Re: OpenSSH HPN

2015-11-11 Thread Dag-Erling Smørgrav
Bryan Drewery writes: > Actually I am missing the client-side VersionAddendum support (ssh.c). I > only have server-side (sshd.c). This is just due to lack of motivation > to import the changes. Pretty sure I sent Damien the patch a few years ago... There was also a bug

Re: OpenSSH HPN

2015-11-11 Thread Julian Elischer
On 11/10/15 7:16 PM, Dag-Erling Smørgrav wrote: Bob Bishop writes: Is removing HPN going to impact the performance of tunnelled X connexions? yes if your rtt is greater than about 85 mSec I don't know the details but I noticed a big difference. I had thought X wouldn't show

Re: OpenSSH HPN

2015-11-11 Thread Bryan Drewery
On 11/11/2015 1:23 AM, Dag-Erling Smørgrav wrote: > Bryan Drewery writes: >> Actually I am missing the client-side VersionAddendum support (ssh.c). I >> only have server-side (sshd.c). This is just due to lack of motivation >> to import the changes. > > Pretty sure I sent

Re: OpenSSH HPN

2015-11-11 Thread Bryan Drewery
On 11/11/2015 1:04 AM, Dag-Erling Smørgrav wrote: > Ben Woods writes: >> Personally I have used it at home to backup my old FreeBSD server >> (which does not have AESNI) over a dedicated network connection to a >> backup server using rsync/ssh. Since it was not possible for

Re: OpenSSH HPN

2015-11-11 Thread Bryan Drewery
On 11/11/2015 8:51 AM, Dag-Erling Smørgrav wrote: > Bryan Drewery writes: >> Another thing that I did with the port was restore the tcpwrapper >> support that upstream removed. Again, if we decide it is not worth >> keeping in base I will remove it as default in the port. >

Re: OpenSSH HPN

2015-11-11 Thread Bryan Drewery
On 11/10/2015 3:48 AM, Dag-Erling Smørgrav wrote: > Willem Jan Withagen writes: >> "Dag-Erling Smørgrav" writes: >>> Willem Jan Withagen writes: Are they still willing to accept changes to the old version that is currently in base? >>>

Re: OpenSSH HPN

2015-11-11 Thread Slawa Olhovchenkov
On Wed, Nov 11, 2015 at 05:51:25PM +0100, Dag-Erling Smørgrav wrote: > Bryan Drewery writes: > > Another thing that I did with the port was restore the tcpwrapper > > support that upstream removed. Again, if we decide it is not worth > > keeping in base I will remove it as

Re: OpenSSH HPN

2015-11-11 Thread Dag-Erling Smørgrav
Slawa Olhovchenkov writes: > Can you explain what is problem? Radical suggestion: read the first email in the thread. > PS: As I today know, kerberos heimdal is practically dead as opensource > project. Have FreeBSD planed switch to MIT Kerberos? I am know about >

Re: OpenSSH HPN

2015-11-11 Thread Dag-Erling Smørgrav
Bryan Drewery writes: > Another thing that I did with the port was restore the tcpwrapper > support that upstream removed. Again, if we decide it is not worth > keeping in base I will remove it as default in the port. I want to keep tcpwrapper support - it is another reason

Re: OpenSSH HPN

2015-11-11 Thread Daniel Kalchev
It is my understanding, that using the NONE cypher is not identical to using “the old tools” (rsh/rlogin/rcp). When ssh uses the NONE cypher, credentials and authorization are still encrypted and verified. Only the actual data payload is not encrypted. Perhaps similar level of security could

Re: OpenSSH HPN

2015-11-11 Thread Bryan Drewery
On 11/11/2015 7:49 AM, Daniel Kalchev wrote: > It is my understanding, that using the NONE cypher is not identical to using > “the old tools” (rsh/rlogin/rcp). > > When ssh uses the NONE cypher, credentials and authorization are still > encrypted and verified. Only the actual data payload is

Re: OpenSSH HPN

2015-11-11 Thread Dag-Erling Smørgrav
Daniel Kalchev writes: > I must have missed the explanation. But why having a NONE cypher > compiled in, but disabled in the configuration is a bad idea? It increases the cost of maintaining OpenSSH in base noticeably without providing real value unless you are one of the few

Re: OpenSSH HPN

2015-11-11 Thread Roger Marquis
On Wed, 11 Nov 2015, Dag-Erling Smørgrav wrote: I want to keep tcpwrapper support - it is another reason why I still haven't upgraded OpenSSH, but to the best of my knowledge, it is far less intrusive than HPN. There's also inetd's tcpwrapper support if you call sshd from inetd for D/DOS

Re: OpenSSH HPN

2015-11-11 Thread Dag-Erling Smørgrav
Julian Elischer writes: > Now we'll have to resurrect all that framework and pain. I guess pain is fine as long as it's not yours... > have you mentioned this plan to Brooks? Didn't he add it? These are public lists, but by all means, mention it to him if he hasn't noticed

Re: OpenSSH HPN

2015-11-11 Thread Dag-Erling Smørgrav
Julian Elischer writes: > Bob Bishop writes: > > Is removing HPN going to impact the performance of tunnelled X > > connexions? > yes if your rtt is greater than about 85 mSec With an RTT of 85 ms, X is unusable with or without HPN. DES -- Dag-Erling

Re: OpenSSH HPN

2015-11-11 Thread Jason Birch
On Wed, Nov 11, 2015 at 6:59 PM, John-Mark Gurney wrote: > If you have a trusted network, why not just use nc? Perhaps more generally relevant is that ssh/scp are *waves hands* vaguely analogous to secure versions of rsh/rlogin/rcp. I'd think that most cases of "I wanted to

Re: OpenSSH HPN

2015-11-11 Thread Ben Woods
On Wednesday, 11 November 2015, John-Mark Gurney wrote: > Ben Woods wrote this message on Wed, Nov 11, 2015 at 15:40 +0800: > > I have to agree that there are cases when the NONE cipher makes sense, > and > > it is up to the end user to make sure they know what they are doing.

Re: OpenSSH HPN

2015-11-11 Thread Ben Woods
On Wednesday, 11 November 2015, Bryan Drewery wrote: > On 11/10/15 9:52 AM, John-Mark Gurney wrote: > > My vote is to remove the HPN patches. First, the NONE cipher made more > > sense back when we didn't have AES-NI widely available, and you were > > seriously limited by

Re: OpenSSH HPN

2015-11-11 Thread Slawa Olhovchenkov
On Tue, Nov 10, 2015 at 09:52:16AM -0800, John-Mark Gurney wrote: > Dag-Erling Smørgrav wrote this message on Tue, Nov 10, 2015 at 10:42 +0100: > > Therefore, I would like to remove the HPN patches from base and refer > > anyone who really needs them to the openssh-portable port, which has > >

Re: OpenSSH HPN

2015-11-11 Thread Slawa Olhovchenkov
On Tue, Nov 10, 2015 at 11:59:30PM -0800, John-Mark Gurney wrote: > Ben Woods wrote this message on Wed, Nov 11, 2015 at 15:40 +0800: > > On Wednesday, 11 November 2015, Bryan Drewery wrote: > > > > > On 11/10/15 9:52 AM, John-Mark Gurney wrote: > > > > My vote is to

Re: OpenSSH HPN

2015-11-11 Thread Julian Elischer
On 11/11/15 7:56 PM, Dag-Erling Smørgrav wrote: Julian Elischer writes: The inclusion of the HPN patches meant that we could drop a custom unsupported HPN enabled ssh from our build process. It makes ssh actually usable. Define "usable". Does it actually make a

Re: OpenSSH HPN

2015-11-11 Thread Micheas Herman
On Tue, Nov 10, 2015 at 11:59 PM, John-Mark Gurney wrote: > > > > If you have a trusted network, why not just use nc? Defense in depth for starters. The ipfw how to guide I learned from years ago, started with the statement that a firewall should be a shield in front of

Re: OpenSSH HPN

2015-11-11 Thread Dag-Erling Smørgrav
Ben Woods writes: > Personally I have used it at home to backup my old FreeBSD server > (which does not have AESNI) over a dedicated network connection to a > backup server using rsync/ssh. Since it was not possible for anyone > else to be on that local network, and the server

Re: OpenSSH HPN

2015-11-11 Thread Julian Elischer
On 11/10/15 5:42 PM, Dag-Erling Smørgrav wrote: Some of you may have noticed that OpenSSH in base is lagging far behind the upstream code. The main reason for this is the burden of maintaining the HPN patches. They are extensive, very intrusive, and touch parts of the OpenSSH code that change

Re: OpenSSH HPN

2015-11-11 Thread Dag-Erling Smørgrav
Julian Elischer writes: > The inclusion of the HPN patches meant that we could drop a custom > unsupported HPN enabled ssh from our build process. It makes ssh > actually usable. Define "usable". Does it actually make a measurable difference with the latest OpenSSH? And if

Re: OpenSSH HPN

2015-11-11 Thread Robert Simmons
Oh just the opposite of what you're claiming. Did you even read the article about the Beyond Corp project? It is 100% about thinking very hard about trust and making sure that the trust model used doesn't depend on the concept of internal/external network. Also, the type of thinking where two or

Re: OpenSSH HPN

2015-11-11 Thread Bryan Drewery
On 11/11/15 4:05 PM, Slawa Olhovchenkov wrote: > On Wed, Nov 11, 2015 at 03:58:35PM -0800, Bryan Drewery wrote: > >>> Some for as ports version? >>> Or ports version different? >>> Or port maintainer have more time (this is not to blame for DES)? >>> I am just don't know what is different between

Re: OpenSSH HPN

2015-11-11 Thread Bryan Drewery
On 11/11/2015 3:56 PM, Slawa Olhovchenkov wrote: > On Wed, Nov 11, 2015 at 10:18:08AM -0800, Bryan Drewery wrote: > >> On 11/11/2015 10:13 AM, Slawa Olhovchenkov wrote: >>> On Wed, Nov 11, 2015 at 05:51:25PM +0100, Dag-Erling Smørgrav wrote: >>> Bryan Drewery writes:

kerberos telnet/rlogin/etc. (was Re: OpenSSH HPN)

2015-11-11 Thread Benjamin Kaduk
On Wed, 11 Nov 2015, Daniel Kalchev wrote: > > Perhaps similar level of security could be achieved by “the old tools” > if they were by default compiled with Kerberos. Although, this still > requires building additional infrastructure. The kerberized versions of the old tools are basically

Re: OpenSSH HPN

2015-11-11 Thread Leif Pedersen
On Wed, Nov 11, 2015 at 4:29 PM, Robert Simmons wrote: > I don't think there is such a thing as a trusted network. That is a unicorn > these days. > > No networks should be considered trusted. > oh baloney. That's just a clever way to say you want to stop thinking about

Re: OpenSSH HPN

2015-11-11 Thread Slawa Olhovchenkov
On Wed, Nov 11, 2015 at 10:18:08AM -0800, Bryan Drewery wrote: > On 11/11/2015 10:13 AM, Slawa Olhovchenkov wrote: > > On Wed, Nov 11, 2015 at 05:51:25PM +0100, Dag-Erling Smørgrav wrote: > > > >> Bryan Drewery writes: > >>> Another thing that I did with the port was

Re: OpenSSH HPN

2015-11-11 Thread Slawa Olhovchenkov
On Wed, Nov 11, 2015 at 03:58:35PM -0800, Bryan Drewery wrote: > > Some for as ports version? > > Or ports version different? > > Or port maintainer have more time (this is not to blame for DES)? > > I am just don't know what is different between port ssh and base ssh. > > We need ssh 6.x in base,

Re: OpenSSH HPN

2015-11-11 Thread Slawa Olhovchenkov
On Wed, Nov 11, 2015 at 01:32:27PM -0800, Bryan Drewery wrote: > On 11/10/2015 1:42 AM, Dag-Erling Smørgrav wrote: > > I would also like to remove the NONE cipher > > patch, which is also available in the port (off by default, just like in > > base). > > Fun fact, it's been broken in the port

Re: OpenSSH HPN

2015-11-11 Thread Slawa Olhovchenkov
On Wed, Nov 11, 2015 at 07:18:31PM +0100, Dag-Erling Smørgrav wrote: > Slawa Olhovchenkov writes: > > Can you explain what is problem? > > Radical suggestion: read the first email in the thread. I have read it and don't understand (you talk about trouble of maintaining the HPN

Re: OpenSSH HPN

2015-11-11 Thread John-Mark Gurney
Ben Woods wrote this message on Wed, Nov 11, 2015 at 16:27 +0800: > On Wednesday, 11 November 2015, John-Mark Gurney wrote: > > > Ben Woods wrote this message on Wed, Nov 11, 2015 at 15:40 +0800: > > > I have to agree that there are cases when the NONE cipher makes sense, > >

Re: OpenSSH HPN

2015-11-11 Thread Bryan Drewery
On 11/11/2015 10:13 AM, Slawa Olhovchenkov wrote: > On Wed, Nov 11, 2015 at 05:51:25PM +0100, Dag-Erling Smørgrav wrote: > >> Bryan Drewery writes: >>> Another thing that I did with the port was restore the tcpwrapper >>> support that upstream removed. Again, if we decide

Re: OpenSSH HPN

2015-11-11 Thread John-Mark Gurney
Daniel Kalchev wrote this message on Wed, Nov 11, 2015 at 17:49 +0200: > It is my understanding, that using the NONE cypher is not identical to using > “the old tools” (rsh/rlogin/rcp). > > When ssh uses the NONE cypher, credentials and authorization are still > encrypted and verified. Only

Re: OpenSSH HPN

2015-11-11 Thread Brooks Davis
On Tue, Nov 10, 2015 at 04:40:42PM -0800, Bryan Drewery wrote: > On 11/10/15 1:42 AM, Dag-Erling Smørgrav wrote: > > Some of you may have noticed that OpenSSH in base is lagging far behind > > the upstream code. > > > > The main reason for this is the burden of maintaining the HPN patches. > >

Re: OpenSSH HPN

2015-11-11 Thread Bryan Drewery
On 11/10/2015 1:42 AM, Dag-Erling Smørgrav wrote: > I would also like to remove the NONE cipher > patch, which is also available in the port (off by default, just like in > base). Fun fact, it's been broken in the port for several months with no complaints. It was just reported and fixed

Re: OpenSSH HPN

2015-11-11 Thread Robert Simmons
I don't think there is such a thing as a trusted network. That is a unicorn these days. If you are using ssh to connect to the VPN server itself over the VPN connection, I can see why that would be useless double encryption. However, if you are connecting to a server on the network on the other

Re: OpenSSH HPN

2015-11-11 Thread John-Mark Gurney
Ben Woods wrote this message on Wed, Nov 11, 2015 at 15:40 +0800: > On Wednesday, 11 November 2015, Bryan Drewery wrote: > > > On 11/10/15 9:52 AM, John-Mark Gurney wrote: > > > My vote is to remove the HPN patches. First, the NONE cipher made more > > > sense back when we