openssh / prngd unresolved bug since 2002, need help

Ben Lindstrom mouring at eviladmin.org
Sat Jul 12 05:57:34 EST 2008


Under a high number of connections, if prngd is holding up the connection 
becoming authenticated, you may be hitting your "MaxStartups" value.

$ man sshd_config
[..]
      MaxStartups
              Specifies the maximum number of concurrent unauthenticated
              connections to the SSH daemon.  Additional connections will be
              dropped until authentication succeeds or the LoginGraceTime
              expires for a connection.  The default is 10.
[..]

A workaround (not suggesting this is an end-all solution) could be to 
bump that number to 20, and see if the problem becomes less frequent.

If this does improve your life then one has to figure out a better way to 
get entropy.  I suspect you are running too low to effectively pass good 
random data to sshd to use.

If you are on Solaris 9.. You should have a /dev/[u]random and you 
shouldn't need prngd (or am I thinking Solaris 10?).

- Ben

On Fri, 11 Jul 2008, David Beecher wrote:

> Hello,
>
> I apologize if this is the wrong list. It was the list I was directed
> towards. I have reviewed the archives as well as everything I could
> google before posting. Any help is most appreciated:
>
> We're seeing an error during sftp and ssh connections with consistent
> regularity. It's triggered by a high number of connections coming into
> sftp/ssh at the same time. It affects additional connections and leaves
> the failed connect attempts open for days in a TCP_WAIT state. We're
> seeing the error in the system logs:
>
> openssh session hanging - prngd[671]: write() in socket_write() failed:
> Broken pipe
>
> This appears to be an issue that has been an unresolved problem with
> prngd since 2002.  Some have attributed the problem to prngd version
> 0.9.26 (2004) but we are seeing it with version 0.9.25 (30 May 2002) as
> have others that we've seen on the web.
>
> The problem appears to be (we are quoting here):
>
> -- snip --
>  When lots of processes query entropy at the same time, the "fairness"
>  change introduced in 0.9.25 could lead to clients being only served with
>  a delay.
>  Reason: in serverloop.c the next client to serve is "i1" as determined from
>    i1 = (prev_location + i) % max_query_old;
>  The client that actually was served however was "i" instead of "i1".
>  If the connection of "i" was not yet ready for "write" state set after
>  getting the entropy, it might block.
>  This problem has not been reported by any other user, though it might also
>  have occurred at other sites.
>  Depending on the internal sorting of sockets by fd/slot (number increasing
>  in the sequence of accepted connections, closed connections are
>  removed from the list), connections might appear locked.
>  The entropy served was not provided in the sequence intended. The
>  entropy bytes returned via internal buffer however were consistent
>  with the connection served (buffer[i]) was filled correctly for
>  connection[i]. The problem therefore has no impact on the quality
>  of seeding.
> -- snap --
>
> It appears that the latest version of prngd for sunos is 0.9.25 up
> through solaris 9.
>
> The sourceforge for prngd (http://sourceforge.net/projects/prngd/) is
> alive but does not appear to be active. I'm going to contact them; has
> anybody else found a reliable solution or a newer version of prngd for
> sunos 5.8 that does not have this issue?
>
> We have not received any response from the prngd group on sourceforge.
>
> Thank you in advance for any/all help,
> David
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
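The quoted prngd changelog describes the 0.9.25 fairness bug only in words: the loop computes the rotated slot i1 = (prev_location + i) % max_query_old but then serves slot i. The following is an added illustration, not prngd's serverloop.c, that models one pass over the client slots in both the buggy and the intended form. The slot count, readiness flags, the starting prev_location and the simplification that a non-writable slot blocks the whole pass are constructed assumptions for the example; they are not taken from prngd.

```python
# Added example, not prngd's code: a simplified model of the serverloop
# "fairness" bug quoted above (prngd 0.9.25). Each pass computes the
# rotated index i1 = (prev_location + i) % n, but the buggy build served
# slot i instead. Slot readiness, the slot count and prev_location are
# constructed for illustration; real prngd uses select() on sockets.

def intended_order(n, prev_location):
    """Rotated round-robin order the fairness change meant to use."""
    return [(prev_location + i) % n for i in range(n)]

def serve_pass(ready, prev_location, fixed):
    """Walk one pass over n client slots.

    ready: list of booleans, True if slot i is writable right now.
    fixed: True serves slot i1 (intended), False serves slot i (the bug).
    Returns (served, blocked_on): slots served before the pass reached
    a slot not ready for write (modelled here as blocking the pass),
    and that slot, or None if the whole pass completed.
    """
    n = len(ready)
    served = []
    for i in range(n):
        i1 = (prev_location + i) % n
        target = i1 if fixed else i
        if not ready[target]:
            return served, target      # write() would block on this slot
        served.append(target)
    return served, None

def fairness_demo():
    # Four accepted connections; slot 0 (the oldest, lowest fd) is not
    # yet writable. The previous pass left prev_location at 2, so the
    # intended order starts at slot 2, not at slot 0.
    ready = [False, True, True, True]
    prev_location = 2
    return {
        "intended": intended_order(len(ready), prev_location),
        "buggy": serve_pass(ready, prev_location, fixed=False),
        "fixed": serve_pass(ready, prev_location, fixed=True),
    }

if __name__ == "__main__":
    for name, result in fairness_demo().items():
        print(name, result)
```

With the bug, every pass starts at slot 0 regardless of prev_location, so one not-yet-writable old connection holds up all the newer ones and they "appear locked", which is the symptom David reports. The intended rotation serves slots 2 and 3 before reaching the stalled slot. The model also shows why seeding quality is unaffected: whichever slot is served, the bytes it receives are the ones buffered for that same slot.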

