EGD requirement a show stopper for me
Ben Lindstrom
mouring at pconline.com
Thu Feb 3 03:10:17 EST 2000
On Wed, 2 Feb 2000, Dave Dykstra wrote:
> On Tue, Feb 01, 2000 at 03:00:20PM -0800, Gary E. Miller wrote:
[..]
> > The solution to this problem is to add entropy to your PNRG to make
> > it more truly random. That is why openssh wants to use /dev/random
> > or EGD at regular intervals. EGD is to much of a pig and /dev/random
> > requires kernel patching. So I agree with you that porting something
> > like EGD to C is the way to go.
>
> It's not enough to just port EGD to C, it needs to be integrated with
> openssh and very preferably not be a separate process. There's nothing
> inherently wrong with that, is there (ignoring for the moment the amount
> of work it would take)?
>
I think the main consern is if you have 5 clients all with their own
EGD built into OpenSSH. They could all be pulling the same entropy
and all coming up with pretty close to the same random numbers. Enough
that it could be used against the box in question.
<shrug> Or maybe I'm off.. That is what I see at this point. Since
the logic is all the same. And your feeding roughly the same data
into the function. Your going to get common results. Where as a
/dev/random or a single EGD process controls what each client gets
out of the entropy pool therefor the data should (if it's a good
sampling of entropy) be different.
More information about the openssh-unix-dev
mailing list