path to find ssh-rand-helper

Ben Lindstrom mouring at etoh.eviladmin.org
Tue Apr 2 03:44:05 EST 2002


Since ssh-keygen does not read (and should not read) the sshd_config or
ssh_config files, adding that ability to the configuration file
is really useless in the larger scheme.

I would personally rather see a nice, clearly documented mini-howto or FAQ
entry explaining how to set up prng or egd w/ OpenSSL.  That way
ssh-rand-helper is not run, since OpenSSL can internally seed itself.

ssh-rand-helper should be viewed as your last line of defence on a box
that lacks kernel entropy devices (read: No root access user installing
the ssh client).

On Mon, 1 Apr 2002, Jon Peatfield wrote:

> Before I actually implement the small changes needed to allow the
> location of ssh-rand-helper to be specified in the config file, I'd
> like to check that in doing so I won't be opening up a huge security
> hole.
>
> My brief reading of the code suggests that in entropy.c:seed_rng() the
> ssh-rand-helper is run as the original uid (for binaries which were
> setuid in the first place of course), so I can't spot any obvious
> holes (but I may not be devious enough).
>
> Since almost all the other paths can be overridden in the config (or
> with -o), and the config file location can also be controlled from the
> command line (-F for ssh, -f for sshd), I can't see any good reason
> why the ssh-rand-helper location can't also be...
>
> [ I will then nobble ssh-rand-helper to take the prng_cmds from a
> user-specified source and I'll have a way to give people a small set
> of files to install anywhere (with a helper shell script to specify
> all the paths etc) ]
>
> --
> Jon Peatfield,  DAMTP,  Computer Officer,   University of Cambridge
> Telephone: +44 1223  3 37852    Mail: J.S.Peatfield at damtp.cam.ac.uk
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>
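The privilege point raised in the quoted message (a setuid binary running an external, user-locatable helper only after dropping back to the original uid) as an added C illustration. This is not OpenSSH's entropy.c:seed_rng() code; the helper path /bin/sh and its arguments are constructed for the demonstration, and the real ssh-rand-helper is not invoked.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Permanently drop any setuid/setgid privilege back to the real
 * user and group ids. Group first, because once the uid is dropped
 * we may no longer be allowed to change the gid. Returns 0 on success. */
int drop_to_real_ids(void)
{
    gid_t rgid = getgid();
    uid_t ruid = getuid();

    if (setgid(rgid) != 0)
        return -1;
    if (setuid(ruid) != 0)
        return -1;
    /* Verify the drop actually took effect before trusting it. */
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    return 0;
}

/* Run the helper at `path` in a child process that has first dropped
 * to the real ids, so a user-chosen helper location never executes
 * with the parent's elevated privileges. Returns the helper's exit
 * status, or -1 if it could not be run or did not exit normally. */
int run_helper_as_real_user(const char *path, char *const argv[])
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child: drop privileges, then exec. Any failure exits 127. */
        if (drop_to_real_ids() != 0)
            _exit(127);
        execv(path, argv);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (!WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed stand-in for a helper: /bin/sh exiting with status 3. */
    char *const argv[] = { "sh", "-c", "exit 3", NULL };
    int rc = run_helper_as_real_user("/bin/sh", argv);

    printf("helper exit status: %d (uid %u, euid %u)\n",
           rc, (unsigned)getuid(), (unsigned)geteuid());
    return rc == 3 ? 0 : 1;
}
```

The child re-checks the effective ids after the drop rather than assuming setuid() succeeded; on a box where the client was installed setuid, that check is what keeps a config-file-specified helper path from becoming a privilege escalation route.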