RFE: Portable OpenSSH
Damien Miller
djm at mindrot.org
Wed Mar 28 11:05:37 EST 2001
On Tue, 27 Mar 2001, Dan Kaminsky wrote:
> > > But who would be running prngd? Lets say every user used their
> > > own entropy gatherer. Instead of entropy gathering on demand, when
> > > the ssh executables were actually being called, each user would be
> > > hammering the box continually. That's not elegant,
> >
> > Bingo - this is exactly what OpenSSH does at the moment.
>
> No, it's not. prngd goes ahead and grabs entropy in advance; openssh
> is only grabbing entropy when it directly needs it. It's slower,
> yes, but it's more than fast enough for low-to-midrange use.
OpenSSH grabs it every time it runs; with a daemon you have the opportunity
to take advantage of its long lifespan and spread the collection over a
longer time period. This results in fewer load spikes and better quality
entropy.
> > What is the advantage of all this runtime checking? Systems with
> > /dev/random should _always_ have it available.
>
> Surprised the hell outta me when I realized this was a problem. I
> installed the ANDIrand package on my dev box some time ago, then
> later built the latest OpenSSH. Imagine my surprise when the
> binaries compiled on that machine wouldn't work on any other Solaris
> machine--oops, none of the other ones had ANDIrand installed.
You need to build different packages for different system environments.
I see this as no different to systems which have libc differing in
major number.
> > PRNGd has been designed (and audited) to do this task well.
>
> Like I said, I *like* the concept of prngd. I just don't accept that a
> local daemon should be required for a local client to execute successfully.
> Help it out? Speed it up? Increase efficiency? Decrease redundancy (as
> long as the shared source is root)? Sure. But *mandate*, on penalty of
> failure?
I don't see why mandating it is a problem. It is a _one off_ installation
which may be used by more than OpenSSH (OpenSSL supports it too, as does
postfix-tls, as does GPG).
-d
--
| Damien Miller <djm at mindrot.org> \ "E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem" - Dan Geer
More information about the openssh-unix-dev mailing list