. >> >> I did a few quick (and dirty) benchmarks and it shows that the NONE >> cipher definitely makes a difference. Version of OpenSSL also seems to >> make a difference, as one might expect. >> >> Note: openssh from ports seems to link against both base and ports >> libcrypto, I am still trying to make sure this isn't corrupting my >> benchmark results. > > You don't need the aesni.ko module loaded for OpenSSL (which is how > OpenSSH uses most crypto algos) to use AES-NI.. > > Also, do you set any sysctl's to play w/ the buffer sizes or anything? > >> I am still debugging my dummynet setup to be able to prove that HPN >> makes a difference (but it does). > > Does my example on the page not work for you? > >> https://wiki.freebsd.org/SSHPerf > I found that when I set even 5ms of delay with dummynet, bandwidth over the LAN drops more than it should. Dummynet is limiting the rate rather than just adding the delay. I am investigating. I found this document: http://www.cs.unc.edu/~jeffay/dirt/FAQ/hstcp-howto.pdf Which is from the 6.x era, but suggests: "One subtle bug exists in the stock Dummynet implementation that should be corrected for experiments. When a packet arrives in dummynet it is shoved into a queue which limits the bandwidth a TCP flow may use. Upon exit from the queue, the packet is transferred to a pipe where it sits for any configured amount of delay time and might possibly be dropped depending on the loss probability. Once the delay time has passed, the packet is released to ip output." May be the cause of my problem -- Allan Jude signature.asc Description: OpenPGP digital signature
Re: OpenSSH HPN
On Thu, 12 Nov 2015, Dewayne Geraghty wrote: > Heimdal is (and has been for some time) undergoing constant development. > For reasons unknown, they do not perform releases. I am aware of updates > from heimdal that are being applied to the samba project (in fact some of > the samba developers are also feeding into heimdal). The latest discussion > was that the heimdal project are going to release a 1.7 "sometime", > skipping 1.6 completely. Things seem to have slowed down a lot since the lead Heimdal developer got hired for Apple. They have Apple-internal changes that don't necessarily make their way back to the public project right away, and he is quite busy. There is no one who is employed to be a Heimdal release manager, and the main developers all have other projects -- putting out a release takes a fair bit of energy. MIT employs developers whose job descriptions include being the krb5 release manager, so there is financial support for putting out regular releases. Heimdal has changed plans to a 1.7 release because certain Linux distributions packaged a snapshot of the 1.6 tree (to support Samba, as I understand it), but then Heimdal development continued so that what would be in the next release would not really reflect what was already deployed using the 1.6 label. As I understand it, there are still a couple bugfixes/features that are considered to be blockers for the 1.7 release that have not been implemented yet, and since the developers in question are being paid to work on other things, there is no real timeline for the release. -Ben Kaduk ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: OpenSSH HPN
On 11/12/15 3:28 AM, Brooks Davis wrote: On Tue, Nov 10, 2015 at 04:40:42PM -0800, Bryan Drewery wrote: On 11/10/15 1:42 AM, Dag-Erling Sm??rgrav wrote: Some of you may have noticed that OpenSSH in base is lagging far behind the upstream code. The main reason for this is the burden of maintaining the HPN patches. They are extensive, very intrusive, and touch parts of the OpenSSH code that change significantly in every release. Since they are not regularly updated, I have to choose between trying to resolve the conflicts myself (hoping I don't break anything) or waiting for them to catch up and then figuring out how to apply the new version. Therefore, I would like to remove the HPN patches from base and refer anyone who really needs them to the openssh-portable port, which has them as a default option. I would also like to remove the NONE cipher patch, which is also available in the port (off by default, just like in base). I had this same problem as well, but have since reworked the HPN patch for ports to be more easily maintained. I've considered offering or just updating the base SSH, but have not since we have random changes in the HPN functionality in base that would be lost. We for some reason decided we were going to maintain our own version and not even upstream the changes to the HPN authors which has contributed to this situation. We had ever intention of upstreaming our cleaned up HPN patches and some interest from OpenSSH devs to take the window scaling portion of the patch upstream, but other things intruded and we never found time to complete that work. I think both the window scaling and NONE cipher changes are useful, but do not have time to do anything with them. I'm fine with them being removed from base and replaced or just dropped if they are in the way of progress. it would be nice if the outcome of this thread was that HPN patches (or something equivalent) were available by default in OpenSSH. WE also have our own patch we add to give a NODELAY option. It made a huge difference with tunnels where lots of small RPC packets were being sent. I'll look at getting it into upstream. -- Brooks ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: OpenSSH HPN
Benjamin Kadukwrites: > Things seem to have slowed down a lot since the lead Heimdal developer > got hired for Apple. [...] MIT employs developers whose job > descriptions include being the krb5 release manager [...] Heimdal has > changed plans to a 1.7 release [...] and since the developers in > question are being paid to work on other things, there is no real > timeline for the release. Given this state of affairs, it might not be unreasonable to consider switching back for 11. There should be enough time, provided our Kerberos maintainers have some spare cycles. DES -- Dag-Erling Smørgrav - d...@des.no ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: OpenSSH HPN
Slawa, Heimdal is (and has been for some time) undergoing constant development. For reasons unknown, they do not perform releases. I am aware of updates from heimdal that are being applied to the samba project (in fact some of the samba developers are also feeding into heimdal). The latest discussion was that the heimdal project are going to release a 1.7 "sometime", skipping 1.6 completely. Des - good to make your intentions public. I've enjoyed your youtube presentations and recognise that your time will be better spent. ( better authentication perhaps ;) ) Bryan - is doing a good job of looking after the openssh port. And if folks really need those additional features, then that is the place to enhance the "standard" offering; which can be upgraded in a pretty straightforward manner. Thought-provoking use of inetd perhaps its time to revisit as (an additional) DOS measure(?) Regards, Dewayne. PS My apologies for the repetition Slawa, I meant to reply all earlier. I'm recently becoming familiar with the gmail interface. On Thu, Nov 12, 2015 at 5:44 AM, Slawa Olhovchenkovwrote: > On Wed, Nov 11, 2015 at 07:18:31PM +0100, Dag-Erling Smørgrav wrote: > > > Slawa Olhovchenkov writes: > > > Can you explain what is problem? > > > > Radical suggestion: read the first email in the thread. > > I am read and don't understund (you talk about trouble of maintaining > the HPN patches). > I see patched version in ports. This version maintaining. > What is problem? Differnt openssh? Quality of patches? > Different branches? > ports branch is worse (by some reaason) base branch? > > > > PS: As I today know, kerberos heimdal is practicaly dead as opensource > > > project. Have FreeBSD planed switch to MIT Kerberos? I am know about > > > security/krb5. > > > > We switched from MIT to Heimdal at some point in the past for some > > reason I don't remember. MIT and Heimdal are *not* interchangeable at > > I think because MIT stop development in the past. > > > the source or binary level, so switching back is not trivial. > > I am know about this. > ___ > freebsd-secur...@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org > " > ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: OpenSSH HPN
On 11/12/15 5:32 AM, Bryan Drewery wrote: On 11/10/2015 1:42 AM, Dag-Erling Smørgrav wrote: I would also like to remove the NONE cipher patch, which is also available in the port (off by default, just like in base). Fun fact, it's been broken in the port for several months with no complaints. It was just reported and fixed upstream in the last day and I wrote in a similar fix in the port. That speaks a lot about its usage in the port currently. we use it all the time, we just don't update all that often. ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: OpenSSH HPN
On Thu, Nov 12, 2015 at 12:15:35PM -0500, Allan Jude wrote: > On 2015-11-11 19:06, Slawa Olhovchenkov wrote: > > On Wed, Nov 11, 2015 at 01:32:27PM -0800, Bryan Drewery wrote: > > > >> On 11/10/2015 1:42 AM, Dag-Erling Smørgrav wrote: > >>> I would also like to remove the NONE cipher > >>> patch, which is also available in the port (off by default, just like in > >>> base). > >> > >> Fun fact, it's been broken in the port for several months with no > >> complaints. It was just reported and fixed upstream in the last day and > >> I wrote in a similar fix in the port. That speaks a lot about its usage > >> in the port currently. > > > > I am try using NPH/NONE with base ssh and confused: don't see > > performance rise, too complex to enable and too complex for use. > > > > ___ > > freebsd-current@freebsd.org mailing list > > https://lists.freebsd.org/mailman/listinfo/freebsd-current > > To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org" > > > > I did a few quick (and dirty) benchmarks and it shows that the NONE > cipher definitely makes a difference. Version of OpenSSL also seems to > make a difference, as one might expect. > > Note: openssh from ports seems to link against both base and ports > libcrypto, I am still trying to make sure this isn't corrupting my > benchmark results. > > I am still debugging my dummynet setup to be able to prove that HPN > makes a difference (but it does). > > https://wiki.freebsd.org/SSHPerf I see you test NONE only on OpenSSH_7.1p1/1.0.2d. I am try OpenSSH_6.6.1p1./1.0.1p (both side) I am got about 500Mbit/s. For OpenSSH_6.6.1p1/NONE I am got abot same. I am don't see this combination in you table (OpenSSH_6.6.1p1./1.0.1p ix0 OpenSSH_6.6.1p1./1.0.1p) ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: OpenSSH HPN
Allan Jude wrote this message on Thu, Nov 12, 2015 at 12:15 -0500: > On 2015-11-11 19:06, Slawa Olhovchenkov wrote: > > On Wed, Nov 11, 2015 at 01:32:27PM -0800, Bryan Drewery wrote: > > > >> On 11/10/2015 1:42 AM, Dag-Erling Smørgrav wrote: > >>> I would also like to remove the NONE cipher > >>> patch, which is also available in the port (off by default, just like in > >>> base). > >> > >> Fun fact, it's been broken in the port for several months with no > >> complaints. It was just reported and fixed upstream in the last day and > >> I wrote in a similar fix in the port. That speaks a lot about its usage > >> in the port currently. > > > > I am try using NPH/NONE with base ssh and confused: don't see > > performance rise, too complex to enable and too complex for use. > > I did a few quick (and dirty) benchmarks and it shows that the NONE > cipher definitely makes a difference. Version of OpenSSL also seems to > make a difference, as one might expect. > > Note: openssh from ports seems to link against both base and ports > libcrypto, I am still trying to make sure this isn't corrupting my > benchmark results. You don't need the aesni.ko module loaded for OpenSSL (which is how OpenSSH uses most crypto algos) to use AES-NI.. Also, do you set any sysctl's to play w/ the buffer sizes or anything? > I am still debugging my dummynet setup to be able to prove that HPN > makes a difference (but it does). Does my example on the page not work for you? > https://wiki.freebsd.org/SSHPerf -- John-Mark Gurney Voice: +1 415 225 5579 "All that I will do, has been done, All that I have, has not." ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: OpenSSH HPN
On Thu, Nov 12, 2015 at 12:51:30PM -0500, Allan Jude wrote: > On 2015-11-12 12:44, Slawa Olhovchenkov wrote: > > On Thu, Nov 12, 2015 at 12:15:35PM -0500, Allan Jude wrote: > > > >> On 2015-11-11 19:06, Slawa Olhovchenkov wrote: > >>> On Wed, Nov 11, 2015 at 01:32:27PM -0800, Bryan Drewery wrote: > >>> > On 11/10/2015 1:42 AM, Dag-Erling Smørgrav wrote: > > I would also like to remove the NONE cipher > > patch, which is also available in the port (off by default, just like in > > base). > > Fun fact, it's been broken in the port for several months with no > complaints. It was just reported and fixed upstream in the last day and > I wrote in a similar fix in the port. That speaks a lot about its usage > in the port currently. > >>> > >>> I am try using NPH/NONE with base ssh and confused: don't see > >>> performance rise, too complex to enable and too complex for use. > >>> > >>> ___ > >>> freebsd-current@freebsd.org mailing list > >>> https://lists.freebsd.org/mailman/listinfo/freebsd-current > >>> To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org" > >>> > >> > >> I did a few quick (and dirty) benchmarks and it shows that the NONE > >> cipher definitely makes a difference. Version of OpenSSL also seems to > >> make a difference, as one might expect. > >> > >> Note: openssh from ports seems to link against both base and ports > >> libcrypto, I am still trying to make sure this isn't corrupting my > >> benchmark results. > >> > >> I am still debugging my dummynet setup to be able to prove that HPN > >> makes a difference (but it does). > >> > >> https://wiki.freebsd.org/SSHPerf > > > > I see you test NONE only on OpenSSH_7.1p1/1.0.2d. > > I am try OpenSSH_6.6.1p1./1.0.1p (both side) > > I am got about 500Mbit/s. > > For OpenSSH_6.6.1p1/NONE I am got abot same. > > > > I am don't see this combination in you table (OpenSSH_6.6.1p1./1.0.1p ix0 > > OpenSSH_6.6.1p1./1.0.1p) > > > > If NONE is actually being used, big warnings will be printed to your screen: > > WARNING: ENABLED NONE CIPHER > WARNING: ENABLED NONE CIPHER > > If you don't see this, NONE is not being used. I am see this, of couse. ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: OpenSSH HPN
On 2015-11-12 12:44, Slawa Olhovchenkov wrote: > On Thu, Nov 12, 2015 at 12:15:35PM -0500, Allan Jude wrote: > >> On 2015-11-11 19:06, Slawa Olhovchenkov wrote: >>> On Wed, Nov 11, 2015 at 01:32:27PM -0800, Bryan Drewery wrote: >>> On 11/10/2015 1:42 AM, Dag-Erling Smørgrav wrote: > I would also like to remove the NONE cipher > patch, which is also available in the port (off by default, just like in > base). Fun fact, it's been broken in the port for several months with no complaints. It was just reported and fixed upstream in the last day and I wrote in a similar fix in the port. That speaks a lot about its usage in the port currently. >>> >>> I am try using NPH/NONE with base ssh and confused: don't see >>> performance rise, too complex to enable and too complex for use. >>> >>> ___ >>> freebsd-current@freebsd.org mailing list >>> https://lists.freebsd.org/mailman/listinfo/freebsd-current >>> To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org" >>> >> >> I did a few quick (and dirty) benchmarks and it shows that the NONE >> cipher definitely makes a difference. Version of OpenSSL also seems to >> make a difference, as one might expect. >> >> Note: openssh from ports seems to link against both base and ports >> libcrypto, I am still trying to make sure this isn't corrupting my >> benchmark results. >> >> I am still debugging my dummynet setup to be able to prove that HPN >> makes a difference (but it does). >> >> https://wiki.freebsd.org/SSHPerf > > I see you test NONE only on OpenSSH_7.1p1/1.0.2d. > I am try OpenSSH_6.6.1p1./1.0.1p (both side) > I am got about 500Mbit/s. > For OpenSSH_6.6.1p1/NONE I am got abot same. > > I am don't see this combination in you table (OpenSSH_6.6.1p1./1.0.1p ix0 > OpenSSH_6.6.1p1./1.0.1p) > If NONE is actually being used, big warnings will be printed to your screen: WARNING: ENABLED NONE CIPHER WARNING: ENABLED NONE CIPHER If you don't see this, NONE is not being used. -- Allan Jude signature.asc Description: OpenPGP digital signature
Re: OpenSSH HPN
On 2015-11-11 19:06, Slawa Olhovchenkov wrote: > On Wed, Nov 11, 2015 at 01:32:27PM -0800, Bryan Drewery wrote: > >> On 11/10/2015 1:42 AM, Dag-Erling Smørgrav wrote: >>> I would also like to remove the NONE cipher >>> patch, which is also available in the port (off by default, just like in >>> base). >> >> Fun fact, it's been broken in the port for several months with no >> complaints. It was just reported and fixed upstream in the last day and >> I wrote in a similar fix in the port. That speaks a lot about its usage >> in the port currently. > > I am try using NPH/NONE with base ssh and confused: don't see > performance rise, too complex to enable and too complex for use. > > ___ > freebsd-current@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-current > To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org" > I did a few quick (and dirty) benchmarks and it shows that the NONE cipher definitely makes a difference. Version of OpenSSL also seems to make a difference, as one might expect. Note: openssh from ports seems to link against both base and ports libcrypto, I am still trying to make sure this isn't corrupting my benchmark results. I am still debugging my dummynet setup to be able to prove that HPN makes a difference (but it does). https://wiki.freebsd.org/SSHPerf -- Allan Jude signature.asc Description: OpenPGP digital signature
Re: OpenSSH HPN
Bryan Drewerywrites: > Actually I am missing the client-side VersionAddendum support (ssh.c). I > only have server-side (sshd.c). This is just due to lack of motivation > to import the changes. Pretty sure I sent Damien the patch a few years ago... There was also a bug in the server-side code (IIRC, one place where it printed only the hardcoded version instead of the variable string). I'll try again. DES -- Dag-Erling Smørgrav - d...@des.no ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: OpenSSH HPN
On Wednesday, 11 November 2015, John-Mark Gurneywrote: > Ben Woods wrote this message on Wed, Nov 11, 2015 at 15:40 +0800: > > I have to agree that there are cases when the NONE cipher makes sense, > and > > it is up to the end user to make sure they know what they are doing. > > > > Personally I have used it at home to backup my old FreeBSD server (which > > does not have AESNI) over a dedicated network connection to a backup > server > > using rsync/ssh. Since it was not possible for anyone else to be on that > > local network, and the server was so old it didn't have AESNI and would > > soon be retired, using the NONE cipher sped up the transfer > significantly. > > If you have a trusted network, why not just use nc? > Honest answer: ignorance of how I can use netcat together with rsync. -- -- From: Benjamin Woods woods...@gmail.com ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: OpenSSH HPN
On 11/10/15 5:42 PM, Dag-Erling Smørgrav wrote: Some of you may have noticed that OpenSSH in base is lagging far behind the upstream code. The main reason for this is the burden of maintaining the HPN patches. They are extensive, very intrusive, and touch parts of the OpenSSH code that change significantly in every release. Since they are not regularly updated, I have to choose between trying to resolve the conflicts myself (hoping I don't break anything) or waiting for them to catch up and then figuring out how to apply the new version. Therefore, I would like to remove the HPN patches from base and refer anyone who really needs them to the openssh-portable port, which has them as a default option. I would also like to remove the NONE cipher patch, which is also available in the port (off by default, just like in base). DES The inclusion of the HPN patches meant that we could drop a custom unsupported HPN enabled ssh from our build process. It makes ssh actually usable. Without it we need to keep integrating HPN ever time ssh is upgraded. We were SO HAPPY when it came in by default. ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: OpenSSH HPN
On 11/10/15 7:16 PM, Dag-Erling Smørgrav wrote: Bob Bishopwrites: Is removing HPN going to impact the performance of tunnelled X connexions? yes if your rtt is greater than about 85 mSec I don't know he details but I noticed a big difference. I had thought X wouldn't show much difference but in fact it did. At work we had to add HPN to get anything like acceptable performance on various tunnels our appliance uses. I don't think so. It mostly affects the performance of long unidirectional streams (file transfers) whereas the X protocol, as far as I know, is a bidirectional exchange of relatively short messages. It may make a difference for applications that transfer large textures... I don't really know enough about the X protocol to say for certain, but I am typing this in Emacs over a non-HPN SSH connection, and I regularly tunnel Firefox between the same two machines (RHEL 7 desktop at work and FreeBSD 10 desktop at home). DES ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: OpenSSH HPN
For a fast transfer of large files see sysutils/bbcp. It uses ssh to establish authorized connection, then does a transfer over multiple parallel TCP sessions by itself. If data encryption is needed, combine it with security/hpenc Mark ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: OpenSSH HPN
On 11/11/2015 10:13 AM, Slawa Olhovchenkov wrote: > On Wed, Nov 11, 2015 at 05:51:25PM +0100, Dag-Erling Smørgrav wrote: > >> Bryan Drewerywrites: >>> Another thing that I did with the port was restore the tcpwrapper >>> support that upstream removed. Again, if we decide it is not worth >>> keeping in base I will remove it as default in the port. >> >> I want to keep tcpwrapper support - it is another reason why I still >> haven't upgraded OpenSSH, but to the best of my knowledge, it is far >> less intrusive than HPN. > > Can you explain what is problem? > I am see openssh in base and openssh in ports (more recent version) > with same functionaly patches. > You talk about trouble to upgrade. What is root? > openssh in base have different vendor and/or license? > Or something else? > > PS: As I today know, kerberos heimdal is practicaly dead as opensource > project. Have FreeBSD planed switch to MIT Kerberos? > I am know about security/krb5. > IMHO the problem comes down to time. Patching an upstream project increases maintenance cost for upgrading it. Every patch adds up. When you become busy and don't have time to pay attention to every little change made in a release, hearing 'removed tcpwrappers support' or 'refactored the code for libssh usage' makes it sound like 1 more thing you must deal with to upgrade that code base and more effort to validate that your patches are right. We obviously don't want to just drop in the latest code and throw it out there as broken. SSH is quite critical and we want to ensure our changes are still right, and that doing something like adding tcpwrappers back in won't introduce some security bug that upstream was coy about. -- Regards, Bryan Drewery signature.asc Description: OpenPGP digital signature
Re: OpenSSH HPN
On 11/11/2015 1:04 AM, Dag-Erling Smørgrav wrote: > Ben Woodswrites: >> Personally I have used it at home to backup my old FreeBSD server >> (which does not have AESNI) over a dedicated network connection to a >> backup server using rsync/ssh. Since it was not possible for anyone >> else to be on that local network, and the server was so old it didn't >> have AESNI and would soon be retired, using the NONE cipher sped up >> the transfer significantly. > > In that scenario, you don't need ssh at all. Just set up rsyncd on the > backup server. > Yes, it's more a matter of convenience with key management. I admit that after some recent changes I've made I did resort to using the base SSH and rsync:// to achieve my backups over VPN out of not wanting to customize the the new system further with the port version or rebuilding base. -- Regards, Bryan Drewery signature.asc Description: OpenPGP digital signature
Re: OpenSSH HPN
On 11/10/2015 3:48 AM, Dag-Erling Smørgrav wrote: > Willem Jan Withagenwrites: >> "Dag-Erling Smørgrav" writes: >>> Willem Jan Withagen writes: Are they still willing to accept changes to the old version that is currently in base? >>> No, why would they do that? >> Exactly my question I guess I misinterpreted your suggestion on >> upstreaming patches. > > I didn't suggest submitting patches, I suggested submitting a feature > request. Damien is generally pretty open to suggestions. > My own experience here has been positive, both with patches, feature suggestion, and general discussion. The upstream is more open than people may think. -- Regards, Bryan Drewery signature.asc Description: OpenPGP digital signature
Re: OpenSSH HPN
Daniel Kalchevwrites: > I must have missed the explanation. But why having a NONE cypher > compiled in, but disabled in the configuration is a bad idea? It increases the cost of maintaining OpenSSH in base noticeably without providing real value unless you are one of the few people who need HPN and lack the CPU power to perform encryption at line speed. DES -- Dag-Erling Smørgrav - d...@des.no ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: OpenSSH HPN
Slawa Olhovchenkovwrites: > Can you explain what is problem? Radical suggestion: read the first email in the thread. > PS: As I today know, kerberos heimdal is practicaly dead as opensource > project. Have FreeBSD planed switch to MIT Kerberos? I am know about > security/krb5. We switched from MIT to Heimdal at some point in the past for some reason I don't remember. MIT and Heimdal are *not* interchangeable at the source or binary level, so switching back is not trivial. DES -- Dag-Erling Smørgrav - d...@des.no ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: OpenSSH HPN
On 11/11/2015 1:23 AM, Dag-Erling Smørgrav wrote: > Bryan Drewerywrites: >> Actually I am missing the client-side VersionAddendum support (ssh.c). I >> only have server-side (sshd.c). This is just due to lack of motivation >> to import the changes. > > Pretty sure I sent Damien the patch a few years ago... There was also a > bug in the server-side code (IIRC, one place where it printed only the > hardcoded version instead of the variable string). I'll try again. > By the way, I may have come off wrong. I'm willing to do the work to update the base version and put it out for review if you would like. Another thing that I did with the port was restore the tcpwrapper support that upstream removed. Again, if we decide it is not worth keeping in base I will remove it as default in the port. I honestly don't have a strong opinion on keeping or removing HPN. It is afterall available in the port and I intend to keep it as an option there. The question is just what the default is. I prefer to keep the port close to the base version by default options. I never liked the idea of having 2 different things in the ecosystem that behave differently, from OpenSSL to OpenSSH, etc. -- Regards, Bryan Drewery signature.asc Description: OpenPGP digital signature
Re: OpenSSH HPN
Bryan Drewerywrites: > Another thing that I did with the port was restore the tcpwrapper > support that upstream removed. Again, if we decide it is not worth > keeping in base I will remove it as default in the port. I want to keep tcpwrapper support - it is another reason why I still haven't upgraded OpenSSH, but to the best of my knowledge, it is far less intrusive than HPN. DES -- Dag-Erling Smørgrav - d...@des.no ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: OpenSSH HPN
On Wed, Nov 11, 2015 at 05:51:25PM +0100, Dag-Erling Smørgrav wrote: > Bryan Drewerywrites: > > Another thing that I did with the port was restore the tcpwrapper > > support that upstream removed. Again, if we decide it is not worth > > keeping in base I will remove it as default in the port. > > I want to keep tcpwrapper support - it is another reason why I still > haven't upgraded OpenSSH, but to the best of my knowledge, it is far > less intrusive than HPN. Can you explain what is problem? I am see openssh in base and openssh in ports (more recent version) with same functionaly patches. You talk about trouble to upgrade. What is root? openssh in base have different vendor and/or license? Or something else? PS: As I today know, kerberos heimdal is practicaly dead as opensource project. Have FreeBSD planed switch to MIT Kerberos? I am know about security/krb5. ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: OpenSSH HPN
On 11/11/2015 8:51 AM, Dag-Erling Smørgrav wrote: > Bryan Drewerywrites: >> Another thing that I did with the port was restore the tcpwrapper >> support that upstream removed. Again, if we decide it is not worth >> keeping in base I will remove it as default in the port. > > I want to keep tcpwrapper support - it is another reason why I still > haven't upgraded OpenSSH, but to the best of my knowledge, it is far > less intrusive than HPN. > Yes, it's very small. /usr/ports/security/openssh-portable/files/extra-patch-tcpwrappers -- Regards, Bryan Drewery signature.asc Description: OpenPGP digital signature
Re: OpenSSH HPN
On 11/11/2015 7:49 AM, Daniel Kalchev wrote: > It is my understanding, that using the NONE cypher is not identical to using > “the old tools” (rsh/rlogin/rcp). > > When ssh uses the NONE cypher, credentials and authorization are still > encrypted and verified. Only the actual data payload is not encrypted. > > Perhaps similar level of security could be achieved by “the old tools” if > they were by default compiled with Kerberos. Although, this still requires > building additional infrastructure. > > I must have missed the explanation. But why having a NONE cypher compiled in, > but disabled in the configuration is a bad idea? My reasoning for wanting SSH/SCP with NONE is precisely because of the ssh key support. It simplifies a lot to be able to use the same key over a VPN and not over the VPN to connect to the same system. -- Regards, Bryan Drewery signature.asc Description: OpenPGP digital signature
Re: OpenSSH HPN
> On 11 Nov 2015, at 16:53 , Bryan Drewerywrote: > > On 11/11/2015 8:51 AM, Dag-Erling Smørgrav wrote: >> Bryan Drewery writes: >>> Another thing that I did with the port was restore the tcpwrapper >>> support that upstream removed. Again, if we decide it is not worth >>> keeping in base I will remove it as default in the port. >> >> I want to keep tcpwrapper support - it is another reason why I still >> haven't upgraded OpenSSH, but to the best of my knowledge, it is far >> less intrusive than HPN. >> > > Yes, it's very small. > /usr/ports/security/openssh-portable/files/extra-patch-tcpwrappers And thanks to both of you for keeping it. It’s often the best you can get if you have machines which run w/o firewalls. Just wanted to say “thanks”! /bz ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: OpenSSH HPN
On 11/11/15 7:56 PM, Dag-Erling Smørgrav wrote: Julian Elischerwrites: The inclusion of the HPN patches meant that we could drop a custom unsupported HPN enabled ssh from our build process. It makes ssh actually usable. Define "usable". Does it actually make a measurable difference with the latest OpenSSH? And if HPN is so important to you, is there a reason why you can't use the port? useable.. able to use more than 5% of the available bandwidth. Our environment is not freeBSD exactly. many ports won't compile and we don't have ports in our setup (I didn't do it.. don't blame me) But we do and can compile FreeBSD sourcers so ssh from src is an easy recompile or just a binary drop in. We used to do it by hand from sources ftp'd from OpenBSD and compiled straight (no ports), but since it came to have HPN all that went away because the in-tree one worked for us. Now we'll have to resurrect all that framework and pain. have you mentioned this plan to Brooks? Didn't he add it? DES ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: OpenSSH HPN
On Tue, Nov 10, 2015 at 09:52:16AM -0800, John-Mark Gurney wrote: > Dag-Erling Smrgrav wrote this message on Tue, Nov 10, 2015 at 10:42 +0100: > > Therefore, I would like to remove the HPN patches from base and refer > > anyone who really needs them to the openssh-portable port, which has > > them as a default option. I would also like to remove the NONE cipher > > patch, which is also available in the port (off by default, just like in > > base). > > My vote is to remove the HPN patches. First, the NONE cipher made more > sense back when we didn't have AES-NI widely available, and you were > seriously limited by it's performance. Now we have both aes-gcm and > chacha-poly which it's performance should be more than acceptable for > today's uses (i.e. cipher performance is 2GB/sec+). > > Second, I did some testing recently due to a thread on -net, and I > found no significant (not run statistically though) difference in > performance between in HEAD ssh and OpenSSH 7.1p1. I started a wiki > page to talk about this: > https://wiki.freebsd.org/SSHPerf Hmm, I see in this page max speed 20MB/sec. This is too small. What is problem? With modern 40G NIC wanted speed about 20Gbit/s. 10Gbit/s at least. ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: OpenSSH HPN
On Tue, Nov 10, 2015 at 11:59:30PM -0800, John-Mark Gurney wrote: > Ben Woods wrote this message on Wed, Nov 11, 2015 at 15:40 +0800: > > On Wednesday, 11 November 2015, Bryan Drewerywrote: > > > > > On 11/10/15 9:52 AM, John-Mark Gurney wrote: > > > > My vote is to remove the HPN patches. First, the NONE cipher made more > > > > sense back when we didn't have AES-NI widely available, and you were > > > > seriously limited by it's performance. Now we have both aes-gcm and > > > > chacha-poly which it's performance should be more than acceptable for > > > > today's uses (i.e. cipher performance is 2GB/sec+). > > > > > > AES-NI doesn't help the absurdity of double-encrypting when using scp or > > > rsync/ssh over an encrypted VPN, which is where NONE makes sense to use > > > for me. > > > > I have to agree that there are cases when the NONE cipher makes sense, and > > it is up to the end user to make sure they know what they are doing. > > > > Personally I have used it at home to backup my old FreeBSD server (which > > does not have AESNI) over a dedicated network connection to a backup server > > using rsync/ssh. Since it was not possible for anyone else to be on that > > local network, and the server was so old it didn't have AESNI and would > > soon be retired, using the NONE cipher sped up the transfer significantly. > > If you have a trusted network, why not just use nc? I think you kidding: - scp need only one command on initiator side and no additional setup on target. simple, well know. - nc need additional work on target, need synchronization for file names with target, also need ssh to target for start, etc... Too complex. ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: OpenSSH HPN
Julian Elischerwrites: > Bob Bishop writes: > > Is removing HPN going to impact the performance of tunnelled X > > connexions? > yes if your rtt is greater than about 85 mSec With an RTT of 85 ms, X is unusable with or without HPN. DES -- Dag-Erling Smørgrav - d...@des.no ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: OpenSSH HPN
Julian Elischerwrites: > Now we'll have to resurrect all that framework and pain. I guess pain is fine as long as it's not yours... > have you mentioned this plan to Brooks? Didn't he add it? These are public lists, but by all means, mention it to him if he hasn't noticed this thread. DES -- Dag-Erling Smørgrav - d...@des.no ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: OpenSSH HPN
It is my understanding, that using the NONE cypher is not identical to using “the old tools” (rsh/rlogin/rcp). When ssh uses the NONE cypher, credentials and authorization are still encrypted and verified. Only the actual data payload is not encrypted. Perhaps similar level of security could be achieved by “the old tools” if they were by default compiled with Kerberos. Although, this still requires building additional infrastructure. I must have missed the explanation. But why having a NONE cypher compiled in, but disabled in the configuration is a bad idea? Daniel > On 11.11.2015 г., at 10:55, Jason Birchwrote: > > On Wed, Nov 11, 2015 at 6:59 PM, John-Mark Gurney wrote: >> If you have a trusted network, why not just use nc? > > Perhaps more generally relevant is that ssh/scp are *waves hands* vaguely > analogous to secure versions of rsh/rlogin/rcp. I'd think that most cases > of "I wanted to send files and invoke some commands on a remote machine, > and due to $CIRCUMSTANCE I don't need or desire encryption" are covered > by the older, also standard tools. Additionally, rsync can use rsh as its > transport, for users who desire more advanced behaviour. ssh just seems > to have more support; Installation will ask you if you'd like to run sshd > (not rshd), ssh is rather ubiquitous as a way of "doing a thing remotely" > (even in Windows soon!), etc. This is a good default to have; the > overhead of security is tiny in nearly all cases. > > It would seem then that the extra complexity of maintenance development > in supporting NONE in base doesn't really grant us any additional > functionality in most cases. It's just more 'obvious'. > ___ > freebsd-current@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-current > To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org" ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: OpenSSH HPN
On Wed, Nov 11, 2015 at 6:59 PM, John-Mark Gurneywrote: > If you have a trusted network, why not just use nc? Perhaps more generally relevant is that ssh/scp are *waves hands* vaguely analogous to secure versions of rsh/rlogin/rcp. I'd think that most cases of "I wanted to send files and invoke some commands on a remote machine, and due to $CIRCUMSTANCE I don't need or desire encryption" are covered by the older, also standard tools. Additionally, rsync can use rsh as its transport, for users who desire more advanced behaviour. ssh just seems to have more support; Installation will ask you if you'd like to run sshd (not rshd), ssh is rather ubiquitous as a way of "doing a thing remotely" (even in Windows soon!), etc. This is a good default to have; the overhead of security is tiny in nearly all cases. It would seem then that the extra complexity of maintenance development in supporting NONE in base doesn't really grant us any additional functionality in most cases. It's just more 'obvious'. ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: OpenSSH HPN
Ben Woodswrites: > Personally I have used it at home to backup my old FreeBSD server > (which does not have AESNI) over a dedicated network connection to a > backup server using rsync/ssh. Since it was not possible for anyone > else to be on that local network, and the server was so old it didn't > have AESNI and would soon be retired, using the NONE cipher sped up > the transfer significantly. In that scenario, you don't need ssh at all. Just set up rsyncd on the backup server. DES -- Dag-Erling Smørgrav - d...@des.no ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: OpenSSH HPN
Julian Elischerwrites: > The inclusion of the HPN patches meant that we could drop a custom > unsupported HPN enabled ssh from our build process. It makes ssh > actually usable. Define "usable". Does it actually make a measurable difference with the latest OpenSSH? And if HPN is so important to you, is there a reason why you can't use the port? DES -- Dag-Erling Smørgrav - d...@des.no ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: OpenSSH HPN
On 11/11/15 09:27, Ben Woods wrote: On Wednesday, 11 November 2015, John-Mark Gurneywrote: Ben Woods wrote this message on Wed, Nov 11, 2015 at 15:40 +0800: I have to agree that there are cases when the NONE cipher makes sense, and it is up to the end user to make sure they know what they are doing. Personally I have used it at home to backup my old FreeBSD server (which does not have AESNI) over a dedicated network connection to a backup server using rsync/ssh. Since it was not possible for anyone else to be on that local network, and the server was so old it didn't have AESNI and would soon be retired, using the NONE cipher sped up the transfer significantly. If you have a trusted network, why not just use nc? Honest answer: ignorance of how I can use netcat together with rsync. Sounds like you're looking for rsyncd instead of rsync over ssh (minus encryption). ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
kereros telnet/rlogin/etc. (was Re: OpenSSH HPN)
On Wed, 11 Nov 2015, Daniel Kalchev wrote: > > Perhaps similar level of security could be achieved by “the old tools” > if they were by default compiled with Kerberos. Although, this still > requires building additional infrastructure. The kerberized versions of the old tools are basically unsupported upstream at this point. Telnet is actively insecure, being limited to single-DES; rlogin may be somewhat better but it's still not looking very good. ssh is better because it speaks GSS-API instead of raw kerberos, and can thus keeps up with newer crypto automatically. When I was working at MIT, I considered making a final release of the krb5-appl distribution, so as to include in the release announcement that they were not going to be supported further, but could not even bring myself to do that. They are not in Debian anymore, and I expect them to dwindle from other distributions, too. Let the "old tools" grow old and retire. -Ben ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: OpenSSH HPN
On Wed, Nov 11, 2015 at 10:18:08AM -0800, Bryan Drewery wrote: > On 11/11/2015 10:13 AM, Slawa Olhovchenkov wrote: > > On Wed, Nov 11, 2015 at 05:51:25PM +0100, Dag-Erling Smørgrav wrote: > > > >> Bryan Drewerywrites: > >>> Another thing that I did with the port was restore the tcpwrapper > >>> support that upstream removed. Again, if we decide it is not worth > >>> keeping in base I will remove it as default in the port. > >> > >> I want to keep tcpwrapper support - it is another reason why I still > >> haven't upgraded OpenSSH, but to the best of my knowledge, it is far > >> less intrusive than HPN. > > > > Can you explain what is problem? > > I am see openssh in base and openssh in ports (more recent version) > > with same functionaly patches. > > You talk about trouble to upgrade. What is root? > > openssh in base have different vendor and/or license? > > Or something else? > > > > PS: As I today know, kerberos heimdal is practicaly dead as opensource > > project. Have FreeBSD planed switch to MIT Kerberos? > > I am know about security/krb5. > > > > IMHO the problem comes down to time. Patching an upstream project > increases maintenance cost for upgrading it. Every patch adds up. When > you become busy and don't have time to pay attention to every little > change made in a release, hearing 'removed tcpwrappers support' or > 'refactored the code for libssh usage' makes it sound like 1 more > thing you must deal with to upgrade that code base and more effort to > validate that your patches are right. We obviously don't want to just > drop in the latest code and throw it out there as broken. SSH is quite > critical and we want to ensure our changes are still right, and that > doing something like adding tcpwrappers back in won't introduce some > security bug that upstream was coy about. Some for as ports version? Or ports version different? Or port mantainer have more time (this is not to blame for DES)? I am just don't know what is different between port ssh and base ssh. We need ssh 6.x in base, not 7.x as in port (why?) and this is need independed work on pathes? I am missing somehow commonplace for others. ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: OpenSSH HPN
On 11/11/2015 3:56 PM, Slawa Olhovchenkov wrote: > On Wed, Nov 11, 2015 at 10:18:08AM -0800, Bryan Drewery wrote: > >> On 11/11/2015 10:13 AM, Slawa Olhovchenkov wrote: >>> On Wed, Nov 11, 2015 at 05:51:25PM +0100, Dag-Erling Smørgrav wrote: >>> Bryan Drewerywrites: > Another thing that I did with the port was restore the tcpwrapper > support that upstream removed. Again, if we decide it is not worth > keeping in base I will remove it as default in the port. I want to keep tcpwrapper support - it is another reason why I still haven't upgraded OpenSSH, but to the best of my knowledge, it is far less intrusive than HPN. >>> >>> Can you explain what is problem? >>> I am see openssh in base and openssh in ports (more recent version) >>> with same functionaly patches. >>> You talk about trouble to upgrade. What is root? >>> openssh in base have different vendor and/or license? >>> Or something else? >>> >>> PS: As I today know, kerberos heimdal is practicaly dead as opensource >>> project. Have FreeBSD planed switch to MIT Kerberos? >>> I am know about security/krb5. >>> >> >> IMHO the problem comes down to time. Patching an upstream project >> increases maintenance cost for upgrading it. Every patch adds up. When >> you become busy and don't have time to pay attention to every little >> change made in a release, hearing 'removed tcpwrappers support' or >> 'refactored the code for libssh usage' makes it sound like 1 more >> thing you must deal with to upgrade that code base and more effort to >> validate that your patches are right. We obviously don't want to just >> drop in the latest code and throw it out there as broken. SSH is quite >> critical and we want to ensure our changes are still right, and that >> doing something like adding tcpwrappers back in won't introduce some >> security bug that upstream was coy about. > > Some for as ports version? > Or ports version different? > Or port mantainer have more time (this is not to blame for DES)? > I am just don't know what is different between port ssh and base ssh. > We need ssh 6.x in base, not 7.x as in port (why?) and this is need > independed work on pathes? > I am missing somehow commonplace for others. > I am the ports maintainer. That was my opinion on why OpenSSH falls behind. There is no real difference between the base and port version except that the port version has some more optional patches, and is easier to push updates for through ports and packages, rather than an Errata through freebsd-update or a full release to get to the latest OpenSSH version. There have been many times where the base version was more up-to-date than the port as well due to the lack of a maintainer or the previously mentioned patch blockers. -- Regards, Bryan Drewery signature.asc Description: OpenPGP digital signature
Re: OpenSSH HPN
On Wed, Nov 11, 2015 at 03:58:35PM -0800, Bryan Drewery wrote: > > Some for as ports version? > > Or ports version different? > > Or port mantainer have more time (this is not to blame for DES)? > > I am just don't know what is different between port ssh and base ssh. > > We need ssh 6.x in base, not 7.x as in port (why?) and this is need > > independed work on pathes? > > I am missing somehow commonplace for others. > > > > I am the ports maintainer. That was my opinion on why OpenSSH falls > behind. There is no real difference between the base and port version > except that the port version has some more optional patches, and is > easier to push updates for through ports and packages, rather than an > Errata through freebsd-update or a full release to get to the latest > OpenSSH version. This impact only to deploy, not to patch, right? Or bugs found around NPH/NONE patches? > There have been many times where the base version was more up-to-date > than the port as well due to the lack of a maintainer or the previously > mentioned patch blockers. ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: OpenSSH HPN
On Wed, Nov 11, 2015 at 01:32:27PM -0800, Bryan Drewery wrote: > On 11/10/2015 1:42 AM, Dag-Erling Smørgrav wrote: > > I would also like to remove the NONE cipher > > patch, which is also available in the port (off by default, just like in > > base). > > Fun fact, it's been broken in the port for several months with no > complaints. It was just reported and fixed upstream in the last day and > I wrote in a similar fix in the port. That speaks a lot about its usage > in the port currently. I am try using NPH/NONE with base ssh and confused: don't see performance rise, too complex to enable and too complex for use. ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: OpenSSH HPN
On 11/11/15 4:05 PM, Slawa Olhovchenkov wrote: > On Wed, Nov 11, 2015 at 03:58:35PM -0800, Bryan Drewery wrote: > >>> Some for as ports version? >>> Or ports version different? >>> Or port mantainer have more time (this is not to blame for DES)? >>> I am just don't know what is different between port ssh and base ssh. >>> We need ssh 6.x in base, not 7.x as in port (why?) and this is need >>> independed work on pathes? >>> I am missing somehow commonplace for others. >>> >> >> I am the ports maintainer. That was my opinion on why OpenSSH falls >> behind. There is no real difference between the base and port version >> except that the port version has some more optional patches, and is >> easier to push updates for through ports and packages, rather than an >> Errata through freebsd-update or a full release to get to the latest >> OpenSSH version. > > This impact only to deploy, not to patch, right? It's harder to maintain the port version due to how the patches are applied and generated. That's only my problem though. > Or bugs found around NPH/NONE patches? > >> There have been many times where the base version was more up-to-date >> than the port as well due to the lack of a maintainer or the previously >> mentioned patch blockers. -- Regards, Bryan Drewery ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: OpenSSH HPN
On Wed, 11 Nov 2015, Dag-Erling Sm?rgrav wrote: I want to keep tcpwrapper support - it is another reason why I still haven't upgraded OpenSSH, but to the best of my knowledge, it is far less intrusive than HPN. There's also inetd's tcpwrapper support if you call sshd from inetd for D/DOS protection. Inetd and its rate-limiting flags are strongly recommended for security-minded systems. Starting sshd from rc.d should never have been made the default, IMO, as keygen delays are rarely relevant and weren't even back in the days of 300MHz CPUs (18 years ago). The only reason inetd is not more widely used today is that many sysadmins aren't familiar with it. Roger Marquis ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: OpenSSH HPN
Ben Woods wrote this message on Wed, Nov 11, 2015 at 16:27 +0800: > On Wednesday, 11 November 2015, John-Mark Gurneywrote: > > > Ben Woods wrote this message on Wed, Nov 11, 2015 at 15:40 +0800: > > > I have to agree that there are cases when the NONE cipher makes sense, > > and > > > it is up to the end user to make sure they know what they are doing. > > > > > > Personally I have used it at home to backup my old FreeBSD server (which > > > does not have AESNI) over a dedicated network connection to a backup > > server > > > using rsync/ssh. Since it was not possible for anyone else to be on that > > > local network, and the server was so old it didn't have AESNI and would > > > soon be retired, using the NONE cipher sped up the transfer > > significantly. > > > > If you have a trusted network, why not just use nc? > > Honest answer: ignorance of how I can use netcat together with rsync. A quick google of rsync nc, turned up method 2 & 4 from: https://rsync.samba.org/firewall.html -- John-Mark Gurney Voice: +1 415 225 5579 "All that I will do, has been done, All that I have, has not." ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: OpenSSH HPN
On Wed, Nov 11, 2015 at 07:18:31PM +0100, Dag-Erling Smørgrav wrote: > Slawa Olhovchenkovwrites: > > Can you explain what is problem? > > Radical suggestion: read the first email in the thread. I am read and don't understund (you talk about trouble of maintaining the HPN patches). I see patched version in ports. This version maintaining. What is problem? Differnt openssh? Quality of patches? Different branches? ports branch is worse (by some reaason) base branch? > > PS: As I today know, kerberos heimdal is practicaly dead as opensource > > project. Have FreeBSD planed switch to MIT Kerberos? I am know about > > security/krb5. > > We switched from MIT to Heimdal at some point in the past for some > reason I don't remember. MIT and Heimdal are *not* interchangeable at I think because MIT stop development in the past. > the source or binary level, so switching back is not trivial. I am know about this. ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: OpenSSH HPN
Daniel Kalchev wrote this message on Wed, Nov 11, 2015 at 17:49 +0200: > It is my understanding, that using the NONE cypher is not identical to using > ???the old tools??? (rsh/rlogin/rcp). > > When ssh uses the NONE cypher, credentials and authorization are still > encrypted and verified. Only the actual data payload is not encrypted. Except the point is that you ALREADY trust your network, so you don't need to encrypt the credentials and authorizations, otherwise, why are you running unencrypted payloads? In fact, if you aren't running at least a MAC, or a final verify, and you're transfering large amounts of data (multiple gigabytes), the data can and will likely be corrupted... See: http://noahdavids.org/self_published/CRC_and_checksum.html Having not used the NONE cipher, I don't know if the MAC is also removed or not... Either way, the MAC is still the long poll when it comes to encryption w/ AES-NI... -- John-Mark Gurney Voice: +1 415 225 5579 "All that I will do, has been done, All that I have, has not." ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: OpenSSH HPN
On Tue, Nov 10, 2015 at 04:40:42PM -0800, Bryan Drewery wrote: > On 11/10/15 1:42 AM, Dag-Erling Sm??rgrav wrote: > > Some of you may have noticed that OpenSSH in base is lagging far behind > > the upstream code. > > > > The main reason for this is the burden of maintaining the HPN patches. > > They are extensive, very intrusive, and touch parts of the OpenSSH code > > that change significantly in every release. Since they are not > > regularly updated, I have to choose between trying to resolve the > > conflicts myself (hoping I don't break anything) or waiting for them to > > catch up and then figuring out how to apply the new version. > > > > Therefore, I would like to remove the HPN patches from base and refer > > anyone who really needs them to the openssh-portable port, which has > > them as a default option. I would also like to remove the NONE cipher > > patch, which is also available in the port (off by default, just like in > > base). > > I had this same problem as well, but have since reworked the HPN patch > for ports to be more easily maintained. I've considered offering or > just updating the base SSH, but have not since we have random changes in > the HPN functionality in base that would be lost. We for some reason > decided we were going to maintain our own version and not even upstream > the changes to the HPN authors which has contributed to this situation. We had ever intention of upstreaming our cleaned up HPN patches and some interest from OpenSSH devs to take the window scaling portion of the patch upstream, but other things intruded and we never found time to complete that work. I think both the window scaling and NONE cipher changes are useful, but do not have time to do anything with them. I'm fine with them being removed from base and replaced or just dropped if they are in the way of progress. -- Brooks signature.asc Description: PGP signature
Re: OpenSSH HPN
On 11/10/2015 1:42 AM, Dag-Erling Smørgrav wrote: > I would also like to remove the NONE cipher > patch, which is also available in the port (off by default, just like in > base). Fun fact, it's been broken in the port for several months with no complaints. It was just reported and fixed upstream in the last day and I wrote in a similar fix in the port. That speaks a lot about its usage in the port currently. -- Regards, Bryan Drewery signature.asc Description: OpenPGP digital signature
Re: OpenSSH HPN
Ben Woods wrote this message on Wed, Nov 11, 2015 at 15:40 +0800: > On Wednesday, 11 November 2015, Bryan Drewerywrote: > > > On 11/10/15 9:52 AM, John-Mark Gurney wrote: > > > My vote is to remove the HPN patches. First, the NONE cipher made more > > > sense back when we didn't have AES-NI widely available, and you were > > > seriously limited by it's performance. Now we have both aes-gcm and > > > chacha-poly which it's performance should be more than acceptable for > > > today's uses (i.e. cipher performance is 2GB/sec+). > > > > AES-NI doesn't help the absurdity of double-encrypting when using scp or > > rsync/ssh over an encrypted VPN, which is where NONE makes sense to use > > for me. > > I have to agree that there are cases when the NONE cipher makes sense, and > it is up to the end user to make sure they know what they are doing. > > Personally I have used it at home to backup my old FreeBSD server (which > does not have AESNI) over a dedicated network connection to a backup server > using rsync/ssh. Since it was not possible for anyone else to be on that > local network, and the server was so old it didn't have AESNI and would > soon be retired, using the NONE cipher sped up the transfer significantly. If you have a trusted network, why not just use nc? -- John-Mark Gurney Voice: +1 415 225 5579 "All that I will do, has been done, All that I have, has not." ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: OpenSSH HPN
On Tue, Nov 10, 2015, at 05:25, Willem Jan Withagen wrote: > On 10-11-2015 12:11, Dag-Erling Smørgrav wrote: > > Willem Jan Withagenwrites: > >> Digging in my logfiles , and its things like: > >> sshd[84942]: Disconnecting: Too many authentication failures [preauth] > >> > >> So errors/warnings without IP-nr. > >> > >> And I think I fixed it on one server to also write: > >> error: maximum authentication attempts exceeded for root from > >> 173.254.203.88 port 1042 ssh2 [preauth] > > > > fail2ban should catch both of these since sshd will print a message for > > each failed authentication attempt before it prints a message about > > reaching the limit. > > It's already too long to remember the full facts, but when I was looking > at the parser in sshguard, I think I noticed that certain accesses > weren't logged and added some more logging rules to catch those. > > What I still have lingering is this snippet: > Index: crypto/openssh/packet.c > === > --- crypto/openssh/packet.c (revision 289060) > +++ crypto/openssh/packet.c (working copy) > @@ -1128,8 +1128,10 @@ > logit("Connection closed by %.200s", > get_remote_ipaddr()); > cleanup_exit(255); > } > - if (len < 0) > + if (len < 0) { > + logit("Read from socket failed: %.200s", > get_remote_ipaddr()); > fatal("Read from socket failed: %.100s", > strerror(errno)); > + } > /* Append it to the buffer. */ > packet_process_incoming(buf, len); > } > > But like I said: The code I found at openssh was so totally different > that I did not continued this track, but chose to start running openssh > from ports. Which does not generate warnings I have questions about the > originating ip-nr. > > >> Are they still willing to accept changes to the old version that is > >> currently in base? > > > > No, why would they do that? > > Exactly my question > I guess I misinterpreted your suggestion on upstreaming patches. > > --WjW > I honestly think everyone would be better served by porting blacklistd from NetBSD than trying to increase verbosity for log files. -- Mark Felder ports-secteam member f...@freebsd.org ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: OpenSSH HPN
On 2015-11-10 11:02, Mark Felder wrote: > > > On Tue, Nov 10, 2015, at 05:25, Willem Jan Withagen wrote: >> On 10-11-2015 12:11, Dag-Erling Smørgrav wrote: >>> Willem Jan Withagenwrites: Digging in my logfiles , and its things like: sshd[84942]: Disconnecting: Too many authentication failures [preauth] So errors/warnings without IP-nr. And I think I fixed it on one server to also write: error: maximum authentication attempts exceeded for root from 173.254.203.88 port 1042 ssh2 [preauth] >>> >>> fail2ban should catch both of these since sshd will print a message for >>> each failed authentication attempt before it prints a message about >>> reaching the limit. >> >> It's already too long to remember the full facts, but when I was looking >> at the parser in sshguard, I think I noticed that certain accesses >> weren't logged and added some more logging rules to catch those. >> >> What I still have lingering is this snippet: >> Index: crypto/openssh/packet.c >> === >> --- crypto/openssh/packet.c (revision 289060) >> +++ crypto/openssh/packet.c (working copy) >> @@ -1128,8 +1128,10 @@ >> logit("Connection closed by %.200s", >> get_remote_ipaddr()); >> cleanup_exit(255); >> } >> - if (len < 0) >> + if (len < 0) { >> + logit("Read from socket failed: %.200s", >> get_remote_ipaddr()); >> fatal("Read from socket failed: %.100s", >> strerror(errno)); >> + } >> /* Append it to the buffer. */ >> packet_process_incoming(buf, len); >> } >> >> But like I said: The code I found at openssh was so totally different >> that I did not continued this track, but chose to start running openssh >> from ports. Which does not generate warnings I have questions about the >> originating ip-nr. >> Are they still willing to accept changes to the old version that is currently in base? >>> >>> No, why would they do that? >> >> Exactly my question >> I guess I misinterpreted your suggestion on upstreaming patches. >> >> --WjW >> > > I honestly think everyone would be better served by porting blacklistd > from NetBSD than trying to increase verbosity for log files. > > I have been using HPN + NONE for a few years and find them quite useful, but it is easier to install openssh-portable and run that than to recompile the base system to enable the NONE cipher, so I have no objection to removing the patches from base. The useful logging feature that comes with the newer version of openssh, is logging which SSH key the user authenticated with. -- Allan Jude signature.asc Description: OpenPGP digital signature
Re: OpenSSH HPN
Dag-Erling Smrgrav wrote this message on Tue, Nov 10, 2015 at 10:42 +0100: > Therefore, I would like to remove the HPN patches from base and refer > anyone who really needs them to the openssh-portable port, which has > them as a default option. I would also like to remove the NONE cipher > patch, which is also available in the port (off by default, just like in > base). My vote is to remove the HPN patches. First, the NONE cipher made more sense back when we didn't have AES-NI widely available, and you were seriously limited by it's performance. Now we have both aes-gcm and chacha-poly which it's performance should be more than acceptable for today's uses (i.e. cipher performance is 2GB/sec+). Second, I did some testing recently due to a thread on -net, and I found no significant (not run statistically though) difference in performance between in HEAD ssh and OpenSSH 7.1p1. I started a wiki page to talk about this: https://wiki.freebsd.org/SSHPerf Feel free to add to the page any more info. There are other apparent issues w/ ssh that keeps it's performance low on high latency links, but I haven't spend the time to figure out what they are, but in my testing HPN did not increase performance to make use of the fat but high latency link. So, if it's not increasing performance and making us fall behind, why bother with the trouble of keeping the patch? If someone is willing to spend the time doing benchmarks, and prove that the HPN patches do make a difference, I'm willing to work with them to figure out why my tests didn't work and change my vote. I also believe that the defaults should be enough, if you have to tune or enable features, then you can install from ports or compile yourself. -- John-Mark Gurney Voice: +1 415 225 5579 "All that I will do, has been done, All that I have, has not." ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: OpenSSH HPN
On 11/10/15 1:42 AM, Dag-Erling Smørgrav wrote: Some of you may have noticed that OpenSSH in base is lagging far behind the upstream code. The main reason for this is the burden of maintaining the HPN patches. They are extensive, very intrusive, and touch parts of the OpenSSH code that change significantly in every release. Since they are not regularly updated, I have to choose between trying to resolve the conflicts myself (hoping I don't break anything) or waiting for them to catch up and then figuring out how to apply the new version. Therefore, I would like to remove the HPN patches from base and refer anyone who really needs them to the openssh-portable port, which has them as a default option. I would also like to remove the NONE cipher patch, which is also available in the port (off by default, just like in base). My current employer is a big proponent of HPN (see http://fasterdata.es.net/data-transfer-tools/scp-and-sftp/). However, I agree that the difficulty of patching to the changing upstream is significant. Frankly, I am quite impressed that you have been able to keep up with it for this long. I would be more than happy if the HPN patches continued to be in the port version and base were able to keep up with the upstream by removing the HPN dependency. There will be some places where we will notice the difference in performance; in those cases we will install the HPN-patched port. michael ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: OpenSSH HPN
Mark Felder wrote on 11/10/2015 17:02: [...] But like I said: The code I found at openssh was so totally different that I did not continued this track, but chose to start running openssh from ports. Which does not generate warnings I have questions about the originating ip-nr. Are they still willing to accept changes to the old version that is currently in base? No, why would they do that? Exactly my question I guess I misinterpreted your suggestion on upstreaming patches. --WjW I honestly think everyone would be better served by porting blacklistd from NetBSD than trying to increase verbosity for log files. I didn't know blacklistd. It seems very interesting. It would be nice if somebody will port it to FreeBSD. Miroslav Lachman ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
OpenSSH HPN
Some of you may have noticed that OpenSSH in base is lagging far behind the upstream code. The main reason for this is the burden of maintaining the HPN patches. They are extensive, very intrusive, and touch parts of the OpenSSH code that change significantly in every release. Since they are not regularly updated, I have to choose between trying to resolve the conflicts myself (hoping I don't break anything) or waiting for them to catch up and then figuring out how to apply the new version. Therefore, I would like to remove the HPN patches from base and refer anyone who really needs them to the openssh-portable port, which has them as a default option. I would also like to remove the NONE cipher patch, which is also available in the port (off by default, just like in base). DES -- Dag-Erling Smørgrav - d...@des.no ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: OpenSSH HPN
On 10/11/2015 8:42 PM, Dag-Erling Smørgrav wrote: > Some of you may have noticed that OpenSSH in base is lagging far behind > the upstream code. > > The main reason for this is the burden of maintaining the HPN patches. > They are extensive, very intrusive, and touch parts of the OpenSSH code > that change significantly in every release. Since they are not > regularly updated, I have to choose between trying to resolve the > conflicts myself (hoping I don't break anything) or waiting for them to > catch up and then figuring out how to apply the new version. > > Therefore, I would like to remove the HPN patches from base and refer > anyone who really needs them to the openssh-portable port, which has > them as a default option. I would also like to remove the NONE cipher > patch, which is also available in the port (off by default, just like in > base). > > DES > I for one, support our new consistent-with-upstream, improved-productivity and lower-risk-for-regressions-in-base overlords. ./koobs ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: OpenSSH HPN
On 10-11-2015 10:42, Dag-Erling Smørgrav wrote: Some of you may have noticed that OpenSSH in base is lagging far behind the upstream code. The main reason for this is the burden of maintaining the HPN patches. They are extensive, very intrusive, and touch parts of the OpenSSH code that change significantly in every release. Since they are not regularly updated, I have to choose between trying to resolve the conflicts myself (hoping I don't break anything) or waiting for them to catch up and then figuring out how to apply the new version. Therefore, I would like to remove the HPN patches from base and refer anyone who really needs them to the openssh-portable port, which has them as a default option. I would also like to remove the NONE cipher patch, which is also available in the port (off by default, just like in base). Hi Des, I know I've installed the ports once to see if, and how I would be able to add more IP-address infor to some of the warnings and errors. And then to get thos errors recognised by tools like sshguard and fail2ban. Only to find out that the code in that area in ports is completely different from what is in base. And submitting "patches" for that, even upstream, would be faily useless. So I understand the trouble you might have in getting other stuff in as well Getting the base version more inline with ports would be a real good thing. I guess you need to manage the fallout that there is going to be from those that expect HPN to be in base, and now suffer preformance issues. --WjW ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: OpenSSH HPN
On Tue, Nov 10, 2015 at 10:42:49AM +0100, Dag-Erling Smørgrav wrote: > Some of you may have noticed that OpenSSH in base is lagging far behind > the upstream code. > > The main reason for this is the burden of maintaining the HPN patches. > They are extensive, very intrusive, and touch parts of the OpenSSH code > that change significantly in every release. Since they are not > regularly updated, I have to choose between trying to resolve the > conflicts myself (hoping I don't break anything) or waiting for them to > catch up and then figuring out how to apply the new version. > > Therefore, I would like to remove the HPN patches from base and refer > anyone who really needs them to the openssh-portable port, which has > them as a default option. I would also like to remove the NONE cipher > patch, which is also available in the port (off by default, just like in > base). I am plan to use NONE and HPN for bulk transfer, but don't see performance improvement, in both cases I see only 500Mbit/s. ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: OpenSSH HPN
On 11/10/15 9:52 AM, John-Mark Gurney wrote: > My vote is to remove the HPN patches. First, the NONE cipher made more > sense back when we didn't have AES-NI widely available, and you were > seriously limited by it's performance. Now we have both aes-gcm and > chacha-poly which it's performance should be more than acceptable for > today's uses (i.e. cipher performance is 2GB/sec+). AES-NI doesn't help the absurdity of double-encrypting when using scp or rsync/ssh over an encrypted VPN, which is where NONE makes sense to use for me. -- Regards, Bryan Drewery ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: OpenSSH HPN
On 11/10/15 3:07 AM, Willem Jan Withagen wrote: > Which when I found out that upstreaming patches from base will be hard, > because the whole logging in the ports version is totally different. No it's not. The HPN patch in the ports version had *extra logging* for a while but that is not the case now. There is nothing different compared to upstream OpenSSH now for logging. -- Regards, Bryan Drewery ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: OpenSSH HPN
On 11/10/15 4:40 PM, Bryan Drewery wrote: > Anyway, reverting the base SSH to stock, and then importing all patches > from the ports default version should result in the same base patches > applied and a working HPN. Actually I am missing the client-side VersionAddendum support (ssh.c). I only have server-side (sshd.c). This is just due to lack of motivation to import the changes. -- Regards, Bryan Drewery ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: OpenSSH HPN
On 11/10/15 1:42 AM, Dag-Erling Smørgrav wrote: > Some of you may have noticed that OpenSSH in base is lagging far behind > the upstream code. > > The main reason for this is the burden of maintaining the HPN patches. > They are extensive, very intrusive, and touch parts of the OpenSSH code > that change significantly in every release. Since they are not > regularly updated, I have to choose between trying to resolve the > conflicts myself (hoping I don't break anything) or waiting for them to > catch up and then figuring out how to apply the new version. > > Therefore, I would like to remove the HPN patches from base and refer > anyone who really needs them to the openssh-portable port, which has > them as a default option. I would also like to remove the NONE cipher > patch, which is also available in the port (off by default, just like in > base). > > DES > I had this same problem as well, but have since reworked the HPN patch for ports to be more easily maintained. I've considered offering or just updating the base SSH, but have not since we have random changes in the HPN functionality in base that would be lost. We for some reason decided we were going to maintain our own version and not even upstream the changes to the HPN authors which has contributed to this situation. Anyway, reverting the base SSH to stock, and then importing all patches from the ports default version should result in the same base patches applied and a working HPN. I've kept the port version up-to-date with all base changes applied as well (short of HPN customizations we made that are not worth keeping) A lot of people pressured me to remove HPN as default from the port (during times that I was too busy to rework the patch for the latest OpenSSH) but I persisted in keeping it due to it being enabled in base. If we really remove it from base I may disable it in the port as well as a default. I personally find the feature worth keeping. Seeing recent benchmarks would be a good idea, but the overall patch is quite simple and non-complex. It's now split up with defines for each feature so they can be disabled at compile time. See /usr/ports/security/openssh-portable/files/extra-patch-hpn. There is HPN_ENABLED and NONE_CIPHER_ENABLED. It's really quite a simple and small patch after removing all of the bogus changes (which I did upstream, and did apply to the base HPN as well) and the logging changes (which were far too intrusive to maintain). -- Regards, Bryan Drewery ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: OpenSSH HPN
Bryan Drewery wrote this message on Tue, Nov 10, 2015 at 16:32 -0800: > On 11/10/15 9:52 AM, John-Mark Gurney wrote: > > My vote is to remove the HPN patches. First, the NONE cipher made more > > sense back when we didn't have AES-NI widely available, and you were > > seriously limited by it's performance. Now we have both aes-gcm and > > chacha-poly which it's performance should be more than acceptable for > > today's uses (i.e. cipher performance is 2GB/sec+). > > AES-NI doesn't help the absurdity of double-encrypting when using scp or > rsync/ssh over an encrypted VPN, which is where NONE makes sense to use > for me. Different layers of protection... Do you disable all encryption when you're transiting trusted networks like your VPN? If you don't, why is that ssh session so special? -- John-Mark Gurney Voice: +1 415 225 5579 "All that I will do, has been done, All that I have, has not." ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: OpenSSH HPN
Willem Jan Withagenwrites: > I know I've installed the ports once to see if, and how I would be > able to add more IP-address infor to some of the warnings and > errors. And then to get thos errors recognised by tools like sshguard > and fail2ban. Do you mean logging IP addresses instead of hostnames? Just turn off UseDNS. It is off by default since 6.8. If you mean adding IP addresses or hostnames to messages that don't already have them, try suggesting it on the openssh-portable mailing list (openssh-unix-...@mindrot.org). DES -- Dag-Erling Smørgrav - d...@des.no ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: OpenSSH HPN
Willem Jan Withagenwrites: > Digging in my logfiles , and its things like: > sshd[84942]: Disconnecting: Too many authentication failures [preauth] > > So errors/warnings without IP-nr. > > And I think I fixed it on one server to also write: > error: maximum authentication attempts exceeded for root from > 173.254.203.88 port 1042 ssh2 [preauth] fail2ban should catch both of these since sshd will print a message for each failed authentication attempt before it prints a message about reaching the limit. > Are they still willing to accept changes to the old version that is > currently in base? No, why would they do that? DES -- Dag-Erling Smørgrav - d...@des.no ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: OpenSSH HPN
On 10-11-2015 12:11, Dag-Erling Smørgrav wrote: Willem Jan Withagenwrites: Digging in my logfiles , and its things like: sshd[84942]: Disconnecting: Too many authentication failures [preauth] So errors/warnings without IP-nr. And I think I fixed it on one server to also write: error: maximum authentication attempts exceeded for root from 173.254.203.88 port 1042 ssh2 [preauth] fail2ban should catch both of these since sshd will print a message for each failed authentication attempt before it prints a message about reaching the limit. It's already too long to remember the full facts, but when I was looking at the parser in sshguard, I think I noticed that certain accesses weren't logged and added some more logging rules to catch those. What I still have lingering is this snippet: Index: crypto/openssh/packet.c === --- crypto/openssh/packet.c (revision 289060) +++ crypto/openssh/packet.c (working copy) @@ -1128,8 +1128,10 @@ logit("Connection closed by %.200s", get_remote_ipaddr()); cleanup_exit(255); } - if (len < 0) + if (len < 0) { + logit("Read from socket failed: %.200s", get_remote_ipaddr()); fatal("Read from socket failed: %.100s", strerror(errno)); + } /* Append it to the buffer. */ packet_process_incoming(buf, len); } But like I said: The code I found at openssh was so totally different that I did not continued this track, but chose to start running openssh from ports. Which does not generate warnings I have questions about the originating ip-nr. Are they still willing to accept changes to the old version that is currently in base? No, why would they do that? Exactly my question I guess I misinterpreted your suggestion on upstreaming patches. --WjW ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: OpenSSH HPN
Willem Jan Withagenwrites: > "Dag-Erling Smørgrav" writes: > > Willem Jan Withagen writes: > > > Are they still willing to accept changes to the old version that > > > is currently in base? > > No, why would they do that? > Exactly my question I guess I misinterpreted your suggestion on > upstreaming patches. I didn't suggest submitting patches, I suggested submitting a feature request. Damien is generally pretty open to suggestions. DES -- Dag-Erling Smørgrav - d...@des.no ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: OpenSSH HPN
Hi, > On 10 Nov 2015, at 09:42, Dag-Erling Smørgravwrote: > > […] > > Therefore, I would like to remove the HPN patches from base and refer > anyone who really needs them to the openssh-portable port, which has > them as a default option. I would also like to remove the NONE cipher > patch, which is also available in the port (off by default, just like in > base). Can’t argue with that. Is removing HPN going to impact the performance of tunnelled X connexions? > DES > -- > Dag-Erling Smørgrav - d...@des.no > ___ > freebsd-current@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-current > To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org" -- Bob Bishop r...@gid.co.uk ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: OpenSSH HPN
On 10-11-2015 11:55, Dag-Erling Smørgrav wrote: > Willem Jan Withagenwrites: >> I know I've installed the ports once to see if, and how I would be >> able to add more IP-address infor to some of the warnings and >> errors. And then to get thos errors recognised by tools like sshguard >> and fail2ban. > > Do you mean logging IP addresses instead of hostnames? Just turn off > UseDNS. It is off by default since 6.8. No not really Digging in my logfiles , and its things like: sshd[84942]: Disconnecting: Too many authentication failures [preauth] So errors/warnings without IP-nr. And I think I fixed it on one server to also write: error: maximum authentication attempts exceeded for root from 173.254.203.88 port 1042 ssh2 [preauth] Which when I found out that upstreaming patches from base will be hard, because the whole logging in the ports version is totally different. > If you mean adding IP addresses or hostnames to messages that don't > already have them, try suggesting it on the openssh-portable mailing > list (openssh-unix-...@mindrot.org). Are they still willing to accept changes to the old version that is currently in base? --WjW ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: OpenSSH HPN
Bob Bishopwrites: > Is removing HPN going to impact the performance of tunnelled X > connexions? I don't think so. It mostly affects the performance of long unidirectional streams (file transfers) whereas the X protocol, as far as I know, is a bidirectional exchange of relatively short messages. It may make a difference for applications that transfer large textures... I don't really know enough about the X protocol to say for certain, but I am typing this in Emacs over a non-HPN SSH connection, and I regularly tunnel Firefox between the same two machines (RHEL 7 desktop at work and FreeBSD 10 desktop at home). DES -- Dag-Erling Smørgrav - d...@des.no ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: OpenSSH HPN
On Wednesday, 11 November 2015, Bryan Drewerywrote: > On 11/10/15 9:52 AM, John-Mark Gurney wrote: > > My vote is to remove the HPN patches. First, the NONE cipher made more > > sense back when we didn't have AES-NI widely available, and you were > > seriously limited by it's performance. Now we have both aes-gcm and > > chacha-poly which it's performance should be more than acceptable for > > today's uses (i.e. cipher performance is 2GB/sec+). > > AES-NI doesn't help the absurdity of double-encrypting when using scp or > rsync/ssh over an encrypted VPN, which is where NONE makes sense to use > for me. > I have to agree that there are cases when the NONE cipher makes sense, and it is up to the end user to make sure they know what they are doing. Personally I have used it at home to backup my old FreeBSD server (which does not have AESNI) over a dedicated network connection to a backup server using rsync/ssh. Since it was not possible for anyone else to be on that local network, and the server was so old it didn't have AESNI and would soon be retired, using the NONE cipher sped up the transfer significantly. If the patch is made easy enough to maintain (as some subsequent posts have implied), I quote the NONE cipher stays. I would even like to see it compiled in by default (but disabled in the default configuration file). That way you wouldn't need a custom compiled base to use it - just edit the config file. Regards, Ben -- -- From: Benjamin Woods woods...@gmail.com ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"