On Wed, Jun 26, 2024 at 01:35:24PM +0000, Sandeep Umesh via IBM TechXchange Community wrote:
> ok, then it is not required to update the openssl fileset, however we
> recommend updating to the latest openssl 3 available in the web pack:
>
> https://www.ibm.com/resources/mrs/assets?source=aixbp&S_PKG=openssl
>
> We have now introduced multiple methods to check the integrity of packages provided through the MRS site.
> You can refer to the Readme file provided along with the package which gives details about checking the integrity.
Indeed! I see the new signature file and readme.
You published the checksum, and a method for signature validation
inside AIX using the certificate already distributed with the
OS. That's huge progress!
------------------------------------------------------------------
Russell Adams
Russell.Adams@AdamsSystems.nl
Principal Consultant Adams Systems Consultancy
https://adamssystems.nl/
Original Message:
Sent: 6/26/2024 9:35:00 AM
From: Sandeep Umesh
Subject: RE: AIX SSH performance, POWER hardware acceleration?
ok, then it is not required to update the openssl fileset, however we recommend updating to the latest openssl 3 available in the web pack: https://www.ibm.com/resources/mrs/assets?source=aixbp&S_PKG=openssl
We have now introduced multiple methods to check the integrity of packages provided through the MRS site.
You can refer to the Readme file provided along with the package which gives details about checking the integrity.
Thanks
Regards
Sandeep Umesh
AIX Opensource Security
------------------------------
Sandeep Umesh
------------------------------
Original Message:
Sent: Wed June 26, 2024 09:20 AM
From: Russell Adams
Subject: AIX SSH performance, POWER hardware acceleration?
On Wed, Jun 26, 2024 at 12:52:07PM +0000, Sandeep Umesh via IBM TechXchange Community wrote:
> Can you try with the latest OpenSSH 9.2.112.2400 version provided in the web download pack:
>
> https://www.ibm.com/resources/mrs/assets?source=aixbp&S_PKG=openssh
>
> It has a prereq for the OpenSSL 1.1.2.2400 version available at: https://www.ibm.com/resources/mrs/assets?source=aixbp&S_PKG=openssl
>
> This version of openssh has a change in the default Cipher to aes128-ctr which should improve the performance for scp transfer.
That sounds great, except now AIX is using OpenSSL v3!
I've also already got a ticket open with IBM about the security of
files on the MRS site, as I have no way to authenticate those downloads.
------------------------------------------------------------------
Russell Adams Russell.Adams@AdamsSystems.nl
Principal Consultant Adams Systems Consultancy
https://adamssystems.nl/
Original Message:
Sent: 6/26/2024 8:52:00 AM
From: Sandeep Umesh
Subject: RE: AIX SSH performance, POWER hardware acceleration?
Hello
Can you try with the latest OpenSSH 9.2.112.2400 version provided in the web download pack: https://www.ibm.com/resources/mrs/assets?source=aixbp&S_PKG=openssh
It has a prereq for the OpenSSL 1.1.2.2400 version available at: https://www.ibm.com/resources/mrs/assets?source=aixbp&S_PKG=openssl
In the 9.2 openssh version, the community has changed the default cipher to the chacha20-poly1305 algorithm. This algorithm does not use the Power in-core accelerator. So, from the 9.2.112.2400 version, the default Cipher is changed to aes128-ctr which should improve the performance for scp transfer.
Thanks
Regards
Sandeep Umesh
AIX Opensource Security
------------------------------
Sandeep Umesh
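Added example (not IBM's code and not from anyone in this thread): a small POSIX sh helper that reads `ssh -v` / `scp -v` debug output and reports whether the negotiated cipher is one of the AES modes the AIX build now defaults to, so a host pair can be checked for a silent fallback to chacha20-poly1305. The accelerated-cipher list is an assumption based on the thread, and the sample debug lines are constructed.

```shell
#!/bin/sh
# Added example, not IBM tooling: find the cipher ssh/scp actually negotiated
# from `ssh -v` debug output and flag chacha20-poly1305, which (per the thread)
# does not use the POWER in-core accelerator on AIX.

# Assumption: only the AES family benefits from the in-core accelerator.
ACCELERATED_CIPHERS="aes128-ctr aes192-ctr aes256-ctr aes128-gcm@openssh.com aes256-gcm@openssh.com"

# negotiated_cipher DIRECTION < debug-output
# Prints the cipher from the "debug1: kex: <dir> cipher: ..." line.
# DIRECTION is "server->client" or "client->server".
negotiated_cipher() {
    dir="$1"
    sed -n "s/^debug1: kex: ${dir} cipher: \([^ ]*\).*/\1/p" | head -n 1
}

# is_accelerated CIPHER: exit 0 if the cipher is in the AES list, 1 otherwise.
is_accelerated() {
    for c in $ACCELERATED_CIPHERS; do
        [ "$c" = "$1" ] && return 0
    done
    return 1
}

# check_transcript < debug-output
# Prints "ok <cipher>" (exit 0) or "slow <cipher>" (exit 1); exit 2 if no line.
check_transcript() {
    cipher=$(negotiated_cipher "server->client")
    [ -n "$cipher" ] || { echo "no cipher line found"; return 2; }
    if is_accelerated "$cipher"; then
        echo "ok $cipher"; return 0
    else
        echo "slow $cipher"; return 1
    fi
}

# Constructed sample lines in the shape ssh -v prints them (not a real capture).
SAMPLE_CHACHA='debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none'
SAMPLE_AES='debug1: kex: server->client cipher: aes128-ctr MAC: umac-64-etm@openssh.com compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: umac-64-etm@openssh.com compression: none'

# Real use:  ssh -v host true 2>&1 | check_transcript
# Force the AES cipher on an older client:  scp -c aes128-ctr -v file host:
```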
Original Message:
Sent: Fri June 21, 2024 11:38 AM
From: Russell Adams
Subject: AIX SSH performance, POWER hardware acceleration?
Has anyone been able to use the POWER9 compression and encryption hardware acceleration with SSH?
Unfortunately scp always seems to have poor performance; I was hoping it could be faster with the hardware acceleration. I understand that may have to be set up on both client and server, so let's assume both are AIX with access to HW acceleration.
The only reference I have found is an undocumented sshd_config "EnableHWCompression" parameter buried in the release notes of OpenSSH 9 on the MRS site.
https://www.ibm.com/resources/mrs/assets/DirectDownload?source=aixbp&lang=en_US#lang=en_US
(fixed link)
This version includes other fixes part of previous fileset release:
- Fix for APAR Draft 17902: sshd may corrupt SYSENVIRON and affect at jobs
- Fix for APAR IJ40247: sshd memory leak and core when multiplexing/connection sharing
- Fix for Apar Draft 17855: ssh public key authentication fails if no password defined
- Fix for APAR IJ38179: sshd won't work in Trusted Aix environment.
- Fix for CVE-2021-41617: privilege escalation when AuthorizedKeysCommand/AuthorizedPrincipalsCommand are configured
- Fix for APAR IJ32806: A PIPED COMMAND TO SSH COULD RETURN EAGAIN.
- Fix for APAR IJ33264: OPENSSH 8.X DOES NOT SET PAG VALUE
- Introducing new configuration option fipsforopenssh which enforces the following configuration:
  - PubkeyAcceptedKeyTypes rsa-sha2-256,rsa-sha2-512,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384
  - Ciphers aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc,aes128-gcm@openssh.com,aes256-gcm@openssh.com
  - MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512
  - KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
  - DRBG uses aes256-ctr as the default
- Addition of a new configuration option EnableHwCompression to make use of Hardware compression feature in Power9 and above
It makes no mention of encryption. Given the single-threaded nature of scp, I think both encryption and compression acceleration would be helpful.
------------------------------
========================
Russell Adams
https://adamssystems.nl/
========================
------------------------------