Pawel Jakub Dawidek <[email protected]> writes:
> Which library is needed for AES-NI? I don't see any engine in /usr/lib/
> that implements AES-NI support. Could you be more specific?

Ah, you're right. Bryan (cc:ed) did the analysis and I misunderstood his report. I just ran through the steps to reproduce the issue, and what happens is that a CRIOGET ioctl call (which is supposed to allocate and return a file descriptor) fails due to setrlimit(RLIMIT_FSIZE, 0):

    90344 sshd CALL  setrlimit(RLIMIT_NOFILE,0x7fffffffca10)
    90344 sshd RET   setrlimit 0
    [...]
    90344 sshd CALL  ioctl(0x3,CRIOGET,0x7fffffffcb4c)
    90344 sshd RET   ioctl -1 errno 24 Too many open files

Note that you have to remove the setrlimit(RLIMIT_FSIZE, 0) call in sandbox-rlimit.c to debug this, otherwise ktrace stops at that point:

    May 29 12:10:37 zoo2 kernel: ktrace write failed, errno 27, tracing stopped

To reproduce:

    # ktrace -tcnstuy -di env LD_UTRACE=yes /usr/sbin/sshd -oUsePrivilegeSeparation=sandbox -Dddd -oPort=2222 -oListenAddress=localhost

followed by

    % ssh -c aes128-cbc -p 2222 localhost

on a machine with an AESNI-capable CPU and aesni.ko loaded.

> Also what is the exact difference between "sandbox" and "yes" settings?

"sandbox" enables sandboxing (no surprise) which in FreeBSD's case means a bunch of rlimit settings.

> The reason I ask is because I plan to experiment with OpenSSH sandboxing
> to use Capsicum and Casper.

You still have the patches I sent you?

DES
--
Dag-Erling Smørgrav - [email protected]
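An added illustration of the mechanism in the thread above (this is example code, not OpenSSH's sandbox-rlimit.c and not from the original message): once a process has applied RLIMIT_NOFILE=0, any call that must allocate a fresh descriptor fails with EMFILE (errno 24, "Too many open files"). open() on /dev/null is assumed here as a portable stand-in for the CRIOGET ioctl; the fork keeps the limit from affecting the calling process.

```c
/* Added example: demonstrate why a sandboxed process with RLIMIT_NOFILE
 * set to 0 cannot obtain a new file descriptor. open("/dev/null") is an
 * assumed stand-in for any descriptor-allocating call such as CRIOGET. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run open("/dev/null") in a child, optionally after applying the
 * sandbox-style limit, and return the child's errno (0 on success).
 * Forking keeps the lowered limit from affecting the parent. */
static int fd_alloc_errno_with_limit(int apply_limit)
{
    pid_t pid = fork();
    if (pid < 0)
        return errno;
    if (pid == 0) {
        if (apply_limit) {
            /* Same effect as the sandbox's setrlimit(RLIMIT_NOFILE, 0). */
            struct rlimit rl = { 0, 0 };
            if (setrlimit(RLIMIT_NOFILE, &rl) != 0)
                _exit(errno);
        }
        int fd = open("/dev/null", O_RDONLY);
        _exit(fd < 0 ? errno : 0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return errno;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    int e0 = fd_alloc_errno_with_limit(0);
    int e1 = fd_alloc_errno_with_limit(1);
    printf("without limit:        errno %d (%s)\n", e0, e0 ? strerror(e0) : "ok");
    printf("with RLIMIT_NOFILE=0: errno %d (%s)\n", e1, e1 ? strerror(e1) : "ok");
    return 0;
}
```

Any descriptor-allocating syscall hits the same wall, which is why the ktrace shows the ioctl, not the limit itself, as the visible failure.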
