Entropy and DSA key
Dan Astoorian
djast at cs.toronto.edu
Tue Nov 6 03:57:00 EST 2001
On Mon, 05 Nov 2001 11:23:51 EST, Ed Phillips writes:
> Is there any way to compile openssh so that it will use prngd, but if it's
> not answering, use the compiled-in prng-like routines?
No supported way, and no way that doesn't involve modifying the source.
I recently asked here whether that feature would be accepted if I wrote
a patch to implement it; the consensus was, for reasons I won't rehash,
that the feature was not desired.
However, assuming you're using OpenSSL 0.9.5 or later, and using Unix
sockets for PRNGD rather than a TCP port, it can be done fairly easily,
by calling OpenSSL's EGD hooks from the internal entropy code instead of
compiling in OpenSSH's PRNGD code.
- In entropy.c, make the following change to the _second_ definition of
seed_rng() (the version which is used by the internal entropy code):
========================================================================
if (!prng_initialised)
fatal("RNG not initialised");
+
+ #define EGD_SOCKET "/path/to/prngd/socket"
+ if (!RAND_status()) {
+ RAND_egd(EGD_SOCKET);
+ }
+ if (RAND_status()) {
+ return;
+ }
/* Make sure some other sigchld handler doesn't reap our entropy */
/* commands */
========================================================================
- Configure openssh *without* PRNGD support.
Use at your own risk.
--
Dan Astoorian People shouldn't think that it's better to have
Sysadmin, CSLab loved and lost than never loved at all. It's
djast at cs.toronto.edu not, it's better to have loved and won. All
www.cs.toronto.edu/~djast/ the other options really suck. --Dan Redican
More information about the openssh-unix-dev
mailing list