svn commit: r251088 - head/crypto/openssh
Dag-Erling Smørgrav
des at des.no
Wed May 29 12:36:17 UTC 2013
Pawel Jakub Dawidek <pjd at FreeBSD.org> writes:
> Which library is needed for AES-NI? I don't see any engine in /usr/lib/
> that implements AES-NI support. Could you be more specific?
Ah, you're right. Bryan (cc:ed) did the analysis and I misunderstood
his report. I just ran through the steps to reproduce the issue, and
what happens is that a CRIOGET ioctl call (which is supposed to allocate
and return a file descriptor) fails due to setrlimit(RLIMIT_FSIZE, 0):
90344 sshd CALL setrlimit(RLIMIT_NOFILE,0x7fffffffca10)
90344 sshd RET setrlimit 0
[...]
90344 sshd CALL ioctl(0x3,CRIOGET,0x7fffffffcb4c)
90344 sshd RET ioctl -1 errno 24 Too many open files
Note that you have to remove the setrlimit(RLIMIT_FSIZE, 0) call in
sandbox-rlimit.c to debug this, otherwise ktrace stops at that point:
May 29 12:10:37 zoo2 kernel: ktrace write failed, errno 27, tracing stopped
To reproduce:
# ktrace -tcnstuy -di env LD_UTRACE=yes /usr/sbin/sshd -oUsePrivilegeSeparation=sandbox -Dddd -oPort=2222 -oListenAddress=localhost
followed by
% ssh -c aes128-cbc -p 2222 localhost
on a machine with an AESNI-capable CPU and aesni.ko loaded.
> Also what is the exact difference between "sandbox" and "yes" settings?
"sandbox" enables sandboxing (no surprise) which in FreeBSD's case means
a bunch of rlimit settings.
> The reason I ask is because I plan to experiment with OpenSSH sandboxing
> to use Capsicum and Casper.
You still have the patches I sent you?
DES
--
Dag-Erling Smørgrav - des at des.no
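The failure mode in the trace above, reproduced as an added example that is not part of the message, of OpenSSH's sandbox-rlimit.c, or of FreeBSD: once the unprivileged child has set RLIMIT_NOFILE to 0, any primitive that must hand out a new descriptor fails with EMFILE, and once RLIMIT_FSIZE is 0 any write to a regular file fails with EFBIG (after SIGXFSZ, which would otherwise kill the process, is ignored). dup(2) on a pipe end stands in for CRIOGET on /dev/crypto, and a write(2) to an unlinked temporary file under /tmp stands in for the ktrace write the kernel reported; the probe-in-a-forked-child layout, the exit-status encoding of errno and the /tmp path are this example's own choices, not anything the thread describes.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Set one resource's soft and hard limit to 0, the way the message says
 * the FreeBSD "sandbox" mode does via a bunch of setrlimit() calls. */
static int limit_to_zero(int resource) {
    struct rlimit rl;
    rl.rlim_cur = 0;
    rl.rlim_max = 0;
    return setrlimit(resource, &rl);
}

/* Probe 1: with RLIMIT_NOFILE=0, ask the kernel for a fresh descriptor.
 * The pipe is created first, so the dup() below is the only allocation
 * that happens under the limit (hypothetical stand-in for CRIOGET).
 * Returns 0 if a descriptor was handed out, otherwise errno. */
int probe_new_fd(void) {
    int p[2];
    if (pipe(p) < 0)
        return errno;
    if (limit_to_zero(RLIMIT_NOFILE) < 0)
        return errno;
    int fd = dup(p[0]);
    if (fd < 0)
        return errno;            /* expected: EMFILE, "Too many open files" */
    close(fd);
    return 0;
}

/* Probe 2: with RLIMIT_FSIZE=0, write one byte to a regular file.
 * SIGXFSZ is ignored so that write() returns -1/EFBIG instead of the
 * default action (termination). Returns 0 on success, otherwise errno. */
int probe_write_regular_file(void) {
    char path[] = "/tmp/rlimit-demo-XXXXXX";   /* assumed writable */
    int fd = mkstemp(path);
    if (fd < 0)
        return errno;
    unlink(path);                /* keep the fd, drop the name */
    signal(SIGXFSZ, SIG_IGN);
    if (limit_to_zero(RLIMIT_FSIZE) < 0)
        return errno;
    if (write(fd, "x", 1) < 0)
        return errno;            /* expected: EFBIG, errno 27 in the trace */
    return 0;
}

/* Run a probe in a forked child so the caller keeps its own limits,
 * mirroring how sshd confines only the unprivileged child. The child's
 * exit status carries the probe's return value (0 or a small errno);
 * a death by signal is reported as 1000 + signal number. Returns -1 if
 * fork/waitpid themselves fail. */
int run_isolated(int (*probe)(void)) {
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(probe() & 0xff);
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFSIGNALED(status))
        return 1000 + WTERMSIG(status);
    return WEXITSTATUS(status);
}

static const char *describe(int rc) {
    if (rc == 0)
        return "succeeded";
    if (rc > 0 && rc < 1000)
        return strerror(rc);
    return "probe did not complete";
}

int main(void) {
    int r1 = run_isolated(probe_new_fd);
    int r2 = run_isolated(probe_write_regular_file);
    printf("new fd under RLIMIT_NOFILE=0:        %s\n", describe(r1));
    printf("file write under RLIMIT_FSIZE=0:     %s\n", describe(r2));
    return 0;
}
```

The first probe is the whole story behind the failed CRIOGET: the limit does not touch descriptors already open (the pipe ends stay usable), it only refuses new ones, so an engine that opens /dev/crypto lazily inside the sandbox cannot be initialized there. The second probe is why ktrace stopped at the same point in the message: the kernel's own trace write to a regular file is subject to the traced process's RLIMIT_FSIZE. Both errno values are 24 and 27 on FreeBSD and Linux alike.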