Variable path to ssh_prng_cmds?
mouring at etoh.eviladmin.org
Wed Apr 11 22:51:46 EST 2001
On Wed, 11 Apr 2001 Armin.Kunaschik at varetis.de wrote:
>
> >You are better off using PRNGd[1] rather than portable OpenSSH's
> >own RNG. It is more secure, reduces your system load and is more
> >configurable.
> I'm not sure if I understand this. I have checked PRNGd out... it uses the
> same scheme (output from various system commands) to get random
> bytes. This should cause the same amount of system load!?
It's less load because it's a long-lived process. Which means it can
gather entropy across ssh/sshd startup and shutdown. Which means you get
higher quality entropy without having the same 15 commands spawned at the
beginning of each session.
> I don't know if it's more secure... but the amount of work is higher,
> especially in a heterogeneous environment. Therefore I would prefer
> the built-in feature...
> Are there any plans to include the PRNGd functionality into OpenSSH?
>
PRNGd was derived from OpenSSH portable work, but no, it will not merge back
into OpenSSH. Sure it is. You can run PRNGd as a normal user if you
wish. And you avoid spawning off random commands as root or as a setuid
user (ssh).
- Ben