Patch to enable multiple possible sources of entropy

mouring at etoh.eviladmin.org
Sun Jun 24 17:19:23 EST 2001


To let you know I'm not ignoring this.  Damien has code like this already
from the sounds of it.  Just working out minor details of how to deal with
ssh-keygen, etc which don't read the sshd_config nor ssh_config for the
admin's preferred order of entropy gathering.

- Ben

On Mon, 11 Jun 2001, Dave Dykstra wrote:

> On Sun, Jun 10, 2001 at 10:41:14PM -0400, Michael Stone wrote:
> > On Sun, Jun 10, 2001 at 12:49:18PM -0500, mouring at etoh.eviladmin.org wrote:
> > > Hmm.. my only complaints about the patch is that seed_rng and init_rng are
> > > pretty unreadable due to #ifdef/#end
>
> I could make it a lot more readable by having it always do access() to
> probe for RANDOM_POOL and PRNGD_SOCKET even if one of them is the only
> choice.  I initially elected to trade off exact compatibility for
> readability, but I'd be happy to change it.  I've included the more
> readable init_rng() below for you to take a look at.  The difference is
> that even if only one of RANDOM_POOL or PRNGD_SOCKET is compiled in, if it
> isn't there the error message will be the more generic
>     Couldn't find source for random number generator seed
> rather than a message about the problem accessing the specific source.  I
> put in some debug level 2 messages to help debugging that case (those are
> good even if you choose to keep the extra ifdefs), and I slightly improved
> the fatal error message.
>
> Also, the ifdefs for PRNGD_SOCKET and USE_BUILTIN_ENTROPY do not really
> need to be in the else case of PRNGD_PORT because configure enforces that
> already, but I think it's more understandable this way.
>
>
>
> > > and that I don't know if I like the
> > > idea of ssh/sshd stepping down in entropy quality on a whim.  Which is
> > > what this patch would do if for some odd reason prngd is offline at
> > > startup of sshd/ssh.
> >
> > What if there were some kind of warning message? We've already seen the
> > obnoxious key-is-1023 message, what's one more?
>
> I don't mind a debug message but I really would not want a warning message
> because that's going to be the normal case on a lot of my systems.  My
> answer is that most likely even if prngd is offline, the PRNGD_SOCKET will
> still exist even though there's no process listening on the other side.  In
> that case, ssh will go ahead into the prngd_get_random_bytes case but get a
> Connection Refused error (this happened during my testing).
>
> Another idea would be to improve the fatal error message by saving some
> information when the access() calls fail rather than just printing debug
> messages.  For example, there could be a variable that points to the error
> message to use if it gets to the fatal condition at the end.  Do you like
> that better?  I don't think that complication is necessary.
>
>
> > Obviously the entropy
> > requirement depends on the application, but there are a lot of machines
> > where I'm far more concerned about not getting in at all (because prngd
> > is busted) than I am about bad entropy in that case. It's no worse than
> > if prngd weren't being used at all, and might make it easier to accept
> > prngd.
>
> Good point.
>
> - Dave Dykstra
>
>
> ------ more readable init_rng() follows ------------------------
>
> void
> init_rng(void)
> {
> 	check_openssl_version();
>
> #ifdef RANDOM_POOL
> 	if (access(RANDOM_POOL, F_OK) == 0) {
> 		seed_source = POOL_SOURCE;
> 		return;
> 	}
> 	else {
> 		debug2("Random pool %s does not exist", RANDOM_POOL);
> 	}
> #endif /* RANDOM_POOL */
>
> /* it's not trivial to probe for an open port so just make it
>  *  take priority over the other sources if it is defined
>  */
> #ifdef PRNGD_PORT
> 	seed_source = PRNGD_SOURCE;
> #else
>
> #ifdef PRNGD_SOCKET
> 	if (access(PRNGD_SOCKET, F_OK) == 0) {
> 		seed_source = PRNGD_SOURCE;
> 		return;
> 	}
> 	else {
> 		debug2("Entropy socket %s does not exist", PRNGD_SOCKET);
> 	}
> #endif /* PRNGD_SOCKET */
>
> #ifdef USE_BUILTIN_ENTROPY
> 	seed_source = BUILTIN_SOURCE;
> 	prng_init_rng();
> #endif
>
> #endif /* PRNGD_PORT */
>
> 	if (seed_source == 0)
> 		fatal("Couldn't find entropy source for random number generator");
> }
>

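The following is an added example written for this page; it is not code from the quoted message, from Dave's patch, or from OpenSSH. It combines two points raised in the exchange above: keeping the reason each source was rejected so the final fatal message is specific rather than only emitting debug2 output, and Dave's observation that the PRNGD_SOCKET file can still exist when prngd itself is offline, so a probe that only uses access() goes on to a Connection Refused error. Instead of access() the example does a real connect(2) on the socket path, which tells a missing file (ENOENT), a stale file with no listener (ECONNREFUSED) and a live prngd apart at probe time. The struct, the function names (rng_probe, init_rng_probe, probe_prngd_socket, make_fake_prngd) and the fake-prngd helper are invented for the illustration, and the compile-time #ifdefs of the original are replaced with NULL/nonzero fields so one build can exercise every branch. The PRNGD_PORT (TCP) case is left out because, as the quoted comment says, it is not trivially probeable.

```c
/* Added example (not OpenSSH or Dave's patch code): probe the entropy
 * sources in priority order, try a real connect(2) on the prngd socket
 * instead of access(2), and record why each source was rejected so the
 * final fatal message can be specific.  All names here are invented. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

enum seed_source { NO_SOURCE = 0, POOL_SOURCE, PRNGD_SOURCE, BUILTIN_SOURCE };

struct rng_probe {
    const char *random_pool;  /* e.g. "/dev/urandom"; NULL if not compiled in */
    const char *prngd_socket; /* e.g. "/var/run/egd-pool"; NULL if not compiled in */
    int use_builtin;          /* nonzero if the builtin gatherer is compiled in */
    enum seed_source source;  /* set by init_rng_probe() */
    char why[256];            /* "what path: reason; ..." for the fatal message */
};

/* Append one rejection reason to p->why (silently truncated when full). */
static void note_failure(struct rng_probe *p, const char *what,
                         const char *path, int err)
{
    size_t len = strlen(p->why);
    snprintf(p->why + len, sizeof(p->why) - len, "%s %s: %s; ",
             what, path, strerror(err));
}

/* Fill a sockaddr_un; paths longer than sun_path are truncated. */
static void unix_addr(struct sockaddr_un *sun, const char *path)
{
    memset(sun, 0, sizeof(*sun));
    sun->sun_family = AF_UNIX;
    strncpy(sun->sun_path, path, sizeof(sun->sun_path) - 1);
}

/* access(2) only proves the socket file exists.  connect(2) distinguishes
 * a missing file (ENOENT), a stale file with no listener (ECONNREFUSED)
 * and a live prngd (success).  Returns 0 on success, -1 with *err set. */
int probe_prngd_socket(const char *path, int *err)
{
    struct sockaddr_un sun;
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);

    if (fd < 0) { *err = errno; return -1; }
    unix_addr(&sun, path);
    if (connect(fd, (struct sockaddr *)&sun, sizeof(sun)) < 0) {
        *err = errno;
        close(fd);
        return -1;
    }
    close(fd);
    return 0;
}

/* Same priority as the patch: random pool, then prngd, then builtin.
 * R_OK rather than F_OK, since an unreadable pool is useless to us. */
enum seed_source init_rng_probe(struct rng_probe *p)
{
    int err;

    p->source = NO_SOURCE;
    p->why[0] = '\0';
    if (p->random_pool != NULL) {
        if (access(p->random_pool, R_OK) == 0)
            return p->source = POOL_SOURCE;
        note_failure(p, "random pool", p->random_pool, errno);
    }
    if (p->prngd_socket != NULL) {
        if (probe_prngd_socket(p->prngd_socket, &err) == 0)
            return p->source = PRNGD_SOURCE;
        note_failure(p, "prngd socket", p->prngd_socket, err);
    }
    if (p->use_builtin)
        return p->source = BUILTIN_SOURCE;
    /* caller: fatal("Couldn't find entropy source: %s", p->why); */
    return NO_SOURCE;
}

/* Stand-in for prngd: bind a Unix socket at path and, when listening is
 * nonzero, listen on it.  With listening == 0 the file exists but every
 * connect(2) is refused, which is the "prngd is offline" case from the
 * thread.  Returns the fd, or -1. */
int make_fake_prngd(const char *path, int listening)
{
    struct sockaddr_un sun;
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);

    if (fd < 0) return -1;
    unlink(path);
    unix_addr(&sun, path);
    if (bind(fd, (struct sockaddr *)&sun, sizeof(sun)) < 0 ||
        (listening && listen(fd, 1) < 0)) {
        close(fd);
        return -1;
    }
    return fd;
}
```

To try it, fill an rng_probe with the configured paths, call init_rng_probe(), and on NO_SOURCE pass p.why to the fatal message; with make_fake_prngd(path, 0) bound at the socket path the probe reports "Connection refused" for that source instead of the generic "Couldn't find source" message, and with make_fake_prngd(path, 1) it selects PRNGD_SOURCE. Note that the probe still does not verify that whatever answered on the socket speaks the EGD protocol; that check belongs in the actual seed read, where the original code already handles errors.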