OpenSSH (portable) and entropy gathering

Dan Astoorian djast at cs.toronto.edu
Sat Sep 29 00:13:50 EST 2001


On Thu, 27 Sep 2001 20:41:05 EDT, Damien Miller writes:
> On Thu, 27 Sep 2001, Dan Astoorian wrote:
> 
> > 
> > It would (IMHO) be useful if there were a way to optionally configure
> > that code to fall back to the internal entropy gathering routines in the
> > event that EGD was not available; as it is, the routines simply fail if
> > EGD is unavailable at the time the ssh daemon or client is invoked.
> > 
> > Is this a feature the OpenSSH Portability Team would consider
> > worthwhile?
> 
> Probably not - in fact we want to deprecate the built in entropy 
> collection in favor of the use of a daemon or subprocess.

I can understand that desire, and I don't mean to be argumentative, but
I'm looking at it from the standpoint of a sysadmin.  Right now, my
systems use the internal entropy gathering.  I _want_ to move to PRNGD.
However, I don't want my systems to stop working entirely if PRNGD isn't
running or if its socket gets clobbered.  For instance, I need the
ability to run ssh *clients* from the console in single-user mode,
before PRNGD has started up.

Not having an option to fall back makes it more difficult to justify
the case for installing PRNGD, because functionality takes precedence
over efficiency.

I don't see a downside to having a configure-time option (off by
default) like "--with-entropy-fallback" to use the built-in code if (and
only if) the daemon were unreachable, unless the OpenSSH Portability
Team considers it better to fail completely than to use the deprecated
code.

Am I missing something?

I'd be willing to code the change.

-- 
Dan Astoorian               People shouldn't think that it's better to have
Sysadmin, CSLab             loved and lost than never loved at all.  It's
djast at cs.toronto.edu        not, it's better to have loved and won.  All
www.cs.toronto.edu/~djast/  the other options really suck.    --Dan Redican
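The fallback policy argued for above, as an added example that is not part of the original message or of OpenSSH's portable code. It asks an EGD/PRNGD-style Unix socket for bytes with the EGD blocking-read request (a 0x02 byte followed by a count) and, only when a compile-time switch allows it, falls back to a gatherer that runs a command table and mixes the output with timing. The socket path /var/run/egd-pool, the ENTROPY_FALLBACK macro standing in for a --with-entropy-fallback configure option, the command table and the mixing function are all assumptions; the mixer in particular is a non-cryptographic placeholder so that the file builds without OpenSSL.

```c
/* Added example, not OpenSSH's own code: try the EGD/PRNGD socket first and use
 * a built-in gatherer only when the fallback was compiled in. The socket path,
 * the ENTROPY_FALLBACK macro, the command table and the mixer are assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

#ifndef ENTROPY_FALLBACK      /* stands in for ./configure --with-entropy-fallback */
#define ENTROPY_FALLBACK 1
#endif
#define GATHER_MIN_BYTES 64   /* refuse a fallback seed built from less than this */

enum seed_src { SRC_NONE = 0, SRC_EGD = 1, SRC_FALLBACK = 2 };

/* EGD protocol client: request byte 0x02 followed by a count N asks the daemon
 * for N bytes and blocks until it has them. Returns 0, or -1 on any failure. */
static int egd_read(const char *path, unsigned char *buf, size_t n)
{
    struct sockaddr_un sa;
    unsigned char req[2] = { 0x02, (unsigned char)n };
    size_t got = 0;
    int fd;
    if (n == 0 || n > 255 || strlen(path) >= sizeof(sa.sun_path))
        return -1;
    memset(&sa, 0, sizeof(sa));
    sa.sun_family = AF_UNIX;
    strcpy(sa.sun_path, path);
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
        return -1;
    if (connect(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0 || write(fd, req, 2) != 2) {
        close(fd);
        return -1;
    }
    while (got < n) {                         /* the daemon may answer in pieces */
        ssize_t r = read(fd, buf + got, n - got);
        if (r <= 0) { close(fd); return -1; }
        got += (size_t)r;
    }
    close(fd);
    return 0;
}

/* Non-cryptographic FNV-1a mixer, used only so this builds without OpenSSL; a
 * real gatherer must feed a cryptographic hash instead. Do not ship this. */
static uint64_t mix64(uint64_t h, const void *p, size_t len)
{
    const unsigned char *b = p;
    size_t i;
    for (i = 0; i < len; i++)
        h = (h ^ b[i]) * 0x100000001b3ULL;
    return h;
}

/* Stand-in for the built-in gatherer: run a command table (OpenSSH kept one in
 * ssh_prng_cmds) and mix the output with per-command timing. Returns the number
 * of command-output bytes seen, or -1 if that is below GATHER_MIN_BYTES. */
static const char *const gather_cmds[] = { "ls -alni /", "ls -alni /tmp", "df", NULL };
static int builtin_gather(unsigned char *buf, size_t n)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    struct timespec ts;
    char chunk[256];
    long total = 0;
    size_t i, r;
    for (i = 0; gather_cmds[i] != NULL; i++) {
        FILE *fp = popen(gather_cmds[i], "r");
        if (fp == NULL)
            continue;                         /* a missing command is tolerated */
        while ((r = fread(chunk, 1, sizeof(chunk), fp)) > 0) {
            h = mix64(h, chunk, r);
            total += (long)r;
        }
        pclose(fp);
        clock_gettime(CLOCK_MONOTONIC, &ts);  /* scheduling jitter of the command */
        h = mix64(h, &ts, sizeof(ts));
    }
    if (total < GATHER_MIN_BYTES)
        return -1;
    for (i = 0; i < n; i++) {                 /* expand the state into the buffer */
        h = mix64(h, &i, sizeof(i));
        buf[i] = (unsigned char)(h >> 56);
    }
    return (int)total;
}

/* Daemon first; gatherer only if the fallback is allowed; otherwise SRC_NONE, so
 * the caller refuses to start rather than run unseeded. */
static enum seed_src seed_rng(const char *egd_path, unsigned char *buf, size_t n,
                              int allow_fallback)
{
    if (egd_read(egd_path, buf, n) == 0)
        return SRC_EGD;
    if (allow_fallback && builtin_gather(buf, n) > 0)
        return SRC_FALLBACK;
    return SRC_NONE;
}
```

A caller passes ENTROPY_FALLBACK as the last argument of seed_rng and treats SRC_NONE as fatal, so the result fails closed in both configurations: without the switch the program stops when the daemon is unreachable, which is the behaviour complained about above; with it the program still stops if the gatherer collected less than GATHER_MIN_BYTES. Whether the fallback bytes are of seed quality is a separate question this example does not answer.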