Entropy collection in sshd (was Re: Entropy and DSA key)

Ed Phillips ed at UDel.Edu
Wed Nov 7 05:23:38 EST 2001


On Tue, 6 Nov 2001, Darren J Moffat wrote:

> Date: Tue, 06 Nov 2001 09:50:37 -0800
> From: Darren J Moffat <Darren.Moffat at Sun.COM>
> To: Lutz Jaenicke <Lutz.Jaenicke at aet.TU-Cottbus.DE>
> Cc: OpenSSH Development <openssh-unix-dev at mindrot.org>
> Subject: Re: Entropy collection in sshd (was Re: Entropy and DSA key)
>
>
>
> Lutz Jaenicke wrote:
>
> > The problem is not sshd. sshd startup only happens once and it does not
> > matter whether it takes 0.5 seconds or 5 seconds; the server will be up
> > for hours/days/weeks anyway. (Re-seeding should happen over time.)
>
>
> Startup time is important, both for the master listening daemon and
> for the children it forks to handle connections.
>
> It might not matter to you but on servers that have uptime guarantees
> specified in the fractions of a percent every little second on a reboot
> counts.
>
> 5 seconds on a test machine could translate into 30 on a production
> machine or older hardware.
>
> I'm in favour of removing all entropy gathering code from OpenSSH,
> including the use of arc4random and the private pool it keeps. I would
> much rather see /dev/urandom used directly each time. I have
> profiled this on Solaris and there wasn't a noticeable difference in
> performance for time spent reading /dev/urandom versus using arc4random.
> What I did was open /dev/urandom the first time it was needed and leave
> it open for the duration but just read the requested number of bytes
> from it each time.  Doing this has the side effect that rc4 can be
> removed from the list of required crypto algorithms.

No difference?  Between "internal" entropy collection and /dev/urandom?
I'm not following...

By the way, can you direct me to distributions of /dev/urandom for Sol2.3,
Sol2.5, Sol2.5.1, Sol2.6, Sol7 and Sol8?

I'd gladly switch to /dev/urandom if all of our Sun systems could run
it... especially the Sol2.3 IPCs that we still have hanging around in
production... ;-)

Thanks!

	Ed

Ed Phillips <ed at udel.edu> University of Delaware (302) 831-6082
Systems Programmer III, Network and Systems Services
finger -l ed at polycut.nss.udel.edu for PGP public key
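
The approach described in the quoted text above (open /dev/urandom the first time it is needed, keep it open, and read the requested number of bytes each time), as an added C example that is not part of the original message and is not OpenSSH code. The names `urandom_bytes` and `urandom_fd` are hypothetical; the helper assumes a POSIX system and fails closed where the device does not exist, which is the situation raised in the reply for older Solaris releases.

```c
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not OpenSSH code): descriptor for /dev/urandom,
 * opened on first use and kept for the life of the process. */
static int urandom_fd = -1;

/* Fill buf with len bytes from /dev/urandom.
 * Returns 0 on success, -1 on any failure (caller must treat as fatal). */
int urandom_bytes(void *buf, size_t len)
{
    unsigned char *p = buf;

    if (urandom_fd == -1) {
        /* Fail closed if the device is absent; never fall back to a
         * weak source such as time() or the PID. */
        do {
            urandom_fd = open("/dev/urandom", O_RDONLY);
        } while (urandom_fd == -1 && errno == EINTR);
        if (urandom_fd == -1)
            return -1;
        /* Do not leak the descriptor into programs this process execs. */
        if (fcntl(urandom_fd, F_SETFD, FD_CLOEXEC) == -1) {
            close(urandom_fd);
            urandom_fd = -1;
            return -1;
        }
    }

    while (len > 0) {
        ssize_t n = read(urandom_fd, p, len);
        if (n == -1 && errno == EINTR)
            continue;           /* interrupted by a signal: retry */
        if (n <= 0)
            return -1;          /* read error or unexpected EOF */
        p += n;                 /* short read: keep reading the rest */
        len -= (size_t)n;
    }
    return 0;
}
```

Forked children inherit the open descriptor, so each read still comes from the kernel rather than from a userland pool copied at fork time.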



