Bug#457120: openssh-server: subprocess post-installation script returned error exit status 1
On Thu, 20 Dec 2007, Colin Watson wrote:
> Where did this "NoneEnabled yes" come from? The openssh packages didn't
> put it there; I've double-checked by searching everything back to
> version 1:3.6.1p2-9 from September 2003, which is the oldest I have

It is there because you ship a substandard version of ssh that does not
allow the use of "none" encryption. So, at some point, I had to install
an ssh that did support "none" encryption. Encryption and
compression cause major overhead and while it is usually desirable, there
are situations where you need to explicitly disable it. And I think I
filed a bug on openssh a long time ago for not including the hpn patches.

SSH can, and should be, used to ship massive amounts (many GB) of data over
the network. Some examples are backups and disk imaging:

    dd if=/dev/hda1 ... | ssh ... dd of=/dev/hda1
    dd if=debian_etch.diskimage | ssh ... dd of=/dev/hda1
    cd /; tar cvf - . | ssh ... tar xvf -
    dd if=file.iso ... | ssh ... cdrecord ...
    ssh ... dd if=file.mpeg | mplayer

HPN makes a HUGE difference, like an order of magnitude.
Plain openssh can slow your 100Mbps or 1Gbps ethernet down to 10Mbps
speeds. HPN is set up so you never use "none" by accident. None is never
negotiated if other protocols are not available; it is only used if
you explicitly ask for it. And users aren't even allowed to
explicitly ask for it unless the system administrator sets "NoneEnabled:
yes". And encryption is still used for authentication. And a warning
message is printed anytime None is used. And HPN makes
other performance improvements as well.

I think I was testing it at the time for reimaging disks for a compile
farm and also to back up the hard drive on a used Mac I had purchased.
In the compile farm application, disks are reimaged for every job,
providing not only a secure and stable platform on which to compile but
the ability to compile on dozens of different operating systems and
distributions on the same machine. You can't wait 3 hours for a disk
partition to be reimaged when you are doing it every 10 minutes.

The Debian package should really include HPN.
If you aren't going to include HPN, you should at least not crash on
an unknown configuration option used by an important patch.

http://www.psc.edu/networking/projects/hpn-ssh/
HPN was implemented by the Pittsburgh Supercomputing Center and funded by
Cisco, the National Science Foundation, and the National Library of Medicine
and is used by NASA, Sun, HP, super computing centers, financial companies, etc.

You could always make two packages:

    openssh-stock          Stock version of SSH
    openssh-enhanced-hpn   SSH for High Performance Networking enhancements

and let the system manager decide. Linux is supposed to be about
freedom. But, that is actually more cumbersome for the system manager
than just shipping with HPN compiled in and "NoneEnabled: No" and
"HPNDisabled: yes".

It is unreasonable to ask the system manager to manually patch and install
openssh on every box to get a decent version that should have been
supplied in the first place only to have it downgraded the next time
apt-get upgrade decides to do an "upgrade". And Debian's mechanisms for
protecting a package from upgrade are clunky.
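
Added example (not part of the original message or of the openssh packaging): a pre-upgrade scan for the failure discussed above, where a stock sshd refuses a configuration that still contains HPN-only directives. The option list, the function name find_hpn_directives and the sample config are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag sshd_config directives that only an HPN-patched sshd accepts.
# HPN_ONLY holds the two option names from the message; the list is an
# assumption to extend for whatever patch set was installed locally.
HPN_ONLY="NoneEnabled HPNDisabled"

# find_hpn_directives FILE
# Prints "LINE:keyword" for every active HPN-only directive.
# Exit status: 0 = none found, 1 = at least one found, 2 = file unreadable.
find_hpn_directives() {
    [ -r "$1" ] || return 2
    awk -v list="$HPN_ONLY" '
        BEGIN {
            n = split(tolower(list), kw, " ")
            for (i = 1; i <= n; i++) bad[kw[i]] = 1
        }
        {
            line = $0
            sub(/^[ \t]+/, "", line)              # indentation is allowed
            if (line == "" || line ~ /^#/) next   # skip blanks and comments
            key = line
            sub(/[ \t=:].*$/, "", key)            # keyword ends at blank or "="; ":" covers the spelling in the message
            k = tolower(key)                      # sshd keywords are case-insensitive
            if (k in bad) { printf "%d:%s\n", NR, key; found = 1 }
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# Constructed sample config (not taken from the bug report).
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
# NoneEnabled yes
  noneenabled yes
HPNDisabled=no
PermitRootLogin no
EOF

if hits=$(find_hpn_directives "$sample"); then
    echo "no HPN-only directives found"
else
    echo "a stock sshd would reject these lines:"
    echo "$hits"
fi
rm -f "$sample"
```

`sshd -t` validates the configuration only against the binary that is currently installed, so a scan like this is what catches lines a replacement stock package would reject.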