On Wed, May 29, 2013 at 02:36:17PM +0200, Dag-Erling Smørgrav wrote:
> Pawel Jakub Dawidek <p...@freebsd.org> writes:
> > Which library is needed for AES-NI? I don't see any engine in /usr/lib/
> > that implements AES-NI support. Could you be more specific?
>
> Ah, you're right. Bryan (cc:ed) did the analysis and I misunderstood
> his report. I just ran through the steps to reproduce the issue, and
> what happens is that a CRIOGET ioctl call (which is supposed to allocate
> and return a file descriptor) fails due to setrlimit(RLIMIT_FSIZE, 0):
>
> 90344 sshd CALL setrlimit(RLIMIT_NOFILE,0x7fffffffca10)
> 90344 sshd RET setrlimit 0
> [...]
> 90344 sshd CALL ioctl(0x3,CRIOGET,0x7fffffffcb4c)
> 90344 sshd RET ioctl -1 errno 24 Too many open files
>
> Note that you have to remove the setrlimit(RLIMIT_FSIZE, 0) call in
> sandbox-rlimit.c to debug this, otherwise ktrace stops at that point:
>
> May 29 12:10:37 zoo2 kernel: ktrace write failed, errno 27, tracing stopped
>
> To reproduce:
>
> # ktrace -tcnstuy -di env LD_UTRACE=yes /usr/sbin/sshd -oUsePrivilegeSeparation=sandbox -Dddd -oPort=2222 -oListenAddress=localhost
>
> followed by
>
> % ssh -c aes128-cbc -p 2222 localhost
>
> on a machine with an AESNI-capable CPU and aesni.ko loaded.

AES-NI doesn't have to go through the kernel at all, and doing so is much slower. Not sure if our OpenSSL version already has native AES-NI support. If not, it would be best to upgrade it. This would fix AES-NI at least. Other crypto HW that does need a kernel driver would still need something here. I wonder if CRIOGET can't be done before setting the rlimit. How does it work on OpenBSD then?

> > Also what is the exact difference between "sandbox" and "yes" settings?
>
> "sandbox" enables sandboxing (no surprise) which in FreeBSD's case means
> a bunch of rlimit settings.

I thought that the simple "yes" setting does chroot to /var/empty, drops privileges to the sshd user/group and sets rlimits? I'm trying to figure out the difference between those two settings.

> > The reason I ask is because I plan to experiment with OpenSSH sandboxing
> > to use Capsicum and Casper.
>
> You still have the patches I sent you?

Probably somewhere in my INBOX. If you have them handy, can you please resend them?

-- 
Pawel Jakub Dawidek                       http://www.wheelsystems.com
FreeBSD committer                         http://www.FreeBSD.org
Am I Evil? Yes, I Am!                     http://mobter.com
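As an added illustration (not code from this thread or from OpenSSH), the C program below reproduces in a child process the failure mode the ktrace above shows: once the rlimit sandbox has set RLIMIT_NOFILE to 0, any syscall that must hand back a new descriptor fails with EMFILE (errno 24), which is exactly what the CRIOGET ioctl has to do. The limits in sandbox_rlimits() are an assumption about what sandbox-rlimit.c applies, and the function names and the open("/dev/null") stand-in for CRIOGET are this example's own.

```c
#include <sys/resource.h>
#include <sys/wait.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Apply rlimit-style sandboxing (assumed to mirror sandbox-rlimit.c):
 * no file writes, no new descriptors, no new processes. */
static int sandbox_rlimits(void)
{
    struct rlimit zero = { 0, 0 };
    if (setrlimit(RLIMIT_FSIZE, &zero) == -1) return -1;
    if (setrlimit(RLIMIT_NOFILE, &zero) == -1) return -1;
#ifdef RLIMIT_NPROC
    if (setrlimit(RLIMIT_NPROC, &zero) == -1) return -1;
#endif
    return 0;
}

/* Fork a child, optionally sandbox it, then make it allocate one new
 * descriptor. open() stands in for the CRIOGET ioctl, which likewise
 * must return a fresh fd. Returns 0 on success, the child's errno on
 * failure (EMFILE once RLIMIT_NOFILE is 0), or -1 on fork/wait error.
 * Doing this in a child keeps the caller's own limits untouched. */
static int fd_alloc_errno(int sandboxed)
{
    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) {
        if (sandboxed && sandbox_rlimits() == -1) _exit(255);
        int fd = open("/dev/null", O_RDONLY);
        if (fd == -1) _exit(errno);   /* errno values fit an exit status */
        close(fd);
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("unsandboxed: errno %d\n", fd_alloc_errno(0));
    printf("sandboxed:   errno %d (EMFILE is %d)\n", fd_alloc_errno(1), EMFILE);
    return 0;
}
```

The same check can be pointed at /dev/crypto on a FreeBSD box with aesni.ko loaded to confirm that the descriptor limit, not the crypto device, is what fails.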