RFE: Portable OpenSSH

Dan Kaminsky dankamin at cisco.com
Wed Mar 28 11:58:27 EST 2001

> OpenSSH grabs it every time it runs, with a daemon you have to opportunity
> to take advantage of its long lifespan and spead the collection over a
> longer time period. This results in fewer load spikes and better quality
> entropy.

A definite advantage.  Clearly the right way to do it.

Once security is handled, compatibility trumps performance.  Remember--SSH
is not the fastest crypto solution, but it sure is the most compatible.

> You need to build different packages for different system environments.
> I see this as no different to systems which have libc differing in
> major number.

Reasonable argument for the downgrade.  Unreasonable for the upgrade--I
shouldn't need to recompile all the apps on a machine just because I got a
better source of entropy.

The *only* time compile time checks are superior is when you're trying to
avoid including a library you do not possess.  All other times, its better
to not have to recompile.

> I don't see why mandating it is a problem. It is a _one off_ installation
> which may be used by more than OpenSSH (OpenSSL supports it too, as does
> postfix-tls, as does GPG).

prngd will be useful for alot of things.  It's good software, I'm happy it
exists.  Depending on it, however, violates "Don't Make It Worse".  We want
to encourage people to use a faster entropy source, not discourage them from
using our software at all.

Yours Truly,

    Dan Kaminsky, CISSP

More information about the openssh-unix-dev mailing list