Commit 55460a4a authored by Kirill Smelkov's avatar Kirill Smelkov

Revert "dropbear: Don't waste transfer time in favour of small-memory machines defaults"

This reverts commit 605e564b.

Rationale: Stability matters:

Quoting 605e564b:
> Besides changing only recv window size at runtime breaks compatibility with
> openssh: if we only do `-W 1M` on server and try to upload data with openssh as
> client, dropbear complains
>
>     [3302] Apr 17 23:10:06 Exit (slapuser2): Bad packet size 32777
>
> and connection terminates. Thus RECV_MAX_PAYLOAD_LEN increase is also
> required, which cannot be done via option at runtime:
>
>     https://github.com/mkj/dropbear/blob/DROPBEAR_0.53.1/options.h#L268
>
>     ---- 8< ----
>     /* Maximum size of a received SSH data packet - this _MUST_ be >= 32768
>        in order to interoperate with other implementations */
>     #ifndef RECV_MAX_PAYLOAD_LEN
>     #define RECV_MAX_PAYLOAD_LEN 32768
>     #endif
>     ---- 8< ----
>
> So let's increase DEFAULT_RECV_WINDOW to 1M and RECV_MAX_PAYLOAD_LEN
> appropriately (experimentally found that at 512K the complain goes
> away).

It turned out that "Bad packet size" did not really went away. For example I've
recently hit the following:

    [14586] Aug 04 19:12:43 Pubkey auth succeeded for 'slapuser16' with key md5 b1:35:06:d3:a5:b1:0b:c6:7f:e6:59:31:ab:3a:e1:56 from 2001:67c:1254:c0::1:49886
    [14586] Aug 04 19:12:55 Exit (slapuser16): Integrity error (bad packet size 524500)

in .slappartX_runner_sshd.log of my upgraded webrunner with connection being broken.
( nexedi/slapos!68 (comment 17748) )

We could maybe try to play games with increasing RECV_MAX_PAYLOAD_LEN to
be more than DEFAULT_RECV_WINDOW but this already turned out to be error-prone.

Since when really needed we should be able to replace dropbear with openssh

    nexedi/slapos!68 (comment 7082)

which is both performant and good-compatible, to me the way is:

- make current dropbear run stable again,
- when we really need to sync large amounts of data (and we should be
  needing to do soon or already) -> work on replacing dropbear with
  openssh.
parent abc0873b
...@@ -20,11 +20,9 @@ md5sum = 0284ea239083f04c8b874e08e1aca243 ...@@ -20,11 +20,9 @@ md5sum = 0284ea239083f04c8b874e08e1aca243
# in order have all patches working. # in order have all patches working.
url = http://matt.ucc.asn.au/dropbear/releases/dropbear-0.53.1.tar.bz2 url = http://matt.ucc.asn.au/dropbear/releases/dropbear-0.53.1.tar.bz2
# NOTE DEFAULT_RECV_WINDOW and RECV_MAX_PAYLOAD_LEN are tweaked to support
# faster network throughput compared to dropbear defaults.
configure-options = configure-options =
--with-zlib=${zlib:location} --with-zlib=${zlib:location}
CFLAGS="-DENABLE_SINGLEUSER -D__DIRTY_NO_SHELL_CHECKING -DDEFAULT_RECV_WINDOW=1048576 -DRECV_MAX_PAYLOAD_LEN=524288" CFLAGS="-DENABLE_SINGLEUSER -D__DIRTY_NO_SHELL_CHECKING"
environment = environment =
CPPFLAGS =-I${zlib:location}/include CPPFLAGS =-I${zlib:location}/include
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment