sunos 4.1.4 Makefile and regex.[ch] fix

Loomis, Rip GILBERT.R.LOOMIS at saic.com
Fri Dec 8 07:52:49 EST 2000


Hmmm...

I've got at least one box here that has a similar problem (where doing an ls of e.g. /var/log just gets the same non-varying answer), since /var/log/ is a symlink to /u1/newvarlog to make up for a poor choice by a long-ago sysadmin.

I'm not sure whether the built-in entropy gathering notices that a particular command is a poor source of entropy. One solution is to have the ls be an "ls -alni /var/log/*" rather than /var/log, since /var/log/* will produce useful output even if /var/log is a symlink.

Is there any disadvantage that I'm unaware of to making this change to each of the ls lines in ssh_prng_cmds? Obviously /dev/random is a better thing in general, but...

Rip Loomis		Voice Number: (410) 953-6874
--------------------------------------------------------
Senior Security Engineer
Center for Information Security Technology
Science Applications International Corporation
http://www.cist.saic.com


> -----Original Message-----
> From: Ishikawa [mailto:ishikawa at yk.rim.or.jp]
> Sent: Thursday, December 07, 2000 11:50 AM
[[SNIP]]
> At the office, there is an old ss5 box running sunos 4.1.4.
> I have configured openssh using gcc on this machine.
> 
> In doing so, I found a few compilation and configuration problems.
[[SNIP]]
> This may be serious since the problem described here may apply to
> a wider installation base.
> Since SunOS 4.1.4 doesn't have (u)random devices, the sshd and ssh
> resort to a shell script installed in /usr/local/etc to 
> gather entropy for
> pseudo random number generation.
[[SNIP]]
> 
> Unfortunately, on SunOS, many ls commands in the scripts probably
> return the same data (just a symlink name with the same time stamp
> over and over; it won't descend into the target directory)
> and won't add much to the entropy.
> 
> I wonder if someone can figure out a way to
> modify the directory entries in the script so that
> the targets of the symlinks are placed in the
> installed copy instead of the original symlink names.
> 
> I manually modified the script, but wonder if an automatic way
> is better. Definitely yes, but I am not sure how to go about it.

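As an added example (not from this thread and not OpenSSH's own code), the POSIX sh script below reproduces the symlink problem described above and covers both things discussed in the thread: a check of whether a given ssh_prng_cmds command actually produces different output once the log directory changes, and a rewrite of ls lines whose directory argument is a symlink so that they read dir/* instead. It assumes the ssh_prng_cmds line format "command" /path/to/program estimated_bits (for instance "ls -alni /var/log" /bin/ls 0.02); the function names, the throwaway directory tree (newvarlog with a symlink named log) and the simulated log write are constructed for the example. GNU ls behaves like the SunOS ls here: ls -l of a symlink to a directory prints the link itself, not the directory contents, so the check shows "constant" for the symlink and "varies" for the glob.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenSSH): reproduce the
# "ls of a symlinked /var/log never changes" problem and apply the
# proposed ssh_prng_cmds fix.  Function names, the fixture layout and
# the sample ssh_prng_cmds lines are constructed for this example.

# Build a throwaway tree mirroring the post: a real log directory
# (newvarlog) and a symlink "log" pointing at it.  Prints the base dir.
make_fixture() {
    base=$(mktemp -d)
    mkdir "$base/newvarlog"
    printf 'boot\n' > "$base/newvarlog/messages"
    printf 'x\n' > "$base/newvarlog/syslog"
    ln -s "$base/newvarlog" "$base/log"
    echo "$base"
}

# Run an entropy-gathering command twice, appending to a log file in
# between (what a live system does all the time).  Prints "constant"
# when both runs gave byte-identical output, "varies" otherwise.
# "constant" means the command contributed nothing between the two
# runs, whatever bit estimate ssh_prng_cmds assigns to it.
prng_cmd_varies() {
    cmd=$1      # command string, the first field of a ssh_prng_cmds line
    logdir=$2   # real directory that receives the simulated log write
    out1=$(sh -c "$cmd" 2>/dev/null)
    printf 'another log line\n' >> "$logdir/messages"
    out2=$(sh -c "$cmd" 2>/dev/null)
    if [ "$out1" = "$out2" ]; then echo constant; else echo varies; fi
}

# Rewrite one ssh_prng_cmds line, assumed to look like
#   "ls -alni /var/log" /bin/ls 0.02
# If the command is ls and its last argument is a symlink to a
# directory, the argument becomes /var/log/* so the shell expands the
# glob through the link.  Every other line is printed unchanged.
fix_prng_line() {
    line=$1
    case "$line" in
        \"ls\ *) ;;                           # only quoted ls commands
        *) printf '%s\n' "$line"; return ;;
    esac
    cmd=${line#\"}; cmd=${cmd%%\"*}           # text between the quotes
    rest=${line#\"*\"}                        # program path and bit estimate
    target=${cmd##* }                         # last word of the ls command
    if [ -L "$target" ] && [ -d "$target" ]; then
        printf '"%s/*"%s\n' "$cmd" "$rest"
    else
        printf '%s\n' "$line"
    fi
}

# Demonstration on the fixture: the symlink form is "constant", the
# glob form "varies", and only the symlinked ls line gets rewritten.
base=$(make_fixture)
echo "ls -alni $base/log   : $(prng_cmd_varies "ls -alni $base/log" "$base/newvarlog")"
echo "ls -alni $base/log/* : $(prng_cmd_varies "ls -alni $base/log/*" "$base/newvarlog")"
fix_prng_line "\"ls -alni $base/log\" /bin/ls 0.02"
fix_prng_line '"w" /usr/bin/w 0.05'
rm -rf "$base"
```

The check only says whether the output changed between two runs; it says nothing about how much of that change an attacker could predict, so it catches a dead entry like the symlinked /var/log but does not validate the bit estimate on a line. The rewrite touches only the trailing argument of an ls command, which is enough for the ls lines in ssh_prng_cmds; a directory argument that sits in the middle of a command would need a hand edit.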