getting OpenSSH/OpenSSL to utilize /dev/random
Ed Phillips
ed at UDel.Edu
Fri Apr 12 03:02:11 EST 2002
On Thu, 11 Apr 2002, Lacoss-Arnold, Jason wrote:
> Date: Thu, 11 Apr 2002 09:10:48 -0500
> From: "Lacoss-Arnold, Jason" <Jason.Lacoss-Arnold at AGEDWARDS.com>
> To: "'openssh-unix-dev at mindrot.org'" <openssh-unix-dev at mindrot.org>
> Subject: getting OpenSSH/OpenSSL to utilize /dev/random
>
> I've installed Sun's SUNWski package on Solaris 8 (32-bit) that provides a
> /dev/random interface. It appears to, as cat'ing it gives me a bunch of,
> well, random data.
>
> However, when I ran my configure, it gives me the WARNING.RND message to the
> effect that I'm using the built-in. I've seen allusions on this list to
> building openssl with to get random support, so I rebuilt it and then reran
> configure for openssh. No changes. OpenSSL made references to a RANDFILE
> environment variable, so I set it, reconfigured and built openssl, then
> reconfigured openssh. I'm still getting the message that I have built-in
> random source.
>
> What gives? What do I have to do to get openssh or openssl to see my
> /dev/random?
I had a similar problem. The key is that you don't have to build OpenSSL
0.9.6c in any special way to get /dev/urandom support (on Solaris 8 at
least) - it appears to try to use it if it's there at run-time (when
OpenSSH is compiled on any Unix system). As a matter of fact, there
don't appear to be any user-configurable options at all for /dev/urandom
support in OpenSSL. In e_os.h, DEVRANDOM is set to "/dev/urandom" and in
crypto/rand/rand_win.c, if you're not compiling on Win32, there is code in
RAND_poll() that calls open(DEVRANDOM...).
So, the real trick to be rid of the OpenSSH internal entropy stuff and use
only /dev/urandom is to configure OpenSSH with "--with-rand-helper=no"
and there will be no warning about how you've configured OpenSSH to use
the random helper stuff.
Hope this helps...
Ed
Ed Phillips <ed at udel.edu> University of Delaware (302) 831-6082
Systems Programmer III, Network and Systems Services
finger -l ed at polycut.nss.udel.edu for PGP public key
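As an added example (not code from this mail, and not OpenSSL's own RAND_poll), the C function below mirrors the run-time probe Ed describes: open DEVRANDOM, pull a seed from it, and give up rather than stall if the device is not readable within a short wait. The fstat/S_ISCHR check is an extra caveat, so that a plain file placed at the device path is rejected instead of being accepted as entropy. `seed_from_device` and its parameters are hypothetical names.

```c
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/select.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <unistd.h>

#define DEVRANDOM "/dev/urandom"   /* same default the mail quotes from e_os.h */

/*
 * Read up to `want` seed bytes from `path`. No single wait for data lasts
 * longer than `timeout_ms` (relevant for a blocking /dev/random with a low
 * pool). Returns the number of bytes obtained, or -1 if the path cannot be
 * opened or is not a character device.
 */
long seed_from_device(const char *path, unsigned char *buf, size_t want, int timeout_ms)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NONBLOCK | O_NOCTTY);
    if (fd < 0 || fd >= FD_SETSIZE)
        return -1;
    /* Hardening: only a character device counts as an entropy source. */
    if (fstat(fd, &st) != 0 || !S_ISCHR(st.st_mode)) {
        close(fd);
        return -1;
    }
    size_t got = 0;
    while (got < want) {
        fd_set rfds;
        struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };
        FD_ZERO(&rfds);
        FD_SET(fd, &rfds);
        if (select(fd + 1, &rfds, NULL, NULL, &tv) <= 0)
            break;                       /* timed out or failed: stop, do not block */
        ssize_t r = read(fd, buf + got, want - got);
        if (r < 0 && (errno == EINTR || errno == EAGAIN))
            continue;                    /* transient: wait again */
        if (r <= 0)
            break;                       /* EOF (e.g. /dev/null) or hard error */
        got += (size_t)r;
    }
    close(fd);
    return (long)got;
}

int main(void)
{
    unsigned char seed[32];
    long n = seed_from_device(DEVRANDOM, seed, sizeof seed, 100);
    printf("%s: %ld seed bytes\n", DEVRANDOM, n);
    return n == (long)sizeof seed ? 0 : 1;
}
```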