Feature #17363

Missing replication encryption option

Added by Kevinesan Pillay over 3 years ago. Updated about 2 years ago.

Status: Resolved
Priority: Expected
Assignee: William Grzybowski
Category: Middleware
Target version:
Estimated time:
Severity: New
Reason for Closing:
Reason for Blocked:
Needs QA: Yes
Needs Doc: Yes
Needs Merging: Yes
Needs Automation: No
Support Suite Ticket: n/a
Hardware Configuration:

Description

Good day

Since moving from FreeNAS 9.3 to 9.10, we have lost the option to set "Encryption Cipher" to "Disabled", for replication. This was quite necessary in my customer's environment for replication across the WAN, as it greatly improved the replication run-time for the required datasets, which are very large (one is 32TB in size). We had to upgrade to 9.10 to resolve some stability issues and had to remove the original seed replication and start over, only to find that the "Disabled" option was gone and that replication for the initial seed was now taking weeks to complete.

Could you please advise if this will be once again made available in 9.10 (or perhaps 10), and what the timeline could be?

Regards,
Kevin Pillay
+27832346394

Associated revisions

Revision c7d7585f (diff)
Added by William Grzybowski about 3 years ago

feat(repl): add openssh-portable with NONECIPHER Ticket: #17363

Revision 9de7d5f9 (diff)
Added by William Grzybowski about 3 years ago

feat(rc.d): save keys generated from openssh, not sshd Ticket: #17363

Revision 0cb0a330 (diff)
Added by William Grzybowski about 3 years ago

feat(rc.d): generate sshd_config for openssh-portable instead Ticket: #17363

Revision 6ed056aa (diff)
Added by William Grzybowski about 3 years ago

feat(rc.d): enable using openssh_enable instead of sshd_enable Ticket: #17363

Revision fc2e7e04 (diff)
Added by William Grzybowski about 3 years ago

feat(gui): replace sshd calls with openssh Ticket: #17363

Revision 37dbdeca (diff)
Added by William Grzybowski about 3 years ago

feat(rc.d): skip openssh vs sshd check Ticket: #17363

Revision ef4d4482 (diff)
Added by William Grzybowski about 3 years ago

feat(repl): re-enable none cipher Ticket: #17363

Revision d1e9a84e (diff)
Added by William Grzybowski about 3 years ago

feat(gui): re-add choice to disable encryption in replication Ticket: #17363

Revision e0d759f7 (diff)
Added by William Grzybowski about 3 years ago

fix(rc.d): remaining sshd_enable Ticket: #17363

Revision c0f54ce0 (diff)
Added by William Grzybowski about 3 years ago

Revert "NoneEnabled is no longer a "thing"" This reverts commit 6e5e89b53cd9d9b13ecad705ebc93eb268a53d4c. Ticket: #17363

Revision 5386610d (diff)
Added by William Grzybowski about 3 years ago

fix(repl): none cipher warning string has changed Ticket: #17363

Revision fb415396 (diff)
Added by Suraj Ravichandran about 3 years ago

s/sshd/openssh now that we are no longer using base's sshd. Ticket: #17363

Revision 4202373a (diff)
Added by Suraj Ravichandran about 3 years ago

A bunch of more ssh path fixes. Ticket: #17363

Revision 2478a4ea (diff)
Added by William Grzybowski about 3 years ago

fix(gui): missing openssh-portable change Spotted by: suraj Ticket: #17363

Revision 12c6dfad (diff)
Added by William Grzybowski about 3 years ago

fix(replfix): use openssh client bin Spotted by: suraj Ticket: #17363

History

#1 Updated by Heather Ownby over 3 years ago

  • Assignee set to William Grzybowski

#2 Updated by Jordan Hubbard over 3 years ago

The upstream OpenSSH project removed the "None" cipher option a few builds back, and due to security updates and such, it was necessary for us to move to newer versions of OpenSSH, so we simply lost the ability to provide that option. FreeNAS 10 does replication differently with a new engine that simply uses ssh to set up the "control channel" and does the replication over another connection for which we can control the amount of compression / encryption / throttling, including "none" for maximum speed. JFYI.

#3 Updated by Kris Moore over 3 years ago

  • Target version set to 9.10.2

I think we've had this discussion before, but openssh-portable does have the NONE cipher option still. (And will have it for the foreseeable future, since it's used in production by many FBSD users still)

http://www.freshports.org/security/openssh-portable/

I would propose switching to that at some point, since the FN10 replication engine doesn't help us if we need to SSH large quantities of data to another ZFS system that isn't FN10.

#4 Updated by Josh Paetzel over 3 years ago

That seems reasonable to me.

#5 Updated by Kevinesan Pillay over 3 years ago

Good day

Thank you for the comments. My client will require some sort of assurance that this matter will be pursued; can this request be made official in some manner, by adding it to some official request/feature list?

Regards,
Kevin Pillay

#6 Updated by Kris Moore over 3 years ago

  • Priority changed from Nice to have to Expected

It's scheduled to be added back for 9.10.2 (Slated for this Fall, NOV)

#7 Updated by William Grzybowski over 3 years ago

  • Status changed from Unscreened to Screened

#8 Updated by Vaibhav Chauhan about 3 years ago

BRB: we will be bringing the NONE TYPE encryption, and it will go into 9.10.2.

#9 Updated by William Grzybowski about 3 years ago

  • Status changed from Screened to 19

#10 Updated by William Grzybowski about 3 years ago

  • Status changed from 19 to Needs Developer Review

#11 Updated by William Grzybowski about 3 years ago

  • Assignee changed from William Grzybowski to Suraj Ravichandran

#12 Updated by Suraj Ravichandran about 3 years ago

  • Assignee changed from Suraj Ravichandran to William Grzybowski
  • % Done changed from 0 to 90

@William I found a bunch of places using the old base ssh and such and have made the appropriate commits as follows:

This one https://github.com/freenas/freenas/commit/fb4153964f60bc49787c95c5429c8f39eaf78863 (which I made to master)

and then further ones which I was not sure of and hence made those commits to a side branch: https://github.com/freenas/freenas/commit/4202373a98a296f6cdf2542cc4fca95b0a0c5b57

I am handing this ticket back to you (as the rest of it is fine) and if you find the fix branch to be sane please merge it back and then set this ticket as reviewed.

#13 Updated by William Grzybowski about 3 years ago

  • Status changed from Needs Developer Review to Reviewed

I have committed portions of your change in sshfixes branch.

#14 Updated by Vaibhav Chauhan about 3 years ago

  • Status changed from Reviewed to Ready For Release

#15 Updated by Dru Lavigne about 2 years ago

  • Status changed from Ready For Release to Resolved
