Entropy and DSA key

Dave Dykstra dwd at bell-labs.com
Wed Nov 7 02:54:12 EST 2001


On Mon, Nov 05, 2001 at 10:40:27AM -0600, mouring at etoh.eviladmin.org wrote:
> On Mon, 5 Nov 2001, Ed Phillips wrote:
> 
> > Is there any way to compile openssh so that it will use prngd, but if it's
> > not answering, use the compiled-in prng-like routines?

In addition to Dan Astoorian's suggestion, you could try my patch which is
in the mailing list archive in a thread beginning at

    http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=99193668118573&w=2

It allows you to select any of /dev/random, prngd, or internal entropy
sources and if it can't find one it will go on to the next.

> This has been talked about between Damien and myself, but the more I think
> about it, the more I don't like the idea.  I'd rather sometime down the
> road make a clean break of our internal entropy system (Yes, Damien, I'm
> changing my tune.. <smile>).  If anything work to allow for a libprng.a
> which could be compiled into OpenSSH if someone so wants internal entropy.
> 
> Yes (as some will argue) it adds another dependency for those OSes without
> /dev/random, but I think it would be best for everyone in the end.
> 
> Before someone jumps up and starts screaming.  I'm not proposing we
> suddenly drop it.  The proposal is this (not set in stone mind you):
> 
> 3.1 - Make internal entropy --with-* option and not enabled by default.
> Provide warnings at that screen and provide locations to PRNGd.  Warn
> about how it will be removed in a future release.

I don't mind a configure option.

> 3.5 - ? Provide ability to link with a libprngd.a instead of compiling w/
> our internal entropy.

No problem.  I assume libprngd.a would be part of the prngd package then,
not the OpenSSH package, and since you wouldn't have to maintain it, it
would make your life easier.

> 4.0 - ? Remove internal entropy code.

Are you saying you would continue support of libprngd.a?  If so, why not
take out the internal entropy code at the same time you switch to libprngd.a
in 3.5?

I have a very strong need to be able to run openssh binaries on systems
without /dev/random and without system administration privileges.  I
distribute 6 Unix types widely throughout my company using an unprivileged
user id.  I need to compile on the oldest operating system release still in
use for each type (for example, on Solaris it's 2.5.1) and rely on upward
compatibility to allow the same binaries to run everywhere.  On a subset of
the systems the system administrator re-installs the binaries into a
privileged directory, and on those I use prngd, but otherwise my only
recourse is to use the internal entropy collector.  If a /dev/random
exists, I'll use that instead, but I have no way of getting all the
literally thousands of Solaris systems to install the optional package from
Sun.

In fact, the current internal entropy collection code is just barely usable
because it runs a whole lot of programs every time ssh is started.  This is
currently the worst thing about OpenSSH for me.  SSH 1.2.27 does not have
this problem: it only runs the long slow programs the first time, and from
then on it uses the entropy saved in the seed file and adds a small amount
of randomness each time.  I've asked more than once on this mailing list if
there's any crypto reason why OpenSSH does not do that, and nobody has
given any so I assume it's just a matter of not having gotten around to it
and not wanting to have to support more code.  I've never seen any security
warnings about what SSH 1.2.27 does so I presume it is fine.

Dan Astoorian sent me a private email about a month ago saying that he had
communicated with Lutz Janiecke, the author of PRNGD and an OpenSSL
developer, about having a one-shot mode on PRNGD where it can collect all
the entropy and return the random number to stdout and then exit rather
than be long running.  That sounds like a great idea because the code would
then not need to be duplicated in OpenSSH.  The extra fork/exec overhead
would not be noticed compared with all the other programs PRNGD runs,
especially if it only needs to be run the first time you run ssh as I think
it ought.

Even better, what would make the most sense is for OpenSSL to support the
one-shot PRNGD as well as the long running PRNGD.  Then entropy collection
could be completely removed from OpenSSH, there'd be no need for libprngd.a,
and everybody would be happy.  Surely other applications that use OpenSSL
have this exact same problem, and OpenSSL already has support for PRNGD.

Lutz, can you comment?

- Dave Dykstra
