[meta-xilinx] SSH Help

Nathan Rossi nathan.rossi at xilinx.com
Mon Dec 16 00:00:17 PST 2013 

Hi Martin,

I have been informed that there is a known issue with the XSDK 2013.3 toolchain, and that you should avoid using it.

I will make a note to add this info to the README of the meta-xilinx layer.

Regards,
Nathan

> -----Original Message-----
> From: meta-xilinx-bounces at yoctoproject.org [mailto:meta-xilinx-
> bounces at yoctoproject.org] On Behalf Of Nathan Rossi
> Sent: Saturday, December 14, 2013 3:11 PM
> To: Martin Townsend
> Cc: meta-xilinx at yoctoproject.org
> Subject: Re: [meta-xilinx] SSH Help
> 
> Hi Martin,
> 
> Good to hear you have resolved your issues.
> 
> I remember hearing some problems with the SDK 2013.3 toolchain and shift
> operations, I suspect that is what caused your problems. I will have a
> look into that on Monday and let you know.
> 
> Also regarding hard-float, you are correct most crypto algorithms are
> reliant on integer math/operations only so hard float is probably not
> going to affect performance in any significant way.
> 
> Regards,
> Nathan
> ________________________________________
> From: Martin Townsend [martin.townsend at xsilon.com]
> Sent: Friday, 13 December 2013 10:57 PM
> To: Nathan Rossi
> Cc: meta-xilinx at yoctoproject.org
> Subject: Re: [meta-xilinx] SSH Help
> 
> I've found the problem, it was the external toolchain I'm using (SDK
> 2013.3). I've switched to using the one that gets built for poky (using
> the dora branch) and the openssh server now works :)
> 
> Cheers,
> Martin.
> 
> 
> On 13/12/13 09:18, Martin Townsend wrote:
> > Hi Nathan,
> >
> > Thanks for the swift reply.  I pre-generated the keys from my host and
> > for open ssh I still get the "PRNG is not seeded" which I expected but
> > for dropbear it did get as far as accepting the client connection
> > which was the only debug statement I could see on the console.  I
> > captured the SSH packets and could see that it had stalled during the
> > key exchange, I tried using the weakest KexAlgorithm option at the SSH
> > client and still no joy.  It looks as if the dropbear server has
> > failed to reply or has blocked indefinitely.
> >
> > When generating keys in dropbear I waited for about 15 minutes which
> > from the sounds of it should be long enough to generate a DSS key
> > which I think should be faster to generate than RSA. Besides a
> > Hardware FPU we have all the other instruction set options set.  Do
> > you think the Hardware FPU would make any difference to the
> > encryption?  I would have thought it would have been a lot of integer
> > based number crunching, I maybe wrong here.
> >
> > Time for some debugging I feel.
> >
> > Cheers,
> > Martin.
> >
> > On 13/12/13 03:37, Nathan Rossi wrote:
> >>> -----Original Message-----
> >>> From: meta-xilinx-bounces at yoctoproject.org [mailto:meta-xilinx-
> >>> bounces at yoctoproject.org] On Behalf Of Martin Townsend
> >>> Sent: Friday, December 13, 2013 2:40 AM
> >>> To: meta-xilinx at yoctoproject.org
> >>> Subject: [meta-xilinx] SSH Help
> >>>
> >>> Hi,
> >>>
> >>> I'm trying to get SSH working and have tried dropbear and openssh with
> >>> no joy.  With dropbear it just hangs forever when trying to generate
> >>> the
> >>> keys and with openssh I get the following message when trying to
> >>> generate the keys
> >>> PRNG is not seeded
> >>> I've stepped through the code and in seed_rng it calls RAND_Status
> >>> which
> >>> I think is in the openssl library.  This function returns failure.
> >>> A bit of googling seems to indicate that permissions on /dev/urandom
> >>> and
> >>> /dev/random are incorrect but I've checked them and they are fine.
> >>>
> >>> crw-rw-rw-    1 root     root        1,   8 Jan  1  1970 random
> >>> ...
> >>> crw-rw-rw-    1 root     root        1,   9 Jan  1  1970 urandom
> >>>
> >>> Running
> >>>
> >>> |cat /dev/urandom | tr -dc 'a-zA-Z0-9~!@#$%^&*-_'
> >>> gives me a long stream of random characters.
> >>>> ZtAy6lC.;yZD3=etLvwbiPEeH_\laccLVXkYlrNa7SiXESYxrb44q*79&I...
> >>> |
> >>>
> >>> Using /dev/random I managed to read 3 characters before it blocked.
> >>> cat /dev/random | tr -dc 'a-zA-Z0-9~!@#$%^&*-_'
> >>> xAr
> >>>
> >>> Could it be that the entropy pool isn't being filled enough, the
> >>> documentation I can see says that openssl will use /dev/urandom first
> >>> and then /dev/random.
> >> Hi Martin,
> >>
> >> I gave openssh/dropbear a quick test on hardware and qemu. The
> >> RSA/ECDSA/DSA host key generation is slow, especially on hardware. It
> >> seems to be related primarily to performance.
> >>
> >> The qemu system was able to generate the openssh keys in under 1
> >> minute, hardware is 10x slower at ~10 minutes for the kc705-trd
> >> design. Dropbear is much faster, on the kc705 reference design it
> >> will generate the host key within ~10 seconds.
> >>
> >> As to why QEMU is much faster, it is because it can emulate faster
> >> than hardware runs and it also has all the microblaze instruction set
> >> options enabled (e.g. mul high, hardware div and hard float are the
> >> key options that will affect key generation), remember these keys are
> >> supposed to be computationally hard to generate ;).
> >>
> >> Alternatively you can skip the host key generation entirely and
> >> pre-generate your host key for debugging (make a recipe to drop it
> >> into your rootfs) and then on you production image configure it to
> >> generate on the first boot and then store the resulting key in a
> >> persistent storage media like flash or sd (which is the default
> >> behavior for poky).
> >>
> >> Regards,
> >> Nathan
> >>
> >>> BTW: The HW design is using a Microblaze running at 100MHz which I
> >>> would
> >>> hope would be enough if maybe a bit slow.
> >>>
> >>> Any help/ideas greatly appreciated.
> >>>
> >>> Cheers,
> >>> Martin.
> >>>
> >>> _______________________________________________
> >>> meta-xilinx mailing list
> >>> meta-xilinx at yoctoproject.org
> >>> https://lists.yoctoproject.org/listinfo/meta-xilinx
> >>
> >
> > _______________________________________________
> > meta-xilinx mailing list
> > meta-xilinx at yoctoproject.org
> > https://lists.yoctoproject.org/listinfo/meta-xilinx
> 
> 
> _______________________________________________
> meta-xilinx mailing list
> meta-xilinx at yoctoproject.org
> https://lists.yoctoproject.org/listinfo/meta-xilinx

More information about the meta-xilinx mailing list