RFE: Portable OpenSSH
Dave Dykstra
dwd at bell-labs.com
Thu Mar 29 04:51:18 EST 2001
On Tue, Mar 27, 2001 at 03:07:40PM -0800, Dan Kaminsky wrote:
...
> Markus, it's an imperfect world. SSH is built around that presumption.
> I've had a personal rule ever since I started seriously working on tech,
> which was: Never Make Things Worse. SSH1 binaries can be thrown almost
> anywhere and, provided they're compiled for that general architecture, will
> work. We need that, and for the most part, we *have* that.
>
> Vast external dependancies increase the likelyhood that things will get
> worse, because they increase the likelihood that critical files won't get
> placed in the exact right place, not to mention the likelihood that they
> won't be able to live anywhere else but somewhere root can go. SSH can
> operate entirely from usermode, and to remove that functionality would be to
> Make Things Worse.
Damien: please, please, please don't remove prng from the ssh client. It's
introduction is what makes my use of OpenSSH possible. I widely distribute
the solaris 'ssh' client via a regular user login with no super-user
intervention. On those systems it will be impossible for me to start a
common prngd so every single user (could be hundreds in some cases) on a
machine will have to have their own long-running prngd. Most of the
arguments I've seen in this thread in favor of keeping prng support have
focused on the software distribution and installation problem; that's not a
problem for me, but either requiring more work by all the users to start
and keep a prngd daemon running or attempting to automatically keep a
separate daemon running for every user via a front end shell script is
unthinkable.
As for performance, the saving of ~/.ssh/prng_seed between invocations
makes the per-invocation overhead very acceptable.
On the other hand, if sshd required prng it would not be a problem for me
because that is either run by root or by only a few knowledgable users on a
machine. The best thing for me would be to have the same ssh binary use
a common prngd if it is running on a system and otherwise fall back to prng.
GnuPG supports but does not require an entropy daemon. SSH1 does not
require an entropy daemon. Please don't make it a requirement of OpenSSH.
- Dave Dykstra
More information about the openssh-unix-dev
mailing list