/dev/urandom

Andre Lucas andre.lucas at dial.pipex.com
Fri Jan 14 04:34:10 EST 2000


On Thu, Jan 13, 2000 at 09:24:01AM -0700, SysProg - Nathan Paul Simons wrote:
> On Thu, 13 Jan 2000, Ben Taylor wrote:
> 
> > On Thu, 13 Jan 2000, Max Shaposhnikov wrote:
> > > why ssh1.27 doesn't require /dev/urandom on solaris?
> 
> 	I think the commercial ssh uses a one time generated random
> seed file.  If I remember, it asks you to bang on the keyboard until it
> gets enough entropy, like PGP.  It also might have its own internal code
> that does the same thing egd or /dev/urandom on linux does.

It works like EGD. In SSH 1.2.27, it hashes the output of various system
state commands (e.g. ps, ls -alni /tmp, w, netstat). Check out
randoms.c.

In SSH 2.0.9, it doesn't run commands (all those fork()s can't have been
too good for the program's efficiency...) but instead pulls in entropy
from sources like /dev/random, system clock, getrusage(), etc.

To be honest, the entropy pool doesn't look to be that large, even in
v2. If your system doesn't have getrusage then (at first glance, ok?)
it looks like they're using the system clock and the saved state as IVs,
which doesn't seem very random at all. They're getting a less thorough
stir than with EGD, too.

> 
> > > what alternatives exist?
> > 
> > None, that I'm aware of.  I don't do a whole lot with crypto
> > since I'm in the USA. (Legal stuff, and all that, besides
> > I'm *not* a mathematician...) :-)
> > 
> > I suppose that someone could port the /dev/urandom stuff to
> > Solaris.  It would definitely be less memory intensive, I 
> > suspect.
> 

One could also reimplement something like EGD in C rather than Perl. I
think EGD is rather more thorough than the SSH system entropy-based
generator - it doesn't seem to have changed a great deal in v2 - which
is a good thing.

There's not really any extra trust gained in making kernel modules since
they're from a third party, so a user space program is equally
(un)trustworthy, and a lot more likely to be portable.

Regs,
-Andre

> 	Hmm, I wonder how hard it would be to write a kernel module for
> Solaris.  They wrote a module for netatalk that seems to work pretty well,
> but I'm not all too familiar with Solaris internals.
> 
> Systems Programmer - Nathan Paul Simons
> http://www.nmt.edu/~enigma   Speare 20   x5748
> 
> 

-- 
Andre Lucas <andre.lucas at dial.pipex.com>
http://dspace.dial.pipex.com/andre.lucas/
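
The two gathering styles discussed in the message above (hashing the output of system state commands, versus pulling from the clock, getrusage() and a saved state), as an added example that is not part of the original post and is not code from SSH or EGD. SHA-256, the `EntropyPool` class, `gather()` and the seed value are assumptions made for illustration.

```python
import hashlib
import resource
import subprocess
import time

# Commands named in the post; any that are missing or too slow are skipped.
COMMANDS = [["ps"], ["ls", "-alni", "/tmp"], ["w"], ["netstat"]]

class EntropyPool:
    """Hypothetical pool: every input is stirred into one running hash."""

    def __init__(self, saved_state=b""):
        self._h = hashlib.sha256(saved_state)
        self.sources = []  # names of the sources that really contributed

    def add(self, name, data):
        # Length-prefix each field so ("ab", "c") and ("a", "bc") differ.
        for part in (name.encode(), data):
            self._h.update(len(part).to_bytes(4, "big") + part)
        self.sources.append(name)

    def add_command(self, argv, timeout=5):
        # Command-output style: one fork/exec per source.
        try:
            out = subprocess.run(argv, stdin=subprocess.DEVNULL,
                                 capture_output=True, timeout=timeout).stdout
        except (OSError, subprocess.SubprocessError):
            return False  # missing or hung command adds nothing
        self.add(" ".join(argv), out)
        return True

    def add_cheap_sources(self):
        # No-fork style: clock and getrusage() only.
        self.add("clock", str(time.time_ns()).encode())
        usage = resource.getrusage(resource.RUSAGE_SELF)
        self.add("getrusage", repr(usage).encode())

    def digest(self):
        return self._h.copy().digest()

def gather(saved_state=b"", run_commands=True):
    pool = EntropyPool(saved_state)
    if run_commands:
        for argv in COMMANDS:
            pool.add_command(argv)
    pool.add_cheap_sources()
    return pool

if __name__ == "__main__":
    p = gather(b"constructed-seed")  # constructed saved state
    print(p.sources, p.digest().hex())
```

The `sources` list is the thing to audit: the digest is always 256 bits long, however little unpredictable input actually reached the pool.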





More information about the openssh-unix-dev mailing list