On Wed, May 29, 2013 at 12:19:59AM +0000, Dag-Erling Smørgrav wrote: > Author: des > Date: Wed May 29 00:19:58 2013 > New Revision: 251088 > URL: http://svnweb.freebsd.org/changeset/base/251088 > > Log: > Revert a local change that sets the default for UsePrivilegeSeparation to > "sandbox" instead of "yes". In sandbox mode, the privsep child is unable > to load additional libraries and will therefore crash when trying to take > advantage of crypto offloading on CPUs that support it.
Which library is needed for AES-NI? I don't see any engine in /usr/lib/
that implements AES-NI support. Could you be more specific?
Also what is the exact difference between "sandbox" and "yes" settings?
The reason I ask is because I plan to experiment with OpenSSH sandboxing
to use Capsicum and Casper.
> Modified:
> head/crypto/openssh/servconf.c
>
> Modified: head/crypto/openssh/servconf.c
> ==============================================================================
> --- head/crypto/openssh/servconf.c Wed May 29 00:18:12 2013
> (r251087)
> +++ head/crypto/openssh/servconf.c Wed May 29 00:19:58 2013
> (r251088)
> @@ -298,7 +298,7 @@ fill_default_server_options(ServerOption
> options->version_addendum = xstrdup(SSH_VERSION_FREEBSD);
> /* Turn privilege separation on by default */
> if (use_privsep == -1)
> - use_privsep = PRIVSEP_ON;
> + use_privsep = PRIVSEP_NOSANDBOX;
>
> #ifndef HAVE_MMAP
> if (use_privsep && options->compression == 1) {
--
Pawel Jakub Dawidek http://www.wheelsystems.com
FreeBSD committer http://www.FreeBSD.org
Am I Evil? Yes, I Am! http://mobter.com
pgpIbqUq_8h_o.pgp
Description: PGP signature
