RFE: Portable OpenSSH

Dave Dykstra dwd at bell-labs.com
Thu Mar 29 04:51:18 EST 2001


On Tue, Mar 27, 2001 at 03:07:40PM -0800, Dan Kaminsky wrote:
...
> Markus, it's an imperfect world.  SSH is built around that presumption.
> I've had a personal rule ever since I started seriously working on tech,
> which was:  Never Make Things Worse.  SSH1 binaries can be thrown almost
> anywhere and, provided they're compiled for that general architecture, will
> work.  We need that, and for the most part, we *have* that.
> 
> Vast external dependancies increase the likelyhood that things will get
> worse, because they increase the likelihood that critical files won't get
> placed in the exact right place, not to mention the likelihood that they
> won't be able to live anywhere else but somewhere root can go.  SSH can
> operate entirely from usermode, and to remove that functionality would be to
> Make Things Worse.


Damien: please, please, please don't remove prng from the ssh client.  It's
introduction is what makes my use of OpenSSH possible.  I widely distribute
the solaris 'ssh' client via a regular user login with no super-user
intervention.  On those systems it will be impossible for me to start a
common prngd so every single user (could be hundreds in some cases) on a
machine will have to have their own long-running prngd.  Most of the
arguments I've seen in this thread in favor of keeping prng support have
focused on the software distribution and installation problem; that's not a
problem for me, but either requiring more work by all the users to start
and keep a prngd daemon running or attempting to automatically keep a
separate daemon running for every user via a front end shell script is
unthinkable.

As for performance, the saving of ~/.ssh/prng_seed between invocations
makes the per-invocation overhead very acceptable.

On the other hand, if sshd required prng it would not be a problem for me
because that is either run by root or by only a few knowledgable users on a
machine.  The best thing for me would be to have the same ssh binary use
a common prngd if it is running on a system and otherwise fall back to prng.

GnuPG supports but does not require an entropy daemon.  SSH1 does not
require an entropy daemon.  Please don't make it a requirement of OpenSSH.

- Dave Dykstra



More information about the openssh-unix-dev mailing list