New feature: remote entropy gatherer port
Alex Muntada
alexm+openssh at ac.upc.es
Wed Oct 3 06:01:07 EST 2001
[NOTE: I'm new to this list and this is my first
approach to OpenSSH code.]
I've enhanced the "--with-prngd-port=PORT" flag to accept an
optional hostname, as in "myhost:myport", e.g.:
% ./configure --with-prngd-port=example.com:12345
Although I'm aware that this may cause big trouble if the remote
gatherer isn't online (ssh will refuse to open any connection),
I think it's an interesting enhancement, especially if you have a
specialized random gatherer in your local environment.
Imagine a server running egd or prngd, fed by the usual PRNG
shell commands. Then add to that server some random traffic from
your local network, or from other random gatherers like random.org
(e.g. http://random.org/cgi-bin/randbyte?nbytes=128&format=f ),
etc. Thus, all random requesters (OpenSSH, OpenSSL, GnuPG, etc.)
could use the same gatherer, and requesters wouldn't need to run all
those PRNG shell commands all the time (I've noticed 10-second
delays on some hosts that lack a random device).
I've attached the diff against openssh-2.9.9p2 (the latest release
I've seen), and I'm planning to add some sshd_config options to
select the PRNGD hostname and port, but first I'd like to know what
you think about this.
Thanks.
--
Alex Muntada <alexm at ac.upc.es>
http://people.ac.upc.es/alexm/
*** acconfig.h.orig Thu Sep 20 21:43:41 2001
--- acconfig.h Tue Oct 2 20:25:35 2001
***************
*** 95,100 ****
--- 95,103 ----
/* Location of PRNGD/EGD random number socket */
#undef PRNGD_SOCKET
+ /* Port number of PRNGD/EGD random number host */
+ #undef PRNGD_HOST
+
/* Port number of PRNGD/EGD random number socket */
#undef PRNGD_PORT
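Review bot: The comment added above `#undef PRNGD_HOST` reads "Port number of PRNGD/EGD random number host", which is a copy of the PRNGD_PORT comment below it and is wrong: configure.in defines PRNGD_HOST with `AC_DEFINE_UNQUOTED(PRNGD_HOST, "$PRNGD_HOST")`, i.e. a quoted string holding the hostname part of --with-prngd-port. Suggest `/* Hostname of the remote PRNGD/EGD entropy source; undefined means localhost */`. Since the value lands in a C string literal, the comment could also warn that the configure argument must not contain a double quote.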
*** configure.in.orig Wed Sep 26 00:39:38 2001
--- configure.in Tue Oct 2 20:34:09 2001
***************
*** 1494,1505 ****
]
)
! # Check for PRNGD/EGD pool file
AC_ARG_WITH(prngd-port,
! [ --with-prngd-port=PORT read entropy from PRNGD/EGD localhost:PORT],
[
if test ! -z "$withval" -a "x$withval" != "xno" ; then
! PRNGD_PORT="$withval"
AC_DEFINE_UNQUOTED(PRNGD_PORT, $PRNGD_PORT)
fi
]
--- 1494,1510 ----
]
)
! # Check for PRNGD/EGD pool port (with remote host support)
AC_ARG_WITH(prngd-port,
! [ --with-prngd-port=[HOST:]PORT read entropy from PRNGD/EGD HOST:PORT (default=localhost:PORT)],
[
if test ! -z "$withval" -a "x$withval" != "xno" ; then
! if test ! -z "$withval" -a "x$withval" != "xno" ; then
! PRNGD_HOST=`echo $withval | sed "s~:.*$~~"`
! AC_DEFINE_UNQUOTED(PRNGD_HOST, "$PRNGD_HOST")
! fi
!
! PRNGD_PORT=`echo $withval | sed "s~^.*:~~"`
AC_DEFINE_UNQUOTED(PRNGD_PORT, $PRNGD_PORT)
fi
]
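Review bot: The inner `if test ! -z "$withval" -a "x$withval" != "xno"` repeats the outer test verbatim, so the host branch runs unconditionally and the "default=localhost:PORT" promised in the new help text never happens: for a bare `--with-prngd-port=12345` the `sed "s~:.*$~~"` leaves "12345" untouched, PRNGD_HOST="12345" is defined, and entropy.c will then hand that string to gethostbyname() at runtime instead of using INADDR_LOOPBACK. The inner condition should test for a colon in $withval, e.g. with a `case` pattern. Because PRNGD_PORT is defined unquoted straight into C source, it is also worth rejecting a non-numeric port at configure time rather than discovering it as a compile error.
```shell
if test ! -z "$withval" -a "x$withval" != "xno" ; then
	case "$withval" in
	*:*)
		PRNGD_HOST=`echo $withval | sed "s~:.*$~~"`
		AC_DEFINE_UNQUOTED(PRNGD_HOST, "$PRNGD_HOST")
		;;
	esac
	PRNGD_PORT=`echo $withval | sed "s~^.*:~~"`
	case "$PRNGD_PORT" in
	""|*[!0-9]*) AC_MSG_ERROR([--with-prngd-port: port must be numeric, got "$PRNGD_PORT"]) ;;
	esac
	# … unchanged: AC_DEFINE_UNQUOTED(PRNGD_PORT, $PRNGD_PORT) …
fi
```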
*** entropy.c.orig Mon Aug 6 08:51:49 2001
--- entropy.c Tue Oct 2 20:39:25 2001
***************
*** 90,95 ****
--- 90,98 ----
int fd;
char msg[2];
#ifdef PRNGD_PORT
+ #ifdef PRNGD_HOST
+ struct hostent *he;
+ #endif
struct sockaddr_in addr;
#else
struct sockaddr_un addr;
***************
*** 101,107 ****
--- 104,120 ----
#ifdef PRNGD_PORT
addr.sin_family = AF_INET;
+ #ifdef PRNGD_HOST
+ he = gethostbyname(PRNGD_HOST);
+ if (he == NULL) {
+ error("Could not get IP address for hostname %s.", PRNGD_HOST);
+ goto done;
+ }
+
+ memcpy(&addr.sin_addr.s_addr, he->h_addr_list[0], sizeof(struct in_addr));
+ #else /* use localhost IP address */
addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+ #endif
addr.sin_port = htons(PRNGD_PORT);
addr_len = sizeof(struct sockaddr_in);
#else /* use IP socket PRNGD_SOCKET instead */
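Review bot: The `memcpy` after the `gethostbyname` call copies `sizeof(struct in_addr)` bytes from `he->h_addr_list[0]` without checking `he->h_addrtype` or `he->h_length`, so an answer that is not AF_INET would be copied into `sin_addr` as if it were an IPv4 address; add `if (he->h_addrtype != AF_INET || he->h_length != sizeof(struct in_addr)) { error("Unexpected address type for PRNGD host %s.", PRNGD_HOST); goto done; }` before the copy. More importantly, neither the name lookup nor the TCP connection that follows is authenticated, so anyone who can answer the DNS query for PRNGD_HOST or sit on the path to it chooses the bytes this socket returns, and this function exists to collect seed material; that trust assumption deserves a comment at the `#ifdef PRNGD_HOST` branch such as `/* NOTE: a remote PRNGD is reached over plain, unauthenticated TCP; only use on a trusted network or through a local tunnel. */` and a mention in the configure help text. `gethostbyname` also returns a pointer to static storage, which is fine for the single call here but worth noting if this path is ever used from more than one thread. The `done` label and the remainder of the function are outside this hunk.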
***************
*** 137,144 ****
--- 150,162 ----
if (connect(fd, (struct sockaddr*)&addr, addr_len) == -1) {
#ifdef PRNGD_PORT
+ #ifdef PRNGD_HOST
+ error("Couldn't connect to PRNGD host %s port %d: %s",
+ PRNGD_HOST, PRNGD_PORT, strerror(errno));
+ #else
error("Couldn't connect to PRNGD port %d: %s",
PRNGD_PORT, strerror(errno));
+ #endif
#else
error("Couldn't connect to PRNGD socket \"%s\": %s",
addr.sun_path, strerror(errno));