Regarding the optional OpenSSL integration for the portable version

William Ahern william at 25thandClement.com
Sat May 3 08:43:09 EST 2014


On Fri, May 02, 2014 at 10:30:28PM +0000, Scott Neugroschl wrote:
> 
> > NetBSD and FreeBSD (as of 10.0) both use a sysctl, just like OpenBSD.
> > Linux also has an obscure sysctl which pulls directly from the internal
> > CSPRNG. So all of these will work in a jail without /dev or /proc.
> 
> > OS X still seeds itself from /dev/urandom in its arc4random
> > implementation, as it inherited FreeBSD's old code. Solaris sadly only
> > has /dev/urandom.
> 
> And then there are those implementations that have to use PRNGD because
> there's no built-in source of randomness.
> 

That's basically equivalent to /dev/urandom from the code's perspective. The
reason why /dev/urandom sucks is two-fold: 1) as already mentioned you can't
access it inside a chroot jail (unless explicitly created, but then you
can't mount with the nodev option), but also 2) you may have hit a file
descriptor limit and can't even open it.

Along those same lines: I don't understand why Linux, glibc & Co. are so
gung-ho about the /proc filesystem. Some glibc routines depend on it. /proc
proponents wave away the chroot jail problem because they seem to believe
complex, global configuration files are somehow preferable. Whatever. They
can keep their opinion. But there's no excusing the file descriptor limit
issue.



More information about the openssh-unix-dev mailing list