-rw-r--r-- | ChangeLog | 3
-rw-r--r-- | INSTALL | 6
-rw-r--r-- | WARNING.RNG | 35
3 files changed, 27 insertions, 17 deletions
@@ -3,6 +3,7 @@ | |||
3 | - Add commandline debugging options | 3 | - Add commandline debugging options |
4 | - Don't write binary data if stdout is a tty (use hex instead) | 4 | - Don't write binary data if stdout is a tty (use hex instead) |
5 | - Give it a manpage | 5 | - Give it a manpage |
6 | - (djm) Random number collection doc fixes from Ben | ||
6 | 7 | ||
7 | 20020413 | 8 | 20020413 |
8 | - (djm) Add KrbV support patch from Simon Wilkinson <simon@sxw.org.uk> | 9 | - (djm) Add KrbV support patch from Simon Wilkinson <simon@sxw.org.uk> |
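Review bot: the new ChangeLog entry on line 6, "(djm) Random number collection doc fixes from Ben", credits the contributor by first name only, while the neighbouring entry on line 9 gives the full name and address (Simon Wilkinson <simon@sxw.org.uk>); use the same form here so the attribution can be traced, e.g. `- (djm) Random number collection doc fixes from Ben <address>` with the contributor's real name and address filled in.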
@@ -8240,4 +8241,4 @@ | |||
8240 | - Wrote replacements for strlcpy and mkdtemp | 8241 | - Wrote replacements for strlcpy and mkdtemp |
8241 | - Released 1.0pre1 | 8242 | - Released 1.0pre1 |
8242 | 8243 | ||
8243 | $Id: ChangeLog,v 1.2052 2002/04/14 09:27:12 djm Exp $ | 8244 | $Id: ChangeLog,v 1.2053 2002/04/14 13:16:04 djm Exp $ |
@@ -108,10 +108,6 @@ different name. | |||
108 | need a working installation of GNOME, including the development | 108 | need a working installation of GNOME, including the development |
109 | headers, for this to work. | 109 | headers, for this to work. |
110 | 110 | ||
111 | --with-random=/some/file allows you to specify an alternate source of | ||
112 | random numbers (the default is /dev/urandom). Unless you are absolutely | ||
113 | sure of what you are doing, it is best to leave this alone. | ||
114 | |||
115 | --with-prngd-socket=/some/file allows you to enable EGD or PRNGD | 111 | --with-prngd-socket=/some/file allows you to enable EGD or PRNGD |
116 | support and to specify a PRNGd socket. Use this if your Unix lacks | 112 | support and to specify a PRNGd socket. Use this if your Unix lacks |
117 | /dev/random and you don't want to use OpenSSH's builtin entropy | 113 | /dev/random and you don't want to use OpenSSH's builtin entropy |
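Review bot: removing the `--with-random` paragraph (old lines 111-113) undocuments a configure option without saying whether the option itself has gone away; if `--with-random` still exists in configure, INSTALL should keep a sentence describing it (or its new behaviour), and if it has been removed, the ChangeLog entry for this commit should say so rather than calling the change "doc fixes". The surviving paragraph on new lines 111-113 also still advertises "OpenSSH's builtin entropy" collection as the alternative to PRNGd, while the WARNING.RNG changes in this same commit describe that collector as an external helper; the two files should describe it the same way.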
@@ -222,4 +218,4 @@ Please refer to the "reporting bugs" section of the webpage at | |||
222 | http://www.openssh.com/ | 218 | http://www.openssh.com/ |
223 | 219 | ||
224 | 220 | ||
225 | $Id: INSTALL,v 1.50 2002/04/05 16:11:46 mouring Exp $ | 221 | $Id: INSTALL,v 1.51 2002/04/14 13:16:05 djm Exp $ |
diff --git a/WARNING.RNG b/WARNING.RNG index 487346ef3..ae43930a7 100644 --- a/WARNING.RNG +++ b/WARNING.RNG | |||
@@ -28,8 +28,12 @@ On to the description... | |||
28 | The portable OpenSSH contains random number collection support for | 28 | The portable OpenSSH contains random number collection support for |
29 | systems which lack a kernel entropy pool (/dev/random). | 29 | systems which lack a kernel entropy pool (/dev/random). |
30 | 30 | ||
31 | This collector operates by executing the programs listed in | 31 | This collector (as of 3.1 and beyond) comes as an external application |
32 | ($etcdir)/ssh_prng_cmds, reading their output and adding it to the | 32 | that allows the local admin to decide on how to implement entropy |
33 | collection. | ||
34 | |||
35 | The default entropy collector operates by executing the programs listed | ||
36 | in ($etcdir)/ssh_prng_cmds, reading their output and adding it to the | ||
33 | PRNG supplied by OpenSSL (which is hash-based). It also stirs in the | 37 | PRNG supplied by OpenSSL (which is hash-based). It also stirs in the |
34 | output of several system calls and timings from the execution of the | 38 | output of several system calls and timings from the execution of the |
35 | programs that it runs. | 39 | programs that it runs. |
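Review bot: the new paragraph at lines 31-33 says the collector "comes as an external application" but never names it; the name ssh-rand-helper first appears much later in this file (line 92 of this patch). Name it here, e.g. "This collector (as of 3.1 and beyond) is an external program, ssh-rand-helper, that allows the local admin to decide how to implement entropy collection", which also tightens "decide on how to implement" to "decide how to implement".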
@@ -43,7 +47,7 @@ The random number code will also read and save a seed file to | |||
43 | number generator at startup. The goal here is to maintain as much | 47 | number generator at startup. The goal here is to maintain as much |
44 | randomness between sessions as possible. | 48 | randomness between sessions as possible. |
45 | 49 | ||
46 | The entropy collection code has two main problems: | 50 | The default entropy collection code has two main problems: |
47 | 51 | ||
48 | 1. It is slow. | 52 | 1. It is slow. |
49 | 53 | ||
@@ -51,14 +55,13 @@ Executing each program in the list can take a large amount of time, | |||
51 | especially on slower machines. Additionally some program can take a | 55 | especially on slower machines. Additionally some program can take a |
52 | disproportionate time to execute. | 56 | disproportionate time to execute. |
53 | 57 | ||
54 | This can be tuned by the administrator. To debug the entropy | 58 | Tuning the default entropy collection code is difficult at this point. |
55 | collection is great detail, turn on full debugging ("ssh -v -v -v" or | 59 | It requires doing 'times ./ssh-rand-helper' and modifying the |
56 | "sshd -d -d -d"). This will list each program as it is executed, how | 60 | ($etcdir)/ssh_prng_cmds until you have found the issue. In the next |
57 | long it took to execute, its exit status and whether and how much data | 61 | release we will be looking at support '-v' for verbose output to allow |
58 | it generated. You can the find the culprit programs which are causing | 62 | easier debugging. |
59 | the real slow-downs. | ||
60 | 63 | ||
61 | The entropy collector will timeout programs which take too long | 64 | The default entropy collector will timeout programs which take too long |
62 | to execute, the actual timeout used can be adjusted with the | 65 | to execute, the actual timeout used can be adjusted with the |
63 | --with-entropy-timeout configure option. OpenSSH will not try to | 66 | --with-entropy-timeout configure option. OpenSSH will not try to |
64 | re-execute programs which have not been found, have had a non-zero | 67 | re-execute programs which have not been found, have had a non-zero |
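Review bot: the tuning advice on line 59, `times ./ssh-rand-helper`, looks like a typo for `time ./ssh-rand-helper`: `times` is a shell builtin that prints the accumulated user and system time of the shell and its children and takes no command operand, so it would not time the helper at all. On line 61, "support '-v'" should read "supporting '-v'". Separately, the removed lines 54-59 told the admin exactly how to find slow programs (each command, its duration, exit status and bytes produced) via "ssh -v -v -v" or "sshd -d -d -d"; the replacement only says tuning "is difficult at this point" and promises a '-v' option in the next release, which is a roadmap note that will go stale in a user-facing file. Better to state plainly that the helper currently prints no per-command timing and that the debug flags of ssh/sshd no longer show it, so the reader knows what is and is not available now.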
@@ -79,5 +82,15 @@ up and various other factors. | |||
79 | To make matters even more complex, some of the commands are reporting | 82 | To make matters even more complex, some of the commands are reporting |
80 | largely the same data as other commands (eg. the various "ps" calls). | 83 | largely the same data as other commands (eg. the various "ps" calls). |
81 | 84 | ||
82 | $Id: WARNING.RNG,v 1.4 2001/02/09 01:55:36 djm Exp $ | ||
83 | 85 | ||
86 | How to avoid the default entropy code? | ||
87 | |||
88 | The best way is to read the OpenSSL documentation and recompile OpenSSL | ||
89 | to use prngd or egd. Some platforms (like earily solaris) have 3rd | ||
90 | party /dev/random devices that can be also used for this task. | ||
91 | |||
92 | If you are forced to use ssh-rand-helper consider still downloading | ||
93 | prngd/egd and configure OpenSSH using --with-prngd-port=xx or | ||
94 | --with-prngd-socket=xx (refer to INSTALL for more information). | ||
95 | |||
96 | $Id: WARNING.RNG,v 1.5 2002/04/14 13:16:05 djm Exp $ | ||
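Review bot: line 93 refers readers to INSTALL for `--with-prngd-port=xx`, but the INSTALL hunk in this same commit documents only `--with-prngd-socket`; either add a `--with-prngd-port` paragraph to INSTALL or drop the reference so the pointer is accurate. Minor wording on the same hunk: line 89 "earily solaris" should be "early Solaris", line 90 "can be also used" reads better as "can also be used", and line 93 "consider still downloading prngd/egd and configure OpenSSH" should be "configuring OpenSSH".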