Re: PRNGD/Solaris 2.6/ssh 371p2

From: Lutz Jaenicke (Lutz.Jaenicke_at_aet.TU-Cottbus.DE)
Date: 10/22/03

  • Next message: Josh Friberg: "Forced Password Changes"

    Date: Wed, 22 Oct 2003 22:05:13 +0200
    To: secureshell@securityfocus.com

    On Tue, Oct 21, 2003 at 06:00:16PM -0400, Curt D McIntosh wrote:
    > On a Solaris 2.6 NIS Master, this is what I do using sunfreeware
    > packages...
    >
    > As root:
    > add /usr/local/bin, /usr/local/sbin and /usr/local/ssl/bin to my path.
    > add /usr/local/ssl/lib to LD_LIBRARY_PATH and source profile.
    >
    > --> pkgadd -d openssh-3.7.1p2-sol26-sparc-local
    > --> pkgadd -d openssl-0.9.7b-sol26-sparc-local
    > --> pkgadd -d zlib-1.1.4-sol26-sparc-local
    > --> pkgadd -d gcc-3.2.3-sol26-sparc-local
    > --> pkgadd -d tcp_wrappers-7.6-sol26-sparc-local
    > --> pkgadd -d prngd-0.9.25-sol26-sparc-local
    > --> pkgadd -d egd-0.8-sol26-sparc-local
    > --> pkgadd -d perl-5.8.0-sol26-sparc-local
    >
    > --> cat /var/adm/messages > /usr/local/etc/prngd/prngd-seed
    > --> mkdir /var/spool/prngd
    > --> /usr/local/sbin/prngd /var/spool/prngd/pool
    > --> /usr/local/bin/egc.pl /var/spool/prngd/pool get
    > I see this:
    > 32800 bits of entropy in pool
    >
    > --> mkdir /var/empty
    > --> chown root:sys /var/empty
    > --> chmod 600 /var/empty
    > --> groupadd sshd
    > --> useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd
    > --> cd /var/yp
    > --> make
    >
    > # ssh-keygen -t rsa1 -N ""
    > PRNG is not seeded
    >
    > # ps -ef | grep prngd
    > root 4031 228 0 14:41:09 pts/0 0:00 grep prngd
    > root 3985 1 0 14:39:54 ? 0:00 /usr/local/sbin/prngd
    > /var/spool/prngd/pool

    I am not familiar with the Sun freeware packages. OpenSSL does query
    prngd automatically, but only at other locations (e.g. /var/run/egd-pool).
    If OpenSSL is not self-seeded, OpenSSH can query EGD/PRNGD itself if
    instructed to do so. I did not follow recent changes to OpenSSH with
    respect to seeding, so I don't know whether there might exist some problems,
    since OpenSSL 0.9.7 takes care of this itself.

    I would recommend that you use
      /usr/local/sbin/prngd /var/spool/prngd/pool /var/run/egd-pool
    to establish an additional socket at the "well known" location.

    Best regards,
            Lutz

    -- 
    Lutz Jaenicke                             Lutz.Jaenicke@aet.TU-Cottbus.DE
    http://www.aet.TU-Cottbus.DE/personen/jaenicke/
    BTU Cottbus, Allgemeine Elektrotechnik
    Universitaetsplatz 3-4, D-03044 Cottbus
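
The check the reply asks for, as an added example that is not code from this thread, from prngd or from OpenSSL: a Python rendering of what egc.pl does over the EGD socket (command 0x00 returns the entropy estimate, 0x01 n returns up to n bytes), so an admin can confirm that prngd answers at a path OpenSSL will actually try before running ssh-keygen. Assumptions: the list of default socket paths is taken from the OpenSSL RAND_egd manual page for the 0.9.7 series, prngd 0.9.25 is assumed to speak the standard EGD protocol, and the mock daemon at the bottom is a constructed stand-in so the script runs offline.

```python
#!/usr/bin/env python3
"""Probe a PRNGD/EGD socket the way OpenSSL's RAND_egd() and egc.pl do.

Added example for this thread; not code from the thread, prngd or OpenSSL.
Includes a constructed mock daemon so the checks run without a real prngd.
"""
import os
import socket
import stat
import struct
import sys
import tempfile
import threading

# Paths OpenSSL 0.9.7 tries by default on a host without /dev/random
# (assumption taken from the RAND_egd(3) manual page), plus the pool
# path used in the thread.
DEFAULT_EGD_PATHS = ("/var/run/egd-pool", "/dev/egd-pool", "/etc/egd-pool",
                     "/etc/entropy", "/var/spool/prngd/pool")


def _recv_exact(sock, n):
    """Read exactly n bytes; EGD replies have fixed or self-described length."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("EGD socket closed before the reply was complete")
        buf += chunk
    return buf


def _connect(path, timeout=2.0):
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    sock.connect(path)
    return sock


def egd_entropy_bits(path):
    """Command 0x00: daemon replies with a 4-byte big-endian entropy estimate in bits."""
    with _connect(path) as sock:
        sock.sendall(b"\x00")
        return struct.unpack("!I", _recv_exact(sock, 4))[0]


def egd_read_nonblocking(path, nbytes):
    """Command 0x01 n: daemon replies with a 1-byte count, then that many bytes."""
    with _connect(path) as sock:
        sock.sendall(bytes([0x01, nbytes & 0xFF]))
        count = _recv_exact(sock, 1)[0]
        return _recv_exact(sock, count)


def find_egd_sockets(paths=DEFAULT_EGD_PATHS):
    """Return the candidate paths that exist and really are Unix-domain sockets."""
    return [p for p in paths
            if os.path.exists(p) and stat.S_ISSOCK(os.stat(p).st_mode)]


def mock_egd_server(path, pool_bits, connections, ready):
    """Constructed stand-in for prngd: serves `connections` clients, then exits."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)
    ready.set()
    for _ in range(connections):
        conn, _ = srv.accept()
        with conn:
            cmd = _recv_exact(conn, 1)
            if cmd == b"\x00":
                conn.sendall(struct.pack("!I", pool_bits))
            elif cmd == b"\x01":
                n = _recv_exact(conn, 1)[0]
                conn.sendall(bytes([n]) + os.urandom(n))
    srv.close()


def check_pool(path, want=16):
    """Query one socket; returns (entropy_bits, bytes_actually_returned)."""
    return egd_entropy_bits(path), len(egd_read_nonblocking(path, want))


def run_offline_demo(pool_bits=32800):
    """Run the checks against the mock daemon on a temporary socket path."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "egd-pool")
    ready = threading.Event()
    t = threading.Thread(target=mock_egd_server,
                         args=(path, pool_bits, 2, ready), daemon=True)
    t.start()
    ready.wait(2.0)
    found = find_egd_sockets(DEFAULT_EGD_PATHS + (path,))
    bits, nbytes = check_pool(path)
    t.join(2.0)
    os.unlink(path)
    os.rmdir(tmpdir)
    return {"path": path, "found": found, "bits": bits, "bytes": nbytes}


if __name__ == "__main__":
    if len(sys.argv) > 1:  # real socket, e.g. /var/run/egd-pool
        print("sockets found:", find_egd_sockets(DEFAULT_EGD_PATHS + tuple(sys.argv[1:])))
        print("entropy bits / bytes returned:", check_pool(sys.argv[1]))
    else:
        print(run_offline_demo())
```

Run it with no arguments to exercise the mock; run it with the socket path (for the setup in the thread, `/var/run/egd-pool` after restarting prngd with the extra socket argument) to test the real daemon. If `find_egd_sockets` lists nothing from the default set, OpenSSL's automatic EGD lookup will not find the pool, which is the situation the reply describes.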
    
