RFE: Portable OpenSSH

Dan Kaminsky dankamin at cisco.com
Wed Mar 28 07:10:20 EST 2001

> Yep.  I've had trouble convincing people it's superior simply because it
> takes more stuff.

Tell me about it.

> Here's a really bad idea that might get people thinking of better
> along this line:
> Why not include PRNGd source with OpenSSH, install it, and if sshd
> fails to get any entropy, start PRNGd and try again?  It doesn't
> work for client-only ssh usage (though if the ssh command is setuid,
> it could, but that's probably a really bad idea for other reasons).

Source dependancy.  I dont put compilers on production machines if I can
avoid it.  prngd source *should* be included, incidentally, or else people
can't use SSHD if prngd ever disappears / is forgotten to be downloaded.

You still have the problem of lots of people running long-lasting daemons
that hammer the kernel trying to tweak entropy out of it, or lots of people
depending on root (do we make sure its root or same-user owned socket?) to
create an entropy source.

I like the functionality.  I just can't depend on it, especially when I
don't need to.  SSH needs to just work--that's one of its primary missions.

Yours Truly,

    Dan Kaminsky, CISSP

More information about the openssh-unix-dev mailing list