RFE: Portable OpenSSH

Jim Knoble jmknoble at jmknoble.cx
Wed Mar 28 13:44:18 EST 2001


Circa 2001-Mar-27 17:58:27 -0800 dixit Dan Kaminsky:

: Reasonable argument for the downgrade.  Unreasonable for the upgrade--I
: shouldn't need to recompile all the apps on a machine just because I got a
: better source of entropy.
: 
: The *only* time compile time checks are superior is when you're trying to
: avoid including a library you do not possess.  All other times, it's better
: to not have to recompile.

I voice disagreement.  Adding the complex logic to the program makes it
more difficult to audit and maintain, which could affect the security
of the program.

If you want adaptive behavior, how about adding to prngd the ability to
get randomness from /dev/random, rather than adding complexity to the
already quite complex ssh system?  That's a much more modular solution
which everyone on the system who needs a PRNG can use.

-- 
jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/



More information about the openssh-unix-dev mailing list