Call for testing: OpenSSH-6.2

Darren Tucker dtucker at
Wed Mar 20 10:25:09 EST 2013

On Wed, Mar 20, 2013 at 7:46 AM, Kevin Brott <kevin.brott at> wrote:
> Using this
> time ...
> No extra RNG toolkit installed at all on this system - and make tests
> always fails right at every single time.
> I know that HP-UX 11.11 doesn't have a kernel-based RNG by default
> (optional package KRNGD supplies it, but I can't install anything new on
> this box.
> I seem to remember once upon a time - that while it was 'insecure' due to
> the entropy being drek - that openssh would still pass make tests (with
> warnings) if no decent RNG was installed.  Admittedly I haven't tested on
> such a system in a very long time, but did I miss something in a release
> note somewhere that says it's a required element now?

Yep, in 5.9 ssh-random-helper was removed:

" * This release removes support for ssh-rand-helper. OpenSSH now
   obtains its random numbers directly from OpenSSL or from
   a PRNGd/EGD instance specified at configure time.

You must have some form of entropy available to openssl, though, or it
would not build or run at all.

You can probably run prngd as a non-privileged user then build openssh
with "./configure --with-prngd-socket=/tmp/socket" (admittedly I've
never tried this).  Looking at the code in entropy.c I think it'll
prefer the system entropy source it it's available.

I'd try this myself, but my trusty old HP workstation decided it no
longer wants to power on :-(

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list