EGD requirement a show stopper for me
Dave Dykstra
dwd at bell-labs.com
Fri Jan 28 09:33:06 EST 2000
On Thu, Jan 13, 2000 at 17:34:10, Andre Lucas wrote:
> Subject: /dev/urandom
> On Thu, Jan 13, 2000 at 09:24:01AM -0700, SysProg - Nathan Paul Simons wrote:
> > On Thu, 13 Jan 2000, Ben Taylor wrote:
> >
> > > On Thu, 13 Jan 2000, Max Shaposhnikov wrote:
> > > > why ssh1.27 doesn't require /dev/urandom on solaris?
> >
> > I think the commercial ssh uses a one time generated random
> > seed file. If I remember, it asks you to bang on the keyboard until it
> > gets enough entropy, like PGP. It also might have its own internal code
> > that does the same thing egd or /dev/urandom on linux does.
>
> It works like EGD. In SSH 1.2.27, it hashes the output of various system
> state commands (e.g. ps, ls -alni /tmp, w, netstat). Check out
> randoms.c.
>
> In SSH 2.0.9, it doesn't run commands (all those fork()s can't have been
> too good for the program's efficiency...) but instead pulls in entropy
> from sources like /dev/random, system clock, getrusage(), etc.
>
> To be honest, the entropy pool doesn't look to be that large, even in
> v2. If your system doesn't have getrusage then (at first glance, ok?)
> looks like they're using the system clock and the saved state as IVs,
> which doesn't seem very random at all. They're getting a less thorough
> stir than with EGD, too.
The memory requirement isn't the worst problem for me: I currently
distribute the ssh 1.2.27 client via a non-root user id *very* widely
throughout my company (on 8 unix variants), and there isn't any reasonable
way for me to start a shared long-running process on every machine that may
run ssh. It's not a problem for the machines that are running sshd, since
that has to run as root anyway, but it is a big problem on machines that
run the ssh client only. I could start a shared process on the servers
that receive the distribution under my non-root user id, but that doesn't
help for all the workstations that nfs-mount the package from servers.
I need a mechanism like the one used in commercial ssh, where the random
seed is saved in a file.
- Dave Dykstra
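
The saved-seed-file approach requested in this message, shown as an added Python example; it is not code from commercial ssh, OpenSSH, or the original post. The function names, the per-user seed path, and the SHA-256/HMAC construction are assumptions chosen for illustration, and the first-run entropy is assumed to come from the caller (for instance keyboard input, as described in the quoted text).

```python
import hashlib, hmac, os, stat, time

SEED_LEN = 32  # bytes of state kept in the seed file (assumed size)

def _volatile_state() -> bytes:
    # Low-entropy inputs of the kind named in the thread (clock, process
    # statistics). They only stir the pool; they are not a source of secrecy.
    return repr((time.time_ns(), os.getpid(), os.times())).encode()

def load_seed(path: str) -> bytes:
    """Read the saved seed, refusing a file other users could read or write."""
    st = os.stat(path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path}: seed file must be mode 0600")
    with open(path, "rb") as f:
        seed = f.read()
    if len(seed) != SEED_LEN:
        raise ValueError(f"{path}: truncated or corrupt seed file")
    return seed

def save_seed(path: str, seed: bytes) -> None:
    """Write the seed to a new 0600 temp file, then rename it into place."""
    tmp = f"{path}.{os.getpid()}.tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(seed)
    os.replace(tmp, path)

def random_key(path: str, initial_entropy: bytes = b"") -> bytes:
    """Return 32 bytes for this run and roll the seed file forward."""
    if os.path.exists(path):
        old = load_seed(path)
    elif len(initial_entropy) >= SEED_LEN:
        old = hashlib.sha256(initial_entropy).digest()  # first run only
    else:
        raise RuntimeError("no seed file and no initial entropy supplied")
    pool = hashlib.sha256(old + _volatile_state()).digest()
    # Separate labels: the bytes saved to disk never equal the bytes handed
    # out, and the previous seed cannot be computed from the new file.
    save_seed(path, hmac.new(pool, b"next-seed", hashlib.sha256).digest())
    return hmac.new(pool, b"output", hashlib.sha256).digest()
```

The seed file belongs in each user's own directory rather than in the NFS-mounted package, since every client sharing one file would start from the same state.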