New feature: remote entropy gatherer port

Damien Miller djm at mindrot.org
Wed Oct 3 09:03:13 EST 2001


On Tue, 2 Oct 2001, Alex Muntada wrote:

> 	[NOTE: I'm new to this list and this is my first
> 	approach to OpenSSH code.]
> 
> I've enhanced "--with-prngd-port=PORT" flag to accept an
> optional hostname as in "myhost:myport", e.g.:
> 
>   % ./configure --with-prngd-port=example.com:12345

You didn't enhance, you broke. This will allow a local eavesdropper to
sniff the entropy on as it crosses your network.

If an attacker can sniif the entropy, they can predict session keys,
new host or user keys that are generated and can even determine
existing DSA keys. This makes the use of SSH worse than useless.

-d

-- 
| Damien Miller <djm at mindrot.org> \ ``E-mail attachments are the poor man's 
| http://www.mindrot.org          /   distributed filesystem'' - Dan Geer





More information about the openssh-unix-dev mailing list