OpenSSH (portable) and entropy gathering

Dave Dykstra dwd at
Wed Oct 3 06:29:20 EST 2001

On Fri, Sep 28, 2001 at 10:13:50AM -0400, Dan Astoorian wrote:
> On Thu, 27 Sep 2001 20:41:05 EDT, Damien Miller writes:
> > On Thu, 27 Sep 2001, Dan Astoorian wrote:
> > 
> > > 
> > > It would (IMHO) be useful if there were a way to optionally configure
> > > that code to fall back to the internal entropy gathering routines in the
> > > event that EGD was not available; as it is, the routines simply fail if
> > > EGD is unavailable at the time the ssh daemon or client is invoked.
> > > 
> > > Is this a feature the OpenSSH Portability Team would consider
> > > worthwhile?
> > 
> > Probably not - in fact we want to deprecate the built in entropy 
> > collection in favor of the use of a daemon or subprocess.
> I can understand that desire, and I don't mean to be argumentative, but
> I'm looking at it from the standpoint of a sysadmin.  Right now, my
> systems use the internal entropy gathering.  I _want_ to move to PRNGD.
> However, I don't want my systems to stop working entirely if PRNGD isn't
> running or if its socket gets clobbered.  For instance, I need the
> ability to run ssh *clients* from the console in single-user mode,
> before PRNGD has started up.
> By not having an option to fall back, it's making it more difficult to
> justify the case for installing PRNGD, because functionality takes
> precedence over efficiency.
> I don't see a downside to having a configure-time option (off by
> default) like "--with-entropy-fallback" to use the built-in code if (and
> only if) the daemon were unreachable, unless the OpenSSH Portability
> Team considers it better to fail completely than to use the deprecated
> code.
> Am I missing something?
> I'd be willing to code the change.

I submitted a patch to allow all sources of entropy to be selected at 
runtime.  Thread begins at

It works by allowing you to specify multiple sources of entropy at
configure time, and choosing between them all at runtime.

I haven't updated it to 2.9.9p2 yet; I'll post it again when I do.
The last response from Ben was that it probably wouldn't get in until
after 3.0.

- Dave Dykstra
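
The runtime fallback discussed in this thread, sketched as an added example (not Dave Dykstra's patch and not OpenSSH code): try an EGD/PRNGD socket first and use a second source only if the daemon is unreachable, reporting which source answered so the fallback can be logged. Assumptions: the function names are hypothetical, and a kernel random device stands in for the second source instead of OpenSSH's built-in command-based gathering.

```c
#include <fcntl.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Read exactly len bytes; a short read counts as failure, never as success. */
static int read_full(int fd, unsigned char *buf, size_t len) {
    for (size_t got = 0; got < len; ) {
        ssize_t r = read(fd, buf + got, len - got);
        if (r <= 0) return -1;
        got += (size_t)r;
    }
    return 0;
}

/* EGD/PRNGD blocking read: send {0x02, n}, receive exactly n bytes (n <= 255). */
static int egd_read(const char *path, unsigned char *buf, size_t len) {
    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    unsigned char req[2] = { 0x02, (unsigned char)len };
    int fd, rc = -1;
    if (len == 0 || len > 255 || strlen(path) >= sizeof(sa.sun_path)) return -1;
    strcpy(sa.sun_path, path);
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) return -1;
    if (connect(fd, (struct sockaddr *)&sa, sizeof(sa)) == 0 && write(fd, req, 2) == 2)
        rc = read_full(fd, buf, len);
    close(fd);
    return rc;
}

/* Second source (assumption): a kernel random device opened by path. */
static int dev_read(const char *path, unsigned char *buf, size_t len) {
    int fd = open(path, O_RDONLY), rc;
    if (fd < 0) return -1;
    rc = read_full(fd, buf, len);
    close(fd);
    return rc;
}

/* Try the sources in order. Returns 0 if the EGD socket answered, 1 if the
 * fallback was used (worth logging), -1 if neither delivered len bytes. */
int gather_entropy(const char *egd_path, const char *dev_path,
                   unsigned char *buf, size_t len) {
    if (egd_read(egd_path, buf, len) == 0) return 0;
    if (dev_read(dev_path, buf, len) == 0) return 1;
    return -1;
}
```

A caller that gets -1 should refuse to generate keys rather than continue with an unseeded generator.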
