Re: PRNGD/Solaris 2.6/ssh 371p2

From: Lutz Jaenicke (Lutz.Jaenicke_at_aet.TU-Cottbus.DE)
Date: 10/22/03

    Date: Wed, 22 Oct 2003 22:05:13 +0200
    To: secureshell@securityfocus.com

    On Tue, Oct 21, 2003 at 06:00:16PM -0400, Curt D McIntosh wrote:
    > On a Solaris 2.6 NIS Master, this is what I do using sunfreeware
    > packages...
    >
    > As root:
    > add /usr/local/bin, /usr/local/sbin and /usr/local/ssl/bin to my path.
    > add /usr/local/ssl/lib to LD_LIBRARY_PATH and source profile.
    >
    > --> pkgadd -d openssh-3.7.1p2-sol26-sparc-local
    > --> pkgadd -d openssl-0.9.7b-sol26-sparc-local
    > --> pkgadd -d zlib-1.1.4-sol26-sparc-local
    > --> pkgadd -d gcc-3.2.3-sol26-sparc-local
    > --> pkgadd -d tcp_wrappers-7.6-sol26-sparc-local
    > --> pkgadd -d prngd-0.9.25-sol26-sparc-local
    > --> pkgadd -d egd-0.8-sol26-sparc-local
    > --> pkgadd -d perl-5.8.0-sol26-sparc-local
    >
    > --> cat /var/adm/messages > /usr/local/etc/prngd/prngd-seed
    > --> mkdir /var/spool/prngd
    > --> /usr/local/sbin/prngd /var/spool/prngd/pool
    > --> /usr/local/bin/egc.pl /var/spool/prngd/pool get
    > I see this:
    > 32800 bits of entropy in pool
    >
    > --> mkdir /var/empty
    > --> chown root:sys /var/empty
    > --> chmod 600 /var/empty
    > --> groupadd sshd
    > --> useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd
    > --> cd /var/yp
    > --> make
    >
    > # ssh-keygen -t rsa1 -N ""
    > PRNG is not seeded
    >
    > # ps -ef | grep prngd
    > root 4031 228 0 14:41:09 pts/0 0:00 grep prngd
    > root 3985 1 0 14:39:54 ? 0:00 /usr/local/sbin/prngd
    > /var/spool/prngd/pool

    I am not familiar with the Sun freeware packages. OpenSSL does query
    prngd automatically, but only at other locations (e.g. /var/run/egd-pool).
    If OpenSSL is not self-seeded, OpenSSH can query EGD/PRNGD itself if
    instructed to do so. I did not follow recent changes to OpenSSH with
    respect to seeding, so I don't know whether there might exist some problems,
    since OpenSSL 0.9.7 takes care of this itself.

    I would recommend that you use
      /usr/local/sbin/prngd /var/spool/prngd/pool /var/run/egd-pool
    to establish an additional socket at the "well known" location.

    Best regards,
            Lutz

    -- 
    Lutz Jaenicke                             Lutz.Jaenicke@aet.TU-Cottbus.DE
    http://www.aet.TU-Cottbus.DE/personen/jaenicke/
    BTU Cottbus, Allgemeine Elektrotechnik
    Universitaetsplatz 3-4, D-03044 Cottbus
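The quoted procedure verifies the pool with `egc.pl`, and the reply's fix is to expose a second socket at `/var/run/egd-pool`. As an added example (not code from this thread, from prngd or from OpenSSH), the following Python client speaks the same EGD socket protocol that `egc.pl` uses (send a single `0x00` byte, receive a 4-byte big-endian count of entropy bits) and reports which of the well-known socket paths actually has a daemon answering. The candidate path list beyond `/var/run/egd-pool` is assumed to match OpenSSL 0.9.7's compiled-in EGD defaults.

```python
import os
import socket
import struct

# Socket paths OpenSSL falls back to when it has no self-seeding source
# (assumed to match OpenSSL 0.9.7's DEVRANDOM_EGD default list);
# /var/run/egd-pool is the location the reply recommends adding.
WELL_KNOWN_EGD_SOCKETS = [
    "/var/run/egd-pool", "/dev/egd-pool", "/etc/egd-pool", "/etc/entropy",
]


def parse_entropy_reply(reply: bytes) -> int:
    """Decode the 4-byte big-endian bit count prngd/egd return for command 0x00."""
    if len(reply) != 4:
        raise ValueError(f"short EGD reply: {reply!r}")
    return struct.unpack("!I", reply)[0]


def query_entropy_bits(path: str, timeout: float = 2.0) -> int:
    """Ask the EGD daemon listening at `path` how many bits of entropy it holds."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(path)
        s.sendall(b"\x00")          # EGD command 0: report available entropy
        reply = b""
        while len(reply) < 4:       # read exactly the 4-byte reply
            chunk = s.recv(4 - len(reply))
            if not chunk:
                break
            reply += chunk
    return parse_entropy_reply(reply)


def check_egd_sockets(paths=WELL_KNOWN_EGD_SOCKETS) -> dict:
    """Per candidate path: 'missing', an 'error: ...' string, or the bit count."""
    report = {}
    for p in paths:
        if not os.path.exists(p):
            report[p] = "missing"
            continue
        try:
            report[p] = query_entropy_bits(p)
        except (OSError, ValueError) as e:
            report[p] = f"error: {e}"
    return report


if __name__ == "__main__":
    for path, status in check_egd_sockets().items():
        print(f"{path}: {status}")
```

A reading of `32800` at `/var/run/egd-pool` corresponds to the "32800 bits of entropy in pool" line the poster saw from `egc.pl`, but now at the path OpenSSL probes on its own.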