Problem compiling 1.2.2 on solaris
Niels Provos
provos at citi.umich.edu
Wed Feb 16 13:00:08 EST 2000
In message <51k8k6secr.fsf at trh.sim.no>, Morten Eriksen writes:
>Here's a patch I've written which makes the code fall back on srand()
>and rand() if neither /dev/urandom nor the EGD is available.
>
>Note that this has implications for the security of your ssh/sshd
>installation, and if I've understood the discussion from last week
>correctly, something like this will never actually make it into the
>distribution -- not even only as a last resort fallback.
I am sorry. It seems to me that you understand why using such
a patch is completely wrong. So, why do you post it here? If there
is no way to get good randomness than openssh should terminate.
Your operating system should provide application programs with a source
of randomness. If it doesnt, than it needs to be fixed.
You might want to look into a user provided one-time randomness file.
While not perfect, it is certainly better than using rand().
Niels.
More information about the openssh-unix-dev
mailing list