Regarding the optional OpenSSL integration for the portable version

William Ahern william at 25thandClement.com
Mon May 5 09:08:35 EST 2014


On Sun, May 04, 2014 at 10:56:03PM +0200, ?ngel Gonz?lez wrote:
> On 02/05/14 21:40, William Ahern wrote:
> >Linux
> >also has an obscure sysctl which pulls directly from the internal CSPRNG. 
> >So
> >all of these will work in a jail without /dev or /proc.
> 
> That's cool, but as stated on Linux sysctl(2):
<snip>
> >       This system call is available only if the kernel was configured 
> >with the CONFIG_SYSCTL_SYSCALL option.
> 
> And indeed, trying a test program calling CTL_KERN, KERN_RANDOM, 
> RANDOM_UUID (from your code) prints
> >warning: process `sysctl-rand' used the deprecated sysctl system call 
> >with 1.40.6.
> 
> and returned with ENOSYS (the kernel was compiled without 
> CONFIG_SYSCTL_SYSCALL).
> 
> So I don't think it's a suitable primary mean to gather random data 
> under Linux. :-(

It still works on the latest Ubuntu, but I see now that Red Hat (Fedora
Rawhide) has disabled it. So much for ABI stability. glibc says lots of
stupid stuff in their manual pages, but I didn't think Linux would actually
break it this way, given how much of a stink Linus makes about preserving
userspace compatibility.

In any event, it's still the only proper solution. Otherwise there is no
reliable means and Linux can just be considered second-class in this regard,
like Solaris, OS X, and others.

Of course it's smart to always check the return value and have a fallback in
case some people thoughtlessly turned it off. My sample code I linked to
does fallback to /dev/urandom, as well as [somewhat ashamedly] collects junk
data in a last ditch effort, including collecting bits from ASLR, getrusage,
and uname.

> I encourage you to raise at lkml the need to have a dev-less random data 
> source, though.

They tend to ignore unknown people on LKML. I once submitted a bug report
about datagram connect(2) behavior where you couldn't change the destination
address if it was on another network, despite the manual pages (and POSIX)
saying that it would work. I doubt anybody even bothered reading it, and of
course nobody replied.

I'll give it a try, though. I'll also try contacting Red Hat, and inquire
with the Debian and Ubuntu folks to see if they intended to change their
configuration.



More information about the openssh-unix-dev mailing list