
Bug#457120: openssh-server: subprocess post-installation script returned error exit status 1



On Thu, 20 Dec 2007, Colin Watson wrote:
> Where did this "NoneEnabled yes" come from? The openssh packages didn't
> put it there; I've double-checked by searching everything back to
> version 1:3.6.1p2-9 from September 2003, which is the oldest I have

It is there because you ship a substandard version of ssh that does not allow the use of "none" encryption. So, at some point, I had to install an ssh that did support "none" encryption. Encryption and compression cause major overhead and while it is usually desirable, there are situations where you need to explicitly disable it. And I think I filed a bug on openssh a long time ago for not including the hpn patches.

SSH can, and should be, used to ship massive amounts (many GB) of data over the network. Some examples are backups and disk imaging:

   dd if=/dev/hda1 ... | ssh ... dd of=/dev/hda1
   dd if=debian_etch.diskimage | ssh ... dd of=/dev/hda1
   cd /; tar cvf - . | ssh ... tar xvf -
   dd if=file.iso ... | ssh ... cdrecord ...
   ssh ... dd if=file.mpeg | mplayer

HPN makes a HUGE difference, like an order of magnitude. Plain openssh can slow your 100Mbps or 1Gbps ethernet down to 10Mbps speeds. HPN is set up so you never use "none" by accident. None is never negotiated if other protocols are not available; it is only used if you explicitly ask for it. And users aren't even allowed to explicitly ask for it unless the system administrator sets "NoneEnabled: yes". And encryption is still used for authentication. And a warning message is printed anytime None is used. And HPN makes other performance improvements as well.

I think I was testing it at the time for reimaging disks for a compile farm and also to back up the hard drive on a used Mac I had purchased. In the compile farm application, disks are reimaged for every job, providing not only a secure and stable platform on which to compile but the ability to compile on dozens of different operating systems and distributions on the same machine. You can't wait 3 hours for a disk partition to be reimaged when you are doing it every 10 minutes.

The Debian package should really include HPN. If you aren't going to include HPN, you should at least not crash on an unknown configuration option used by an important patch.

http://www.psc.edu/networking/projects/hpn-ssh/

HPN was implemented by the Pittsburgh Supercomputing Center and funded by Cisco, the National Science Foundation, and the National Library of Medicine, and is used by NASA, Sun, HP, supercomputing centers, financial companies, etc.

You could always make two packages:
  openssh-stock   Stock version of SSH
  openssh-enhanced-hpn  SSH for High Performance Networking enhancements
and let the system manager decide. Linux is supposed to be about freedom. But that is actually more cumbersome for the system manager than just shipping with HPN compiled in and "NoneEnabled: No" and "HPNDisabled: yes".

It is unreasonable to ask the system manager to manually patch and install openssh on every box to get a decent version that should have been supplied in the first place, only to have it downgraded the next time apt-get upgrade decides to do an "upgrade". And Debian's mechanisms for protecting a package from upgrade are clunky.
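
An added example, not part of the original message and not code from openssh or the HPN patch: a Python check an administrator could run over sshd_config text to list the two HPN-only directives named above and report whether the "none" cipher is enabled at global scope. The sample config is constructed; the parsing assumes the sshd_config rules that keywords are case-insensitive and that the first value obtained for a keyword is used.

```python
import re

# Directive names come from the message above; both belong to the HPN patch.
HPN_DIRECTIVES = {"noneenabled", "hpndisabled"}

# Constructed sample sshd_config, not taken from the bug report.
SAMPLE = """\
# constructed example
Port 22
noneenabled = yes
Match User backup
    NoneEnabled no
HPNDisabled "yes"
"""

def audit_sshd_config(text):
    """List every HPN-only directive with its line, value and scope."""
    findings, seen, scope = [], set(), "global"
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are split by whitespace or by a single '='.
        m = re.match(r"([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*)$", line)
        if not m:
            continue
        key = m.group(1).lower()          # keywords are case-insensitive
        value = m.group(2).strip().strip('"').lower()
        if key == "match":                # a Match block runs to the next Match or EOF
            scope = "match"
            continue
        if key not in HPN_DIRECTIVES:
            continue
        # At global scope the first value obtained for a keyword wins.
        shadowed = scope == "global" and key in seen
        if scope == "global":
            seen.add(key)
        findings.append({"line": lineno, "directive": key, "value": value,
                         "scope": scope, "shadowed": shadowed})
    return findings

def none_cipher_allowed(findings):
    """True if an effective global NoneEnabled yes is present."""
    return any(f["directive"] == "noneenabled" and f["value"] == "yes"
               and f["scope"] == "global" and not f["shadowed"] for f in findings)

if __name__ == "__main__":
    for f in audit_sshd_config(SAMPLE):
        print(f)
    print("none cipher allowed globally:", none_cipher_allowed(audit_sshd_config(SAMPLE)))
```

Any finding also marks a line that, per this bug report, an sshd built without the HPN patch treats as an unknown option, so it is worth resolving before the packaged openssh-server is installed or upgraded.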


