New feature: remote entropy gatherer port

Damien Miller djm at
Wed Oct 3 09:03:13 EST 2001

On Tue, 2 Oct 2001, Alex Muntada wrote:

> 	[NOTE: I'm new to this list and this is my first
> 	approach to OpenSSH code.]
> I've enhanced "--with-prngd-port=PORT" flag to accept an
> optional hostname as in "myhost:myport", e.g.:
>   % ./configure

You didn't enhance, you broke. This will allow a local eavesdropper to
sniff the entropy as it crosses your network.

If an attacker can sniff the entropy, they can predict session keys,
new host or user keys that are generated and can even determine
existing DSA keys. This makes the use of SSH worse than useless.


| Damien Miller <djm at> \ ``E-mail attachments are the poor man's 
|          /   distributed filesystem'' - Dan Geer
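The objection above amounts to a configuration rule: an entropy source reached over TCP must stay on the local host. As an added illustration (not OpenSSH code, and not something either poster wrote), here is a small C checker for a `--with-prngd-port=` value in the "PORT" or "HOST:PORT" form the quoted mail proposes. It accepts a bare port or a loopback host and rejects anything else, so entropy never leaves the machine in the clear. The function names, the loopback-name list and the sample inputs are all assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Outcome of checking a PRNGD endpoint. Hypothetical helper, not OpenSSH code. */
enum prngd_check {
    PRNGD_OK_LOCAL = 0,  /* port only, or a loopback host: entropy never leaves the host */
    PRNGD_REMOTE_HOST,   /* any other host: entropy would cross the network in the clear */
    PRNGD_BAD_PORT,      /* port is not an integer in 1..65535 */
    PRNGD_BAD_SYNTAX     /* empty spec, or a ':' with nothing before it */
};

/* Only these loopback names are accepted (assumed list for this example). */
static int is_loopback_host(const char *host)
{
    return strcmp(host, "localhost") == 0 ||
           strcmp(host, "127.0.0.1") == 0 ||
           strcmp(host, "::1") == 0;
}

/* Parses a decimal TCP port; returns -1 unless it is in 1..65535. */
static int parse_port(const char *s)
{
    char *end;
    long v;

    if (*s == '\0' || !isdigit((unsigned char)*s))
        return -1;
    v = strtol(s, &end, 10);
    if (*end != '\0' || v < 1 || v > 65535)
        return -1;
    return (int)v;
}

/*
 * Checks a "--with-prngd-port=" value written as "PORT" or "HOST:PORT".
 * On return, host holds the parsed host ("" when none) and *port the port
 * (or -1 when invalid). The last ':' splits host and port so "::1:1234" works.
 */
enum prngd_check check_prngd_endpoint(const char *spec, char *host,
                                      size_t hostlen, int *port)
{
    const char *colon;
    size_t n;

    host[0] = '\0';
    *port = -1;
    if (spec == NULL || *spec == '\0')
        return PRNGD_BAD_SYNTAX;

    colon = strrchr(spec, ':');
    if (colon == NULL) {
        /* No host given: the daemon is reached on the local host. */
        *port = parse_port(spec);
        return *port < 0 ? PRNGD_BAD_PORT : PRNGD_OK_LOCAL;
    }

    n = (size_t)(colon - spec);
    if (n == 0 || n >= hostlen)
        return PRNGD_BAD_SYNTAX;
    memcpy(host, spec, n);
    host[n] = '\0';

    *port = parse_port(colon + 1);
    if (*port < 0)
        return PRNGD_BAD_PORT;
    return is_loopback_host(host) ? PRNGD_OK_LOCAL : PRNGD_REMOTE_HOST;
}

/* Convenience wrapper when only the verdict matters. */
enum prngd_check classify_prngd_endpoint(const char *spec)
{
    char host[256];
    int port;
    return check_prngd_endpoint(spec, host, sizeof(host), &port);
}

int main(void)
{
    /* Constructed sample values, including the "myhost:myport" form from the quoted mail. */
    const char *specs[] = { "1234", "localhost:1234", "myhost:1234", "myhost:myport", "" };
    size_t i;

    for (i = 0; i < sizeof(specs) / sizeof(specs[0]); i++) {
        enum prngd_check r = classify_prngd_endpoint(specs[i]);
        printf("%-16s -> %s\n", specs[i],
               r == PRNGD_OK_LOCAL ? "accept (local)" :
               r == PRNGD_REMOTE_HOST ? "reject: entropy would cross the network" :
               r == PRNGD_BAD_PORT ? "reject: bad port" : "reject: bad syntax");
    }
    return 0;
}
```

The check is deliberately a name comparison rather than a DNS lookup: resolving the host at configure time would still let a later resolver change redirect the entropy stream off-host, whereas the literal loopback names cannot point anywhere else.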
