Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh
From: Roger Marquis (marquis_at_roble.com)
Date: 09/19/03
- Previous message: Eli Dart: "Re: Questionable merits of inetd replacements"
- In reply to: Bruce M Simpson: "Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh"
- Next in thread: Bruce M Simpson: "Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh"
- Reply: Bruce M Simpson: "Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh"
- Reply: Dag-Erling Smørgrav: "Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 18 Sep 2003 17:56:59 -0700 (PDT) To: freebsd-security@freebsd.org
Bruce M Simpson wrote:
> When you run out of inetd to service a single connection, you have to
> generate a new ephemeral key for every ssh instance. This is a needless
> waste of precious entropy from /dev/random.
It takes all of 2 seconds to generate a ssh 2 new session on a
500Mhz cpu (causing less than 20% utilization). Considering that
99% of even the most heavily loaded servers have more than enough
cpu for this task I don't really see it as an issue.
Also, by generating a different key for each session you get better
entropy, which makes for better encryption, especially when you
consider that the keys for one session are useless when attempting
to decrypt other sessions. For this reason alone it's better to
run sshd out of inetd.
> I think running sshd out of inetd is a very bad idea indeed, unless
> Mr Marquis is willing to stay in my datacenter and hammer the keys like
> a monkey all day, but even then that might be a poor source of entropy.
I've been using inetd+ssh since 1995, in dozens of data centers,
across hundreds of hosts, and millions of sessions without a single
problem. I wonder what Bruce Schneier would think of Mr. Simpson's
understanding of cryptography?
-- Roger Marquis Roble Systems Consulting http://www.roble.com/ _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
- Previous message: Eli Dart: "Re: Questionable merits of inetd replacements"
- In reply to: Bruce M Simpson: "Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh"
- Next in thread: Bruce M Simpson: "Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh"
- Reply: Bruce M Simpson: "Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh"
- Reply: Dag-Erling Smørgrav: "Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
