ls -alni /var/mail

Damien Miller djm at mindrot.org
Wed Apr 12 23:43:04 EST 2000


On Wed, 12 Apr 2000, Andre Lucas wrote:

> I don't mind helping out here, I suspect I have some code from
> earlier prng efforts that may be of use. Anyone else?

Thanks again.

> Have I read the seedfiles thing correctly? There is one seedfile for
> sshd, and one each per user in the ~/.ssh directory.

Correct.

> I think that raises a few questions, IIRC similar to those from the
> prng discussion before:
> 
> - How should the sshd seedfile be protected?

1. mode 0600 and some checks to ensure that it is owned by the 
correct user, etc.

2. RAND_add() it with a zero entropy estimate.

The main purpose of the seed file is to offset the problem posed in
your next question.

> - Should we consider the fact that we have multiple programs,
> oblivious to each other, pulling entropy from the same sources?

I agree that this is a problem. Part of the solution is ensuring that
there is a maximally wide variety of entropy sources and part of it
is the random seed mentioned above.

In the absence of kernel hooks to get timings, etc. from hardware
events, the best we can do is rely on secondary sources. I don't see
this as much of a step back - EGD does much the same thing.

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)
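
Added example, not part of the original message and not OpenSSH's own code: one way to do the seed file checks listed in the reply above (mode 0600, correct owner) before the bytes are handed to RAND_add() with a zero entropy estimate. The helper name seed_read_checked, the SEED_* codes and the default path "seedfile" are hypothetical; OpenSSL is not linked, so the RAND_add() call appears only in a comment.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for O_NOFOLLOW */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum { SEED_OPEN_FAILED = -1, SEED_NOT_REGULAR = -2,
       SEED_BAD_OWNER = -3, SEED_BAD_MODE = -4, SEED_READ_FAILED = -5 };

/* Hypothetical helper: read up to len bytes of a seed file into buf after
 * checking the file itself. Returns bytes read (>= 0) or a SEED_* error. */
long seed_read_checked(const char *path, uid_t owner,
                       unsigned char *buf, size_t len)
{
    struct stat st;
    ssize_t n;
    long rc;
    /* O_NOFOLLOW refuses a symlink at the seed path; O_NONBLOCK keeps a
     * FIFO placed there from hanging the open() call. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);

    if (fd < 0)
        return SEED_OPEN_FAILED;
    /* fstat() the open descriptor, not the path, so the checks apply to
     * the file that is actually read (no check-then-open race). */
    if (fstat(fd, &st) != 0)
        rc = SEED_OPEN_FAILED;
    else if (!S_ISREG(st.st_mode))
        rc = SEED_NOT_REGULAR;
    else if (st.st_uid != owner)
        rc = SEED_BAD_OWNER;
    else if (st.st_mode & (S_IRWXG | S_IRWXO))  /* any group/other bit set */
        rc = SEED_BAD_MODE;
    else if ((n = read(fd, buf, len)) < 0)
        rc = SEED_READ_FAILED;
    else
        rc = (long)n;
    close(fd);
    return rc;
}

int main(int argc, char **argv)
{
    unsigned char buf[1024];
    long n = seed_read_checked(argc > 1 ? argv[1] : "seedfile",
                               geteuid(), buf, sizeof buf);
    /* On success the caller would mix the bytes in with no entropy credit:
     *     RAND_add(buf, (int)n, 0.0);    (OpenSSL, not linked here) */
    printf("seed_read_checked returned %ld\n", n);
    return n < 0;
}
```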






More information about the openssh-unix-dev mailing list