Killing the builtin entropy code
mouring at etoh.eviladmin.org
mouring at etoh.eviladmin.org
Sat Dec 22 04:48:47 EST 2001
Umm... Unless you are doing Vhost by IP.. OpenSSH has no clue if
you selected mysite.whatever.com vs yoursite.whatever.com if they
have the same IP. Therefor it is silly to add such features.
- Ben
On 21 Dec 2001, Austin Gonyou wrote:
> I like the idea of doing this, and also doing something like mod_ssl for
> apache does?
>
> There is a subsection in httpd.conf that says what to use for entropy,
> and there can be many different types specified. Perhaps the final
> output could be a more configureable openssh with virtual hosts and the
> whole bit? This would allow different types of ciphers, and such to be
> used, but on a per virt host basis?
>
> Is that something that could be potentially bad? Just curious.
>
> On Thu, 2001-12-20 at 19:10, Damien Miller wrote:
> > Over the holidays, I intend to finally rid portable OpenSSH of the
> > builtin entropy collection code. Here's what I intend to do:
> >
> > When init_rng is called, we'll check OpenSSL's RAND_status(). If this
> > indicates that their PRNG is already seeded, we'll do nothing. This
> > effectively detects platforms which have /dev/urandom (or similar)
> > configured into OpenSSL.
> >
> > If OpenSSL isn't seeded, we will fork+suid(user)+exec a subprocess
> > "ssh-rand-helper" which will return 64 bytes of randomness to stdout.
> > This will be used to seed OpenSSL's PRNG. 512 bits should be enough
> > for anyone :)
> >
> > ssh-rand-helper may be a program which fetches randomness from PRNGd,
> > it could be a Yarrow implementation or it could be an adaptation of the
> > current entropy code to run in a one-shot mode. I'll certainly implement
> >
> > a PRNGd ssh-rand-helper, if time permits I'll do one of the others.
> >
> > This takes all the responsability out of OpenSSH for collecting random
> > numbers and allows sites to implement whatever fallbacks they require
> > using wrappers around ssh-rand-helper (which could be shell scripts).
> >
> > Comments?
> >
> > -d
> >
> > --
> > | By convention there is color, \\ Damien Miller <djm at mindrot.org>
> > | By convention sweetness, By convention bitterness, \\ www.mindrot.org
> > | But in reality there are atoms and space - Democritus (c. 400 BCE)
> --
> Austin Gonyou
> Systems Architect, CCNA
> Coremetrics, Inc.
> Phone: 512-698-7250
> email: austin at coremetrics.com
>
> "Have regard for your name, since it will remain for you longer than a
> great store of gold."
> Ecclesiastes, Aprocrypha
>
More information about the openssh-unix-dev
mailing list