Entropy collection in sshd (was Re: Entropy and DSA key)

Ed Phillips ed at UDel.Edu
Wed Nov 7 04:48:53 EST 2001


On Tue, 6 Nov 2001, Lutz Jaenicke wrote:

> Date: Tue, 6 Nov 2001 18:33:21 +0100
> From: Lutz Jaenicke <Lutz.Jaenicke at aet.TU-Cottbus.DE>
> To: OpenSSH Development <openssh-unix-dev at mindrot.org>
> Subject: Re: Entropy collection in sshd (was Re: Entropy and DSA key)
>
> On Tue, Nov 06, 2001 at 12:18:52PM -0500, Ed Phillips wrote:
> > What I don't understand about the internal entropy collection is why can't
> > sshd just run the commands periodically just like prngd, and keep a
> > running, stirred pool of random numbers to use when a client connects?
> [more text removed]
>
> The problem is not sshd. sshd startup only happens once and it does not
> matter whether it takes 0.5 seconds or 5 seconds; the server will be up
> for hours/days/weeks anyway. (Re-seeding should happen over time.)
>
> The problem is with the client!!! ssh client processes are called by the
> user to log into the server and the response time is an important issue
> here!

I'm not following you... the problem of "it takes 2 freakin minutes to get
logged into my SS1+" is a direct result of entropy collection performed by
sshd.  "ssh -v -v -v" shows a very long pause, while truss of sshd shows it
running the prng commands.  On really slow systems, the commands take
longer than 200 milliseconds to run, so they get timed out, and that causes
less entropy to be collected, and more commands to be run in sshd.

I'm talking about sshd with the "internal" prng commands - not with
PRNGD...

Thanks,

	Ed

Ed Phillips <ed at udel.edu> University of Delaware (302) 831-6082
Systems Programmer III, Network and Systems Services
finger -l ed at polycut.nss.udel.edu for PGP public key
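The mechanism Ed describes above (sshd runs a list of commands, each under a per-command timeout, stirs their output into a pool, and keeps running further commands until it has credited enough entropy) can be modelled in a few dozen lines. The following is an added illustration written for this page, not OpenSSH's own entropy code; the pool construction, the crediting policy (a timed-out command earns no credit), the per-byte entropy estimates, the command list and the timeout values are all constructed assumptions. The Python interpreter stands in for the real commands so the example runs offline.

```python
import hashlib
import subprocess
import sys
import time


class EntropyPool:
    """Toy stirred pool: every input is hashed into the state with SHA-256, so
    weak or attacker-visible inputs never reduce what is already there."""

    def __init__(self) -> None:
        # constructed fixed initial state; a real daemon seeds from the OS
        self._state = hashlib.sha256(b"constructed-initial-state").digest()
        self.estimated_bits = 0.0

    def stir(self, data: bytes, credited_bits: float) -> None:
        self._state = hashlib.sha256(self._state + data).digest()
        self.estimated_bits += credited_bits

    def read(self, n: int) -> bytes:
        """Produce n output bytes and ratchet the state forward."""
        out = b""
        counter = 0
        while len(out) < n:
            out += hashlib.sha256(self._state + counter.to_bytes(4, "big")).digest()
            counter += 1
        self._state = hashlib.sha256(self._state + b"ratchet").digest()
        return out[:n]


def run_source(argv: list, timeout_s: float):
    """Run one entropy command under a deadline.
    Returns (stdout_bytes, elapsed_seconds, timed_out)."""
    start = time.monotonic()
    try:
        res = subprocess.run(argv, capture_output=True, timeout=timeout_s)
        return res.stdout, time.monotonic() - start, False
    except subprocess.TimeoutExpired as exc:
        # the child was killed; any partial output is still stirred in below
        return exc.stdout or b"", time.monotonic() - start, True


def gather(pool: EntropyPool, sources: list, timeout_s: float, target_bits: float) -> list:
    """Run sources in order until the pool's estimate reaches target_bits.
    Each source is (name, argv, credited_bits_per_output_byte). Hypothetical
    policy: a timed-out command earns no credit, which is why a slow host
    ends up running more commands to reach the same target."""
    report = []
    for name, argv, bits_per_byte in sources:
        if pool.estimated_bits >= target_bits:
            break
        out, elapsed, timed_out = run_source(argv, timeout_s)
        credited = 0.0 if timed_out else len(out) * bits_per_byte
        pool.stir(out, credited)
        report.append({"name": name, "bytes": len(out), "elapsed": round(elapsed, 3),
                       "timed_out": timed_out, "credited": credited})
    return report


# Constructed sources: the interpreter stands in for ps/netstat/vmstat-style
# commands, and a sleeping one models a command that is slow on an old host.
PY = sys.executable
SOURCES = [
    ("fast-echo", [PY, "-c", "import sys; sys.stdout.buffer.write(b'hello world\\n')"], 0.5),
    ("slow-cmd", [PY, "-c", "import time; time.sleep(30); print('late')"], 0.5),
    ("fast-echo-2", [PY, "-c", "import sys; sys.stdout.buffer.write(b'more data here\\n')"], 0.5),
]


def demo(timeout_s: float = 0.2, target_bits: float = 10.0):
    """Run the gatherer with the 200 ms timeout mentioned in the thread."""
    pool = EntropyPool()
    report = gather(pool, SOURCES, timeout_s, target_bits)
    return pool, report


if __name__ == "__main__":
    pool, report = demo()
    for entry in report:
        print(entry)
    print("estimated bits:", pool.estimated_bits, "sample:", pool.read(8).hex())
```

Running `demo()` on a host where even interpreter start-up exceeds 200 ms reproduces the symptom from the thread: every command times out, nothing is credited, and the gatherer walks the whole list before giving up, which is exactly the long pause seen under `ssh -v -v -v`.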