path to find ssh-rand-helper
Ben Lindstrom
mouring at etoh.eviladmin.org
Tue Apr 2 03:44:05 EST 2002
Since ssh-keygen does not read (and should not) the sshd_config nor
ssh_config files. Adding in that ability to the configuration file
is really useless in the larger scheme.
I would personally rather seen a nice clearly documented mini-howto or FAQ
entry explaning how to setup prng or egd w/ OpenSSL. That way
ssh-rand-helper is not ran since OpenSSL can internally sead itself.
ssh-rand-helper should be viewed as your last line of defence on a box
that lacks kernel entropy devices (read: No root access user installing
the ssh client).
On Mon, 1 Apr 2002, Jon Peatfield wrote:
> Before I actually implement the small changes needed to allow the
> location of ssh-rand-helper to be specified in the config file, I'd
> like to check that in doing so I won't be opening up a huge security
> hole.
>
> My brief reading of the code suggests that in entropy.c:seed_rng() the
> ssh-rand-helper is run as the original uid (for binaries which were
> setuid in the first place of course), so I can't spot any obvious
> holes (but I may not be devious enough).
>
> Since almost all the other paths can be overridden in the config (or
> with -o), and the config file location can also be controlled from the
> command line (-F for ssh, -f for sshd), I can't see any good reason
> why the ssh-rand-helper location can't also be...
>
> [ I will then nobble ssh-rand-helper to take the prng_cmds from a
> user-specified source and I'll have a way to give people a small set
> of files to install anywhere (with a helper shell script to specify
> all the paths etc) ]
>
> --
> Jon Peatfield, DAMTP, Computer Officer, University of Cambridge
> Telephone: +44 1223 3 37852 Mail: J.S.Peatfield at damtp.cam.ac.uk
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>
More information about the openssh-unix-dev
mailing list