RFE: Portable OpenSSH
Dan Kaminsky
dankamin at cisco.com
Wed Mar 28 07:10:20 EST 2001
> Yep. I've had trouble convincing people it's superior simply because it
> takes more stuff.
Tell me about it.
> Here's a really bad idea that might get people thinking of better
> solutions along this line:
>
> Why not include PRNGd source with OpenSSH, install it, and if sshd
> fails to get any entropy, start PRNGd and try again? It doesn't
> work for client-only ssh usage (though if the ssh command is setuid,
> it could, but that's probably a really bad idea for other reasons).
Source dependency. I don't put compilers on production machines if I can
avoid it. prngd source *should* be included, incidentally, or else people
can't use SSHD if prngd ever disappears / is forgotten to be downloaded.
You still have the problem of lots of people running long-lasting daemons
that hammer the kernel trying to tweak entropy out of it, or lots of people
depending on root (do we make sure it's root or same-user owned socket?) to
create an entropy source.
I like the functionality. I just can't depend on it, especially when I
don't need to. SSH needs to just work--that's one of its primary missions.
Yours Truly,
Dan Kaminsky, CISSP