Re: prngd usage on OpenSsh4.3p2

Enrique Sanchez Vela wrote:
I've been toying with openssh 4.3p2 for a while now on
AIX 5.1 and I am trying to build it with prngd
support, however, everytime I start sshd or issue an
ssh command (whith prngd daemon not running) it just
works fine.

I am building sshd with the following options,

./configure --with-ipaddr-display --with-md5-passwords
--with-privsep-user=sshd --sysconfdir=/etc/ssh/
--with-ssl-dir=/usr/local/ssl --prefix=/usr/local
--with-prngd-port=708 --with-rand-helper=prngd

if anyone could explain the behaivor to me, I would

--with-rand-helper doesn't take any arguments (other than yes/no). What you're doing there is always building ssh-rand-helper.

Normally, when you run configure, it checks if OpenSSL's RNG is "self-seeded". For modern versions of OpenSSL, this basically means the OpenSSL itself checks if there's a decent entropy source on your system such as /dev/random (which AIX 5.1 doesn't have) or prngd /egd (it actually only checks for the presence of a prngd/egd socket at a few default places).

At OpenSSH build time, if the RNG isn't self-seeded configure automatically builds "ssh-rand-helper", which is an external process that runs around collecting entropy from various sources, mashing them together and returning the result to whichever process ran it. This is then used to seed OpenSSL's RNG, which is then supplies the randomness used for the ssh/sshd process.

Aat run time, the OpenSSH processes that need the RNG again check if OpenSSL's considers the RNG self-seeded. OpenSSL checks again, and if it finds an entropy source it is used. If not, it tells OpenSSH that it's not self-seeded and OpenSSH runs ssh-rand-helper (if it was built) or fails with a "PRNG not seeded error" (if it wasn't). You can see what it's doing by adding "-vvv" to an ssh command line.

Now in your case, you're always building ssh-rand-helper, so even if you stop prngd, OpenSSH has a source of entropy. If you remove the --with-rand-helper option from configure and rebuild OpenSSH then you will probably get the behaviour you expect.

The other thing to bear in mind is that some of these things are detected at build time *of both OpenSSL and OpenSSH* and some are also dependant on the versions in question.

ssh-random-helper also knows how to talk to prngd. Before OpenSSH 4.0p1, if configure found prngd at build time then ssh-rand-helper would fail at run time if prngd wasn't running. From 4.0p1, it will fall back to collecting entropy from commands in this case (you will usually see an error from ssh in this case).

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.