sshd fails when using cryptodev-linux to compute hmac

Peter Rashleigh prashleigh at questertangent.com
Thu Oct 10 04:31:20 AEDT 2024


Hi Damien,

> I don't know anything about cryptodev-linux, but I assume it's an openssl engine? 
Cryptodev-linux is a kernel module that provides access to kernel crypto drivers, especially hardware-accelerated crypto, through the /dev/crypto device. Openssl implements an engine which interfaces to it.

> If so it's possible sshd's multiprocess model and/or file descriptor handling is confusing it.
This seems like a reasonable explanation based on what I've seen so far.

> It's not a configuration we test, so you're mostly on your own to debug it. It's entirely possible there's a bug there; if so, I'd expect it to be something like a fd being closed while devcrypto is still depending on it.
>
> I'd suggest turning on LogVerbose=* so you can see which process (represented by its PID) is doing what, though that probably won't be represented in the devcrypto debug messages unless you hack something similar in.
Too bad, I was hoping it was a tested/supported configuration. Since that doesn't seem to be the case, I suspect the easiest way forward for me is going to be disabling the openssl engine entirely so that openssh works properly. I doubt that hardware-accelerated crypto is going to have much benefit for SSH workloads anyway.

Thanks,
Peter

