[Bug 13] Need faster ssh startup when no /dev/random or prngd available

Dave Dykstra dwd at bell-labs.com
Thu Dec 13 01:53:09 EST 2001


On Wed, Dec 12, 2001 at 11:46:43AM +1100, bugzilla-daemon at mindrot.org wrote:
> http://bugzilla.mindrot.org/show_bug.cgi?id=13
> 
> djm at mindrot.org changed:
> 
>            What    |Removed                     |Added
> ----------------------------------------------------------------------------
>            Severity|normal                      |enhancement
> 
> 
> 
> ------- Additional Comments From djm at mindrot.org  2001-12-12 11:46 -------
> I don't like this - you could easily end up in a situation where you end up
> using  essentially the same seed over and over again.


I put the following response into bugzilla, but for some reason it
didn't send email to anybody:




------- Additional Comments From Dave Dykstra 2001-12-13 01:31 -------

No, that's not true, because every startup still adds small amounts of easily
gathered entropy.  You could argue that that means people could guess all the
possibilities and try them all, but they can't because they do not know the
contents of the seed file which was originally generated from a large amount
of entropy.  The only added risk is that somebody may get hold of the seed
file, but if the ~/.ssh directory is not secured someone could easily break
in anyway, so I maintain that it doesn't add any more overall risk.  There is
no way for someone to guess the contents of the seed file by examining network
traffic because the pseudo-random number generation process is not reversible.
As an added protection, the seed file is re-written with additional entropy
mixed in each time ssh is run.

You don't have to rely on just my arguments, either: the SSH 1.2.* series did
this and there were never any CERT advisories nor complaints from crypto experts
about it, and pointing out SSH weaknesses has brought fame to many of them,
so I'm sure that if there was a weakness here you would have heard about it.
Also, GnuPG does essentially the same thing on systems that don't have
/dev/random.
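The following is an illustrative sketch of the seed-file scheme described above, added here as an example; it is not code from OpenSSH, the SSH 1.2.* series or GnuPG. The mixing construction (SHA-256 to fold the seed and fresh bits into a state, HMAC-SHA256 in counter mode for output, a domain-separated hash for the rewritten seed), the seed file name and all function names are my own assumptions. The `demo()` function also exercises the objection in the quoted bugzilla comment: with the same stored seed and the same cheap per-run entropy the output stream repeats, and it is the rewrite of the seed file after every run that breaks that repetition.

```python
import hashlib
import hmac
import os
import shutil
import struct
import tempfile
import time

SEED_LEN = 32  # assumed seed file size; not a value taken from any ssh release


def cheap_entropy() -> bytes:
    """Small, easily gathered per-run entropy (wall clock and pid) as the
    post describes; on its own this is guessable, which is why the secret
    seed file carries the real entropy."""
    return struct.pack("<dI", time.time(), os.getpid())


def mix(seed: bytes, fresh: bytes) -> bytes:
    """Working PRNG state = H(seed || fresh).  SHA-256 is one-way, so neither
    the state nor anything derived from it reveals the seed file contents."""
    return hashlib.sha256(b"mix|" + seed + b"|" + fresh).digest()


def expand(state: bytes, n: int) -> bytes:
    """Counter-mode HMAC expansion of the state into n output bytes (the
    bytes ssh would consume for keys, nonces, padding)."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hmac.new(state, b"out|" + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:n])


def next_seed(state: bytes, fresh: bytes) -> bytes:
    """Seed to write back: the state with more fresh bits folded in, under a
    different label than the output stream so outputs never equal the seed."""
    return hashlib.sha256(b"reseed|" + state + b"|" + fresh).digest()


def read_seed(path: str) -> bytes:
    """Load the stored seed; on the very first run fall back to the OS RNG as a
    stand-in for the one-time, expensive entropy gathering the post mentions."""
    try:
        with open(path, "rb") as f:
            seed = f.read()
    except FileNotFoundError:
        seed = b""
    if len(seed) != SEED_LEN:
        seed = os.urandom(SEED_LEN)
    return seed


def write_seed(path: str, seed: bytes) -> None:
    """Atomically replace the seed file, created mode 0600: the whole scheme
    rests on this file staying private to the user."""
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(seed)
    os.replace(tmp, path)


def ssh_startup(path: str, n: int, fresh=None) -> bytes:
    """One program run: read seed, mix in cheap entropy, emit n bytes, and
    rewrite the seed so the next run starts from different secret state."""
    if fresh is None:
        fresh = cheap_entropy()
    state = mix(read_seed(path), fresh)
    output = expand(state, n)
    write_seed(path, next_seed(state, fresh))
    return output


def demo(fresh: bytes = b"same cheap entropy every run") -> dict:
    """Two runs fed identical cheap entropy (constructed input, the worst case
    for the objection in the thread).  Without the seed rewrite the stream
    would repeat; with it, the second run differs from the first."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "prng_seed")
    try:
        first = ssh_startup(path, 16, fresh)
        # Re-derive from the seed the first run wrote, to show the rewrite is
        # what changed, not the cheap entropy.
        with open(path, "rb") as f:
            rewritten_seed = f.read()
        second = ssh_startup(path, 16, fresh)
        mode = os.stat(path).st_mode & 0o777
    finally:
        shutil.rmtree(workdir)
    frozen = bytes(SEED_LEN)  # a seed that is never rewritten
    return {
        "without_rewrite_repeats": expand(mix(frozen, fresh), 16) == expand(mix(frozen, fresh), 16),
        "with_rewrite_differs": first != second,
        "second_matches_rewritten_seed": second == expand(mix(rewritten_seed, fresh), 16),
        "seed_mode": mode,
    }
```

Note what the sketch does and does not defend against: an observer of the output stream learns nothing about the seed (hash pre-image resistance), and the rewrite means two runs only collide if an attacker already holds the seed file, in which case, as the post says, the ~/.ssh directory is already lost. Guessing the cheap entropy alone is of no help without the seed.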


