[Soekris] Hi/fn cards and SSH...
Stuart Henderson
stu at spacehopper.org
Fri Mar 16 14:26:14 UTC 2007
On 2007/03/16 10:04, Andy Michaels wrote:
> > using sysctl 'kern.usercrypto=0' (see /etc/sysctl.conf) will allow
> > the card to be used for IPsec which doesn't have reported problems,
> > and disable it for userland which does.
>
> So the problem only exists if I run the crypto code in userland?
The only time I've heard mention of the problem is when userland
crypto is accelerated by the hifn cards.
> Maybe I don't completely understand the situation, but when you say
> "used for IPSEC", does this imply that IPSEC is run as part of the
> kernel
Yes, that's right. isakmpd runs in userland and sets up the flows,
but the actual crypto is done in-kernel.
> and that say, L2TP is not?
AFAIK there's no L2TP implementation that works with OpenBSD;
feel free to correct me if I'm wrong (especially if it's L2TPv3).
(I think L2TP is usually protected by underlying IPsec, though.)
> What about OpenVPN?
OpenVPN runs in userland, so disabling usercrypto would stop it
being accelerated. I don't know whether it's affected by the bug,
but if you test and find that it does work ok, you could always
disable the hardware-accelerated ciphers in sshd - see Ciphers
in sshd_config(5) - and continue to use them for OpenVPN.
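The reply above leaves the admin with two knobs: kern.usercrypto in /etc/sysctl.conf (0 keeps the card for in-kernel IPsec only) and, failing that, a Ciphers line in sshd_config that excludes the ciphers the card would accelerate. The following script is an added example, not code from the thread or from OpenBSD; it audits both settings from files you point it at. The file paths, the sample file contents and the cipher names passed as "accelerated" (3des-cbc, arcfour) are assumptions for illustration; consult hifn(4) for what your particular card offloads.

```shell
#!/bin/sh
# Added example, not code from the original thread. It audits the two knobs
# the reply mentions: kern.usercrypto in a sysctl.conf-style file and the
# Ciphers line in an sshd_config. File paths, sample contents and the list
# of ciphers treated as hardware-accelerated are constructed/assumed here;
# check hifn(4) for what your card actually offloads.

# Effective kern.usercrypto value in a sysctl.conf-style file.
# Comments are ignored, the last assignment wins, "unset" if none.
usercrypto_setting() {
    awk -F= '
        /^[ \t]*#/ { next }
        $1 ~ /^[ \t]*kern\.usercrypto[ \t]*$/ {
            v = $2
            sub(/^[ \t]+/, "", v)          # strip leading blanks
            gsub(/[ \t#].*$/, "", v)       # strip trailing comment
            val = v
        }
        END { print (val == "" ? "unset" : val) }
    ' "$1"
}

# Ciphers list from an sshd_config. sshd uses the first occurrence and
# keywords are case-insensitive. Prints "default" if there is no Ciphers line.
sshd_ciphers() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "ciphers" && !found { found = 1; print $2 }
        END { if (!found) print "default" }
    ' "$1"
}

# Succeeds (0) only if sshd's Ciphers line is set and contains none of the
# ciphers given as further arguments; an unrestricted default list fails.
hw_ciphers_in_use() {
    conf=$1; shift
    list=$(sshd_ciphers "$conf")
    if [ "$list" = "default" ]; then
        echo "sshd: Ciphers not restricted (default list)"
        return 1
    fi
    hit=""
    for c in "$@"; do
        case ",$list," in
            *",$c,"*) hit="$hit $c" ;;
        esac
    done
    if [ -n "$hit" ]; then
        echo "sshd: accelerated ciphers still enabled:$hit"
        return 1
    fi
    echo "sshd: Ciphers=$list, none of: $*"
    return 0
}

# Combined check: with kern.usercrypto=0 sshd never touches the card, so the
# cipher list does not matter; otherwise the Ciphers line must exclude them.
audit_hifn_userland() {
    sysctl_conf=$1; sshd_conf=$2; shift 2
    uc=$(usercrypto_setting "$sysctl_conf")
    if [ "$uc" = "0" ]; then
        echo "kern.usercrypto=0: userland (sshd, OpenVPN) not accelerated, IPsec still is"
        return 0
    fi
    echo "kern.usercrypto=$uc: userland crypto may use the card"
    hw_ciphers_in_use "$sshd_conf" "$@"
}

# Constructed sample files for a stand-alone run (not real system files).
make_samples() {
    dir=$1
    printf '# sample sysctl.conf\nnet.inet.ip.forwarding=1\nkern.usercrypto = 1 # card for userland too\n' > "$dir/sysctl.conf"
    printf '# sample sshd_config\nPort 22\nCiphers aes128-ctr,3des-cbc\n' > "$dir/sshd_config.bad"
    printf 'Ciphers aes128-ctr,aes256-ctr\n' > "$dir/sshd_config.good"
}

# Usage: sh audit.sh demo   (assumed accelerated ciphers: 3des-cbc arcfour)
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d) && make_samples "$d"
    audit_hifn_userland "$d/sysctl.conf" "$d/sshd_config.bad" 3des-cbc arcfour \
        || echo "=> restrict Ciphers in sshd_config or set kern.usercrypto=0"
    audit_hifn_userland "$d/sysctl.conf" "$d/sshd_config.good" 3des-cbc arcfour
    rm -r "$d"
fi
```

The parsers follow the two files' own rules: sysctl.conf is last-assignment-wins, while sshd(8) takes the first Ciphers keyword it sees, so a hardening line appended at the bottom of sshd_config would be silently ignored if one already exists above it. Whether a given cipher is actually offloaded depends on the card model, which is why the list is an argument rather than hard-coded.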
More information about the Soekris-tech mailing list