Clarification: int & ext. entropy sources?

From: Jonathan (jonathanNOFISH_at_sprintmail.com)
Date: 04/28/03

• Next message: Jonathan: "Re: keys."
• Previous message: Armin Krawinkel: "Re: ssh and cvs login, but no user login"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Mon, 28 Apr 2003 08:29:17 -0400

I am building OpenSSL 0.9.7b and OpenSSH 3.6.1p1 under Solaris 8. My
OpenSSL is configured to use the Solaris /dev/random supplied in 112438-01.

With OpenSSH 3.6.1p1, how are entropy sources handled? During
configuration, it identifies that OpenSSL's PRNG is internally seeded; this
is true, due to the existence of /dev/random.

But, my confusion comes from the use of OpenSSH's rand-helper. If you run
"configure" with "--with-rand-helper", at the end of the configuration you
get:

              Random number source: ssh-rand-helper
     ssh-rand-helper collects from: Command hashing (timeout 200)
...

WARNING: you are using the builtin random number collection
service. Please read WARNING.RNG and request that your OS
vendor includes kernel-based random number collection in
future versions of your OS.

...which sounds worrisome. It sounds like it will never use OpenSSL's
internal source (ie, /dev/random) at all.
But if you use "--without-rand-helper" you get:

              Random number source: OpenSSL internal ONLY

So the question is, is OpenSSH with rand-helper enabled ignoring the fact
that OpenSSL has an entropy source, or will it try to use OpenSSL's internal
source and just "fall back" to ssh-rand-helper if need be? I saw a previous
post where someone says the latter is true; however, due to the warning you
get at configuration time it makes me think it's only trying to use
ssh-rand-helper
and never tries OpenSSL's internal source. OTOH, I never get "PRNG not
seeded" messages, so maybe it isn't starving for entropy.
Can someone explain what is really happening?

thanks!
Jonathan

• Next message: Jonathan: "Re: keys."
• Previous message: Armin Krawinkel: "Re: ssh and cvs login, but no user login"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: Creating a self-signed CA cert ... >>needed to keep the openssl package from depending on perl, ... openssl and openssl-perl are seperate packages. ... this is where the remaining missing files and directories come ... section of the configuration file. ... (Fedora) Re: Clarification: OpenSSH entropy sources? ... Checks of OpenSSL can seed itself. ... If it can't and no ssh prng helper is configured, ... >> get at configuration time it makes me think it's only trying to use ... (SSH) Re: sendmail using OCSP verification? ... such an extension is present or is this totally a matter of the openssl ... sendmail uses) is essentially done by API calls, ... Currently there are two configuration modules. ... (comp.mail.sendmail) Re: OpenSSH 3.2.3p1 incompatibilities between Solaris 7 and 8 ... can't compile 3.2.3p1 on Solaris 8 ... (assuming your OpenSSL is in the usual place). ... configure:8336: error: Your OpenSSL headers do not match your library ... > checking for C compiler default output... ... (comp.security.ssh) Re: OpenSSH 3.2.3p1 incompatibilities between Solaris 7 and 8 ... can't compile 3.2.3p1 on Solaris 8 ... (assuming your OpenSSL is in the usual place). ... configure:8336: error: Your OpenSSL headers do not match your library ... > checking for C compiler default output... ... (comp.security.ssh)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint