Call for testing: OpenSSH-6.2

Darren Tucker dtucker at zip.com.au
Wed Mar 20 10:25:09 EST 2013


On Wed, Mar 20, 2013 at 7:46 AM, Kevin Brott <kevin.brott at gmail.com> wrote:
[....]
> Using http://www.mindrot.org/openssh_snap/openssh-SNAP-20130320.tar.gz this
> time ...
>
> No extra RNG toolkit installed at all on this system - and make tests
> always fails right at multiplex.sh every single time.
> I know that HP-UX 11.11 doesn't have a kernel-based RNG by default
> (optional package KRNGD supplies it, but I can't install anything new on
> this box).
>
> I seem to remember once upon a time - that while it was 'insecure' due to
> the entropy being drek - that openssh would still pass make tests (with
> warnings) if no decent RNG was installed.  Admittedly I haven't tested on
> such a system in a very long time, but did I miss something in a release
> note somewhere that says it's a required element now?

Yep, in 5.9 ssh-random-helper was removed: http://openssh.com/txt/release-5.9

" * This release removes support for ssh-rand-helper. OpenSSH now
   obtains its random numbers directly from OpenSSL or from
   a PRNGd/EGD instance specified at configure time.
"

You must have some form of entropy available to openssl, though, or it
would not build or run at all.

You can probably run prngd as a non-privileged user then build openssh
with "./configure --with-prngd-socket=/tmp/socket" (admittedly I've
never tried this).  Looking at the code in entropy.c I think it'll
prefer the system entropy source if it's available.

I'd try this myself, but my trusty old HP workstation decided it no
longer wants to power on :-(

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.


More information about the openssh-unix-dev mailing list