Entropy and DSA key

mouring at etoh.eviladmin.org
Tue Nov 6 03:40:27 EST 2001


This has been talked about between Damien and myself, but the more I think
about it, the more I don't like the idea.  I'd rather sometime down the
road make a clean break of our internal entropy system (Yes, Damien, I'm
changing my tune.. <smile>).  If anything, work to allow for a libprng.a
which could be compiled into OpenSSH if someone so wants internal entropy.

Yes (as some will argue) it adds another dependency for those OSes without
/dev/random, but I think it would be best for everyone in the end.

Before someone jumps up and starts screaming, I'm not proposing we
suddenly drop it.  The proposal is this (not set in stone, mind you):

3.1 - Make internal entropy --with-* option and not enabled by default.
Provide warnings at that screen and provide locations to PRNGd.  Warn
about how it will be removed in a future release.

3.5 - ? Provide ability to link with a libprngd.a instead of compiling w/
our internal entropy.

4.0 - ? Remove internal entropy code.

Out of interest does ANYONE use egd.pl any more?!

- Ben

On Mon, 5 Nov 2001, Ed Phillips wrote:

> Is there any way to compile openssh so that it will use prngd, but if it's
> not answering, use the compiled-in prng-like routines?
>
> Thanks,
>
> 	Ed
>
> On Mon, 5 Nov 2001 mouring at etoh.eviladmin.org wrote:
>
> > Date: Mon, 5 Nov 2001 09:59:30 -0600 (CST)
> > From: mouring at etoh.eviladmin.org
> > To: Damien Miller <djm at mindrot.org>
> > Cc: Laurent Papier <papier at sdv.fr>, openssh-unix-dev at mindrot.org, ed at UDel.Edu
> > Subject: Re: Entropy and DSA key
> >
> >
> > Maybe we should have set internal entropy to --with-internal-entropy at
> > the 3.0 instead of having it default.  (Thus having ./configure fail
> > if it does not find entropy)
> >
> > I think most people will ignore messages if ./configure succeeds.
> >
> > - Ben
> >
> > On Tue, 6 Nov 2001, Damien Miller wrote:
> >
> > > On Mon, 5 Nov 2001, Laurent Papier wrote:
> > >
> > > > > No, you should adjust ssh_prng_cmds to gather more entropy or pester your
> > > > > OS vendor for /dev/random.
> > > >
> > > > > We have the exact same problem here on AIX 3.x. We now use prngd and this
> > > > > completely solves the problem.
> > >
> > > > Short of persuading your OS vendor to give you a /dev/random, using
> > > > PRNGd is the best approach. IMO the built-in entropy code should
> > > > really be a last resort.
> > >
> > > -d
> > >
> > > --
> > > | By convention there is color,       \\ Damien Miller <djm at mindrot.org>
> > > | By convention sweetness, By convention bitterness, \\ www.mindrot.org
> > > | But in reality there are atoms and space - Democritus (c. 400 BCE)
> > >
> > >
> >
>
> Ed Phillips <ed at udel.edu> University of Delaware (302) 831-6082
> Systems Programmer III, Network and Systems Services
> finger -l ed at polycut.nss.udel.edu for PGP public key
>
>
