author | Colin Watson <cjwatson@debian.org> | 2011-09-06 09:45:52 +0100 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2011-09-06 09:45:52 +0100 |
commit | f38224d546cdde55f45c13d3d8225d273a3f920e (patch) | |
tree | a91a26b88ac90dc72d0ea3767feabb341eaa50a8 /WARNING.RNG | |
parent | 338146a3fc257e216fe5c10fe40e6896b40d7739 (diff) | |
parent | e90790abaf031e037f444a6658e136e48577ea49 (diff) |
merge 5.9p1
Diffstat (limited to 'WARNING.RNG')
-rw-r--r-- | WARNING.RNG | 95 |
1 files changed, 0 insertions, 95 deletions
diff --git a/WARNING.RNG b/WARNING.RNG deleted file mode 100644 index 97da74ff7..000000000 --- a/WARNING.RNG +++ /dev/null | |||
@@ -1,95 +0,0 @@ | |||
1 | This document contains a description of portable OpenSSH's random | ||
2 | number collection code. An alternate reading of this text could | ||
3 | well be titled "Why I should pressure my system vendor to supply | ||
4 | /dev/random in their OS". | ||
5 | |||
6 | Why is this important? OpenSSH depends on good, unpredictable numbers | ||
7 | for generating keys, performing digital signatures and forming | ||
8 | cryptographic challenges. If the random numbers that it uses are | ||
9 | predictable, then the strength of the whole system is compromised. | ||
10 | |||
11 | A particularly pernicious problem arises with DSA keys (used by the | ||
12 | ssh2 protocol). Performing a DSA signature (which is required for | ||
13 | authentication), entails the use of a 160 bit random number. If an | ||
14 | attacker can predict this number, then they can deduce your *private* | ||
15 | key and impersonate you or your hosts. | ||
16 | |||
17 | If you are using the builtin random number support (configure will | ||
18 | tell you if this is the case), then read this document in its entirety. | ||
19 | Alternately, you can use Lutz Jaenicke's PRNGd - a small daemon which | ||
20 | collects random numbers and makes them available by a socket. | ||
21 | |||
22 | Please also request that your OS vendor provides a kernel-based random | ||
23 | number collector (/dev/random) in future versions of your operating | ||
24 | systems by default. | ||
25 | |||
26 | On to the description... | ||
27 | |||
28 | The portable OpenSSH contains random number collection support for | ||
29 | systems which lack a kernel entropy pool (/dev/random). | ||
30 | |||
31 | This collector (as of 3.1 and beyond) comes as an external application | ||
32 | that allows the local admin to decide on how to implement entropy | ||
33 | collection. | ||
34 | |||
35 | The default entropy collector operates by executing the programs listed | ||
36 | in ($etcdir)/ssh_prng_cmds, reading their output and adding it to the | ||
37 | PRNG supplied by OpenSSL (which is hash-based). It also stirs in the | ||
38 | output of several system calls and timings from the execution of the | ||
39 | programs that it runs. | ||
40 | |||
41 | The ssh_prng_cmds file also specifies a 'rate' for each program. This | ||
42 | represents the number of bits of randomness per byte of output from | ||
43 | the specified program. | ||
44 | |||
45 | The random number code will also read and save a seed file to | ||
46 | ~/.ssh/prng_seed. This contents of this file are added to the random | ||
47 | number generator at startup. The goal here is to maintain as much | ||
48 | randomness between sessions as possible. | ||
49 | |||
50 | The default entropy collection code has two main problems: | ||
51 | |||
52 | 1. It is slow. | ||
53 | |||
54 | Executing each program in the list can take a large amount of time, | ||
55 | especially on slower machines. Additionally some program can take a | ||
56 | disproportionate time to execute. | ||
57 | |||
58 | Tuning the random helper can be done by running ./ssh-random-helper in | ||
59 | very verbose mode ("-vvv") and identifying the commands that are taking | ||
60 | excessive amounts of time or hanging altogher. Any problem commands can | ||
61 | be modified or removed from ssh_prng_cmds. | ||
62 | |||
63 | The default entropy collector will timeout programs which take too long | ||
64 | to execute, the actual timeout used can be adjusted with the | ||
65 | --with-entropy-timeout configure option. OpenSSH will not try to | ||
66 | re-execute programs which have not been found, have had a non-zero | ||
67 | exit status or have timed out more than a couple of times. | ||
68 | |||
69 | 2. Estimating the real 'rate' of program outputs is non-trivial | ||
70 | |||
71 | The shear volume of the task is problematic: there are currently | ||
72 | around 50 commands in the ssh_prng_cmds list, portable OpenSSH | ||
73 | supports at least 12 different OSs. That is already 600 sets of data | ||
74 | to be analysed, without taking into account the numerous differences | ||
75 | between versions of each OS. | ||
76 | |||
77 | On top of this, the different commands can produce varying amounts of | ||
78 | usable data depending on how busy the machine is, how long it has been | ||
79 | up and various other factors. | ||
80 | |||
81 | To make matters even more complex, some of the commands are reporting | ||
82 | largely the same data as other commands (eg. the various "ps" calls). | ||
83 | |||
84 | |||
85 | How to avoid the default entropy code? | ||
86 | |||
87 | The best way is to read the OpenSSL documentation and recompile OpenSSL | ||
88 | to use prngd or egd. Some platforms (like earily solaris) have 3rd | ||
89 | party /dev/random devices that can be also used for this task. | ||
90 | |||
91 | If you are forced to use ssh-rand-helper consider still downloading | ||
92 | prngd/egd and configure OpenSSH using --with-prngd-port=xx or | ||
93 | --with-prngd-socket=xx (refer to INSTALL for more information). | ||
94 | |||
95 | $Id: WARNING.RNG,v 1.8 2005/05/26 01:47:54 djm Exp $ | ||
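Review bot: Deleted lines 11-15 and 85-93 carry security guidance, and the commit message "merge 5.9p1" gives no reason for dropping it. Lines 11-15 warn that a predictable 160 bit number in a DSA signature lets an attacker deduce the private key. Lines 85-93 give the advice to use prngd/egd via --with-prngd-port=xx or --with-prngd-socket=xx. The diffstat is limited to WARNING.RNG, so this view does not show whether ssh-rand-helper and ssh_prng_cmds are removed in the same merge. If they are, please say so in the commit message or the package changelog and state what a system without /dev/random is expected to use instead. If any part of the builtin collector remains, the file should stay, because line 17 tells users of that code path to read it in its entirety.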