SSH HPN-Patch gone?

badger · Dec 15, 2014, 12:29 PM

Hi everybody.

It seems that in 2.2Beta the SSH-HPN-Patch no longer is available as it isn't listed when I call "ssh -V". Is there a reason for that?
Is there any chance to get a package without having to compile it manually - as we ain't got much bsd-experience.

Any help is greatly appreciated.

Thank you very much.

jimp · Dec 15, 2014, 7:17 PM

We did not do anything special for that as far as I can see. We used what FreeBSD already had in place.

badger · Dec 17, 2014, 10:10 AM

Oh I see. Is there any chance you will integrate it? That would be awesome.
Tried it myself but failed miserably ;D

cmb · Dec 17, 2014, 10:13 PM

There is nothing to integrate, stock FreeBSD 9 and newer have it built-in, it's there.

badger · Dec 19, 2014, 9:20 AM

hi.

not quite sure if I get this right…
that means pfSense 2.2 is supposed to already have an HPN-patched ssh-version? 'SSH -V' does not show anything in this regard. Trying to use typical command line arguments (e.g. '-oHPNBufferSize=xx') does not work either?!

Maybe I can eventually somehow compile this myself - but I suppose the next update including openssh will just overwrite it?

thank you =)

charliem · Dec 19, 2014, 11:52 AM

@badger:

that means pfSense 2.2 is supposed to already have an HPN-patched ssh-version? 'SSH -V' does not show anything in this regard. Trying to use typical command line arguments (e.g. '-oHPNBufferSize=xx') does not work either?!

Hmm, I had not heard of this patch-set. I guess this is what you are referring to: http://www.psc.edu/index.php/hpn-ssh ? Those patches are definitely not in pfSense. Were they ever included in the past, as a separate package perhaps?

Maybe I can eventually somehow compile this myself - but I suppose the next update including openssh will just overwrite it?

Yes, and yes. Perhaps the easiest way would be to use a stock FreeBSD 10.1 VM, build the modified binaries in the VM, then copy them over to your pfSense machine. But that's not a long term or scalable solution.

I am curious why you think they are necessary; do you have test results? AFAIK it does not matter to clients passing data through the pfSense machine, only if you use pfSense as an endpoint. Do you really pass that much data to or from your firewall, rather than through it?

This does worry me a little:

The patches are pretty much straight forward ports except for some minor changes in the cipher subsystem

There are no minor changes to cipher subsystems.

jimp · Dec 19, 2014, 12:44 PM

They were never added to pfSense by us.

FreeBSD had them back in the 8.x days, and in 9.x from what I see. It's unclear if they are still there on 10.x.

They are definitely options in the security/openssh-portable port, though I'm not sure I'd recommend fussing with that. It should work in theory, but if it installs to /usr/local/ like a good port should, then our scripts probably would not set it up or launch it properly.

cmb · Dec 19, 2014, 6:02 PM

It should be there already, no need to do anything. The HPN-related options are accepted in sshd_config, and default is enabled.
https://github.com/freebsd/freebsd/blob/master/crypto/openssh/README.hpn

I think you're just expecting behavior that only exists in the patch set, and not the later merged implementation in FreeBSD.