Problem compiling 1.2.2 on solaris
Damien Miller
djm at mindrot.org
Wed Feb 16 07:11:17 EST 2000
On 15 Feb 2000, Morten Eriksen wrote:
> Here's a patch I've written which makes the code fall back on srand()
> and rand() if neither /dev/urandom nor the EGD is available.
>
> Note that this has implications for the security of your ssh/sshd
> installation, and if I've understood the discussion from last week
> correctly, something like this will never actually make it into the
> distribution -- not even only as a last resort fallback.
Please don't use such patches, they completely ruin OpenSSH's
cryptographic security.
The crypto in OpenSSH needs good, hard to predict random numbers. We
prefer that such random numbers come from a range of difficult to
guess sources such as interrupt timings, keystroke and mouse event
times, etc. The free Unices kernel random number pools do a great job
of collecting and aggregating these sources.
EGD is patterned after these designs, but it doesn't have access to
the wide variety of entropy sources that the kernel does. Still, it
uses good algorithms to aggregate the entropy it does collect and
maintains a fairly large pool.
On the other hand, libc's rand functions use a linear congruential
generator to generate their "random" numbers. Such functions are very
simple [r=(a+b)%p;a=r; IIRC] and vary easy to reverse. You probably
wouldn't need to reverse it anyway - most rand() functions only have
32 bits of state and they are usually seeded with the current system
time and/or pid, both of which are available to an attacker.
Work is underway to port Schneier and Kelsey's Yarrow PRNG code from
Windows to a Unix library. When this is done and audited, it will
probably replace EGD in OpenSSH.
Regards,
Damien Miller
--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)
More information about the openssh-unix-dev
mailing list