EGD requirement a show stopper for me
Dave Dykstra
dwd at bell-labs.com
Thu Feb 3 07:57:08 EST 2000
On Wed, Feb 02, 2000 at 12:12:08PM -0800, Gary E. Miller wrote:
> > I don't get why SSH 1.2.27 can do without /dev/random and EGD and yet
> > there's been no CERT advisories saying that that part of SSH is insecure.
> If you check the file randoms.c in the ssh 1.2.27 source you
> will see how they do it. They pull in entropy from not only /dev/random
> if it is available, but from a lot of other sources. Sources like:
> ps laxww
> ps -al
> ls -alni /tmp/.
> w
> netstat -s
> netstat -an
> netstat -in
>
> As you can see, ssh is pretty paranoid about having a good random
> seed.
Note that random_acquire_environmental_noise() is only called if there is
no seed file. After that they frequently mix the seed file with
random_acquire_light_environmental_noise(). OpenSSH could do something
like that and avoid a separate process.
- Dave Dykstra
More information about the openssh-unix-dev
mailing list