Entropy and DSA key
mouring at etoh.eviladmin.org
mouring at etoh.eviladmin.org
Wed Nov 7 08:49:45 EST 2001
On Tue, 6 Nov 2001, Lutz Jaenicke wrote:
> On Tue, Nov 06, 2001 at 01:38:40PM -0600, mouring at etoh.eviladmin.org wrote:
> > I would perfer OpenSSL handle all the entropy behind the scenes. It would
> > make our life easier in the portable group. However it only removes
> > around 1000 lines of code in a 55,000 line project (I'm refering to
> > portable. OpenBSD's ssh tree is 45,000 lines.).
>
> I would not expect this to happen. OpenSSL is used by a lot of security
> relevant applications, many of them running with root permission.
> The OpenSSL library does contact the hardcoded /dev/[u]random location
> and will query some hardcoded locations for a PRNGd/EGD socket.
> I don't think a library should do things beyond this level. I really
> don't want a library to try and run commands (maybe with root permission)
> behind my back.
>
OpenSSL allows you to also state where PRNGd/EGD sockets are via
RAND_egd(). It would be as easy to do RAND_cmd_list(), and require it to
be setup before it was used by the application. It would be no less
secure than PRNGd nor current internal solution.
I agree that it should not try to build and run the stuff automaticly.
Just like I don't believe OpenSSL should try PRNGd/EGD without being told
to.
- Ben
More information about the openssh-unix-dev
mailing list