openssh / prngd unresolved bug since 2002, need help

David Beecher dbeecher at dmsgs.com
Sat Jul 12 06:10:21 EST 2008


Thank you.

I already did that and any variation of that.  Does not help.  We found 
that if we connected more slowly to the sshd server daemon that the 
problem would not happen.  After a lot of digging, ruling out firewall, 
network, etc., we finally figured out the source of the bug -- prngd -- 
and how it does entropy.  Under high demand it fails.  This is a known 
specific bug with prngd that has never been resolved and those that have 
run into the problem never effectively troubleshot it.  They just 
figured a different way out or gave up.  Neither of those is an option 
here. 

This error was specifically introduced in prngd in the .25 version and 
has never been fixed. 

I contacted this list because I had no response from the 
sourceforge/prngd "project".

Very much appreciate your help.

Thank you,
David


Ben Lindstrom wrote:
>
> Under high number of connections if prngd is holding up the connection 
> becoming authenticated you may be hitting your "MaxStartups" value.
>
> $ man sshd_config
> [..]
>      MaxStartups
>              Specifies the maximum number of concurrent unauthenticated
>              connections to the SSH daemon.  Additional connections will be
>              dropped until authentication succeeds or the LoginGraceTime
>              expires for a connection.  The default is 10.
> [..]
>
> As a work around (not suggesting this is an end-all solution) could be 
> to bump that number to 20, and see if the problem becomes less frequent.
>
> If this does improve your life then one has to figure out a better way 
> to get entropy.  I suspect you are running too low to effectively pass 
> good random data to sshd to use.
>
> If you are on Solaris 9.. You should have a /dev/[u]random and you 
> shouldn't need prngd (or am I thinking Solaris 10?).
>
> - Ben
>
> On Fri, 11 Jul 2008, David Beecher wrote:
>
>> Hello,
>>
>> I apologize if this is the wrong list. It was the list I was directed
>> towards. I have reviewed the archives as well as everything I could
>> google before posting. Any help is most appreciated:
>>
>> We're seeing an error during sftp and ssh connections with consistent
>> regularity. It's triggered by a high number of connections coming into
>> sftp/ssh at the same time. It affects additional connections and leaves
>> the failed connect attempts open for days in a TCP_WAIT state. We're
>> seeing the error in the system logs:
>>
>> openssh session hanging - prngd[671]: write() in socket_write() failed:
>> Broken pipe
>>
>> This appears to be an issue that has been an unresolved problem with
>> prngd since 2002.  Some have attributed the problem to prngd version
>> 0.9.26 (2004) but we are seeing it with version 0.9.25 (30 May 2002) as
>> have others that we've seen on the web.
>>
>> The problem appears to be (we are quoting here):
>>
>> -- snip --
>>  When lots of processes query entropy at the same time, the "fairness"
>>  change introduced in 0.9.25 could lead to clients being only served with
>>  a delay.
>>  Reason: in serverloop.c the next client to serve is "i1" as determined from
>>    i1 = (prev_location + i) % max_query_old;
>>  The client that actually was served however was "i" instead of "i1".
>>  If the connection of "i" was not yet ready for "write" state set after
>>  getting the entropy, it might block.
>>  This problem has not been reported by any other user, though it might also
>>  have occurred at other sites.
>>  Depending on the internal sorting of sockets by fd/slot (number increasing
>>  in the sequence of accepted connections, closed connections are
>>  removed from the list), connections might appear locked.
>>  The entropy served was not provided in the sequence intended. The
>>  entropy bytes returned via internal buffer however were consistent
>>  with the connection served (buffer[i] was filled correctly for
>>  connection[i]). The problem therefore has no impact on the quality
>>  of seeding.
>> -- snap --
>>
>> It appears that the latest version of prngd for sunos is 0.9.25 up
>> through solaris 9.
>>
>> The sourceforge for prngd (http://sourceforge.net/projects/prngd/) is
>> alive but does not appear to be active. I'm going to contact them; has
>> anybody else found a reliable solution or a newer version of prngd for
>> sunos 5.8 that does not have this issue?
>>
>> We have not received any response from the prngd group on sourceforge.
>>
>> Thank you in advance for any/all help,
>> David
>>
>> _______________________________________________
>> openssh-unix-dev mailing list
>> openssh-unix-dev at mindrot.org
>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>>

-- 

David Beecher, Executive Vice President and Chief Technical Officer
Digital Messaging Solutions, Inc.
678.446.3050 voice   866.881.7081 fax
http://www.dmsgs.com
We appreciate your business!

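Added example (not part of the thread and not prngd's source code): a small model of the serverloop fairness bug quoted above. It walks the rotation i = 0..n-1, computes i1 = (prev_location + i) % max_query_old exactly as the changelog states, and contrasts writing to i1 (the slot whose socket was checked) with the 0.9.25 behaviour of writing to i. Everything else is an assumption of the model: slot numbering 0..n-1, a set of slots that select() reported writable, a write to a non-writable slot being treated as a blocking write, and prev_location advancing to the slot after the one the fair rotation picked.

```python
"""Toy model of the prngd 0.9.25 serverloop fairness bug quoted in the thread.

Constructed illustration only (not prngd source).  Assumptions: n query slots
numbered 0..n-1, a set of slots whose sockets select() reported writable, a
write to a non-writable slot blocks, and prev_location advances to the slot
after the one the fair rotation chose.
"""
from typing import List, Optional, Set, Tuple


def pick_next(ready: Set[int], prev_location: int, n: int) -> Optional[Tuple[int, int]]:
    """Walk the rotation i = 0..n-1 and return (i, i1) for the first step whose
    fair-rotation slot i1 = (prev_location + i) % n is writable; None if no
    slot is ready.  i1 follows the formula in the quoted changelog."""
    for i in range(n):
        i1 = (prev_location + i) % n
        if i1 in ready:
            return i, i1
    return None


def serve_once(ready: Set[int], prev_location: int, n: int,
               buggy: bool) -> Tuple[Optional[int], bool, int]:
    """One serverloop pass.  Returns (slot written to, blocked?, new prev_location).

    Fixed behaviour writes to i1, the slot whose readiness was just checked.
    The 0.9.25 behaviour writes to i instead; if slot i is not writable the
    single-threaded daemon blocks on that write() (modelled as blocked=True).
    """
    step = pick_next(ready, prev_location, n)
    if step is None:
        return None, False, prev_location
    i, i1 = step
    target = i if buggy else i1
    blocked = target not in ready
    # Assumption: the rotation resumes just after the slot the fair pass chose.
    return target, blocked, (i1 + 1) % n


def simulate(rounds: List[Set[int]], n: int, prev_location: int,
             buggy: bool) -> Tuple[List[Optional[int]], List[bool]]:
    """Run one pass per element of `rounds` (each a set of writable slots) and
    collect which slot was served and whether that write would have blocked."""
    served: List[Optional[int]] = []
    blocked: List[bool] = []
    for ready in rounds:
        slot, did_block, prev_location = serve_once(ready, prev_location, n, buggy)
        served.append(slot)
        blocked.append(did_block)
    return served, blocked


if __name__ == "__main__":
    # Constructed scenario: four clients, all writable, rotation starts at slot 2.
    all_ready = [{0, 1, 2, 3}] * 4
    print("fixed :", simulate(all_ready, 4, 2, buggy=False))  # ([2, 3, 0, 1], no blocks)
    print("0.9.25:", simulate(all_ready, 4, 2, buggy=True))   # ([0, 0, 0, 0], no blocks)
    # Constructed scenario: only slots 2 and 3 writable, rotation starts at 2.
    print("0.9.25:", simulate([{2, 3}], 4, 2, buggy=True))    # ([0], [True]): blocks
```

Under these assumptions the model reproduces both symptoms the changelog describes: with every client writable, the fair loop rotates through slots 2, 3, 0, 1 while the 0.9.25 loop keeps writing to slot 0 and the other connections appear locked; with only some clients writable, the 0.9.25 loop writes to a slot that select() never reported ready and the daemon stalls on it, which is the point at which the `write() in socket_write() failed: Broken pipe` messages and hung sshd sessions in the original report would surface once the stalled client gives up.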



