New feature: remote entropy gatherer port
Damien Miller
djm at mindrot.org
Wed Oct 3 09:03:13 EST 2001
On Tue, 2 Oct 2001, Alex Muntada wrote:
> [NOTE: I'm new to this list and this is my first
> approach to OpenSSH code.]
>
> I've enhanced "--with-prngd-port=PORT" flag to accept an
> optional hostname as in "myhost:myport", e.g.:
>
> % ./configure --with-prngd-port=example.com:12345
You didn't enhance, you broke. This will allow a local eavesdropper to
sniff the entropy on as it crosses your network.
If an attacker can sniif the entropy, they can predict session keys,
new host or user keys that are generated and can even determine
existing DSA keys. This makes the use of SSH worse than useless.
-d
--
| Damien Miller <djm at mindrot.org> \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer
More information about the openssh-unix-dev
mailing list