Killing the builtin entropy code
mouring at etoh.eviladmin.org
Fri Dec 21 15:06:43 EST 2001
On Thu, 20 Dec 2001, Jim Knoble wrote:
> Circa 2001-Dec-21 12:10:18 +1100 dixit Damien Miller:
[..]
> [...]
>
> : If OpenSSL isn't seeded, we will fork+suid(user)+exec a subprocess
> : "ssh-rand-helper" which will return 64 bytes of randomness to stdout.
> : This will be used to seed OpenSSL's PRNG. 512 bits should be enough
> : for anyone :)
>
> Obviously, we'd only suid(user) for sshd, not for e.g. ssh, ssh-agent,
> or ssh-keygen.
>
Do we? ssh can be setuid. And IIRC the current place we seed the random
number still has root privs. So ssh and sshd could need to drop
privs accordingly.
- Ben
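
The fork + drop privileges + exec flow discussed in this thread, as an added example (not OpenSSH code and not part of the original message). The names `read_helper_seed` and `drop_privs` are hypothetical, and the helper is assumed to be given as an absolute path in `argv[0]` and to write exactly 64 bytes to stdout.

```c
#define _DEFAULT_SOURCE          /* for setgroups() on glibc */
#include <sys/types.h>
#include <sys/wait.h>
#include <grp.h>
#include <unistd.h>

#define SEED_LEN 64              /* the thread's "64 bytes of randomness" */

/* Permanently become uid/gid. Order matters: groups, then gid, then uid. */
static int drop_privs(uid_t uid, gid_t gid)
{
    if (getuid() == uid && geteuid() == uid && getgid() == gid && getegid() == gid)
        return 0;                /* already the target identity (non-setuid ssh) */
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify the drop stuck and cannot be undone. */
    if (uid != 0 && (setuid(0) == 0 || getuid() != uid || geteuid() != uid))
        return -1;
    return 0;
}

/* Fork, drop privileges in the child, exec the helper and read SEED_LEN
 * bytes from its stdout. Returns 0 on success, -1 on failure or short read. */
int read_helper_seed(char *const argv[], uid_t uid, gid_t gid, unsigned char *seed)
{
    int p[2], status;
    size_t got = 0;
    ssize_t n;
    pid_t pid;

    if (pipe(p) != 0) return -1;
    if ((pid = fork()) < 0) { close(p[0]); close(p[1]); return -1; }
    if (pid == 0) {              /* child: never exec with the parent's privs */
        close(p[0]);
        if (drop_privs(uid, gid) != 0 || dup2(p[1], STDOUT_FILENO) < 0)
            _exit(126);
        execv(argv[0], argv);    /* absolute path, no PATH search */
        _exit(127);
    }
    close(p[1]);
    while (got < SEED_LEN && (n = read(p[0], seed + got, SEED_LEN - got)) > 0)
        got += (size_t)n;
    close(p[0]);
    if (waitpid(pid, &status, 0) != pid) return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) return -1;
    return got == SEED_LEN ? 0 : -1;   /* a short seed is treated as failure */
}
```

For sshd the caller would pass the target user's uid and gid; for a setuid ssh it would pass `getuid()` and `getgid()`, which is the case raised in the reply above.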