diff options
author | Damien Miller <djm@mindrot.org> | 2002-04-14 23:16:04 +1000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2002-04-14 23:16:04 +1000 |
commit | 49411ff8a7fb1da93b938552f37230faf48a5c29 (patch) | |
tree | 68480ad1169eeb9f96ef098870ea9f21722e3a3c /WARNING.RNG | |
parent | 32e48180154a9d03fab7288fc18080acee29c7a8 (diff) |
- (djm) Random number collection doc fixes from Ben
Diffstat (limited to 'WARNING.RNG')
-rw-r--r-- | WARNING.RNG | 35 |
1 files changed, 24 insertions, 11 deletions
diff --git a/WARNING.RNG b/WARNING.RNG index 487346ef3..ae43930a7 100644 --- a/WARNING.RNG +++ b/WARNING.RNG | |||
@@ -28,8 +28,12 @@ On to the description... | |||
28 | The portable OpenSSH contains random number collection support for | 28 | The portable OpenSSH contains random number collection support for |
29 | systems which lack a kernel entropy pool (/dev/random). | 29 | systems which lack a kernel entropy pool (/dev/random). |
30 | 30 | ||
31 | This collector operates by executing the programs listed in | 31 | This collector (as of 3.1 and beyond) comes as an external application |
32 | ($etcdir)/ssh_prng_cmds, reading their output and adding it to the | 32 | that allows the local admin to decide on how to implement entropy |
33 | collection. | ||
34 | |||
35 | The default entropy collector operates by executing the programs listed | ||
36 | in ($etcdir)/ssh_prng_cmds, reading their output and adding it to the | ||
33 | PRNG supplied by OpenSSL (which is hash-based). It also stirs in the | 37 | PRNG supplied by OpenSSL (which is hash-based). It also stirs in the |
34 | output of several system calls and timings from the execution of the | 38 | output of several system calls and timings from the execution of the |
35 | programs that it runs. | 39 | programs that it runs. |
@@ -43,7 +47,7 @@ The random number code will also read and save a seed file to | |||
43 | number generator at startup. The goal here is to maintain as much | 47 | number generator at startup. The goal here is to maintain as much |
44 | randomness between sessions as possible. | 48 | randomness between sessions as possible. |
45 | 49 | ||
46 | The entropy collection code has two main problems: | 50 | The default entropy collection code has two main problems: |
47 | 51 | ||
48 | 1. It is slow. | 52 | 1. It is slow. |
49 | 53 | ||
@@ -51,14 +55,13 @@ Executing each program in the list can take a large amount of time, | |||
51 | especially on slower machines. Additionally some program can take a | 55 | especially on slower machines. Additionally some program can take a |
52 | disproportionate time to execute. | 56 | disproportionate time to execute. |
53 | 57 | ||
54 | This can be tuned by the administrator. To debug the entropy | 58 | Tuning the default entropy collection code is difficult at this point. |
55 | collection is great detail, turn on full debugging ("ssh -v -v -v" or | 59 | It requires doing 'times ./ssh-rand-helper' and modifying the |
56 | "sshd -d -d -d"). This will list each program as it is executed, how | 60 | ($etcdir)/ssh_prng_cmds until you have found the issue. In the next |
57 | long it took to execute, its exit status and whether and how much data | 61 | release we will be looking at support '-v' for verbose output to allow |
58 | it generated. You can the find the culprit programs which are causing | 62 | easier debugging. |
59 | the real slow-downs. | ||
60 | 63 | ||
61 | The entropy collector will timeout programs which take too long | 64 | The default entropy collector will timeout programs which take too long |
62 | to execute, the actual timeout used can be adjusted with the | 65 | to execute, the actual timeout used can be adjusted with the |
63 | --with-entropy-timeout configure option. OpenSSH will not try to | 66 | --with-entropy-timeout configure option. OpenSSH will not try to |
64 | re-execute programs which have not been found, have had a non-zero | 67 | re-execute programs which have not been found, have had a non-zero |
@@ -79,5 +82,15 @@ up and various other factors. | |||
79 | To make matters even more complex, some of the commands are reporting | 82 | To make matters even more complex, some of the commands are reporting |
80 | largely the same data as other commands (eg. the various "ps" calls). | 83 | largely the same data as other commands (eg. the various "ps" calls). |
81 | 84 | ||
82 | $Id: WARNING.RNG,v 1.4 2001/02/09 01:55:36 djm Exp $ | ||
83 | 85 | ||
86 | How to avoid the default entropy code? | ||
87 | |||
88 | The best way is to read the OpenSSL documentation and recompile OpenSSL | ||
89 | to use prngd or egd. Some platforms (like earily solaris) have 3rd | ||
90 | party /dev/random devices that can be also used for this task. | ||
91 | |||
92 | If you are forced to use ssh-rand-helper consider still downloading | ||
93 | prngd/egd and configure OpenSSH using --with-prngd-port=xx or | ||
94 | --with-prngd-socket=xx (refer to INSTALL for more information). | ||
95 | |||
96 | $Id: WARNING.RNG,v 1.5 2002/04/14 13:16:05 djm Exp $ | ||