2000-10-24 23:06:04 +00:00
|
|
|
This document contains a description of portable OpenSSH's random
|
|
|
|
number collection code. An alternate reading of this text could
|
|
|
|
well be titled "Why I should pressure my system vendor to supply
|
|
|
|
/dev/random in their OS".
|
|
|
|
|
|
|
|
Why is this important? OpenSSH depends on good, unpredictable numbers
|
|
|
|
for generating keys, performing digital signatures and forming
|
|
|
|
cryptographic challenges. If the random numbers that it uses are
|
|
|
|
predictable, then the strength of the whole system is compromised.
|
|
|
|
|
|
|
|
A particularly pernicious problem arises with DSA keys (used by the
|
|
|
|
ssh2 protocol). Performing a DSA signature (which is required for
|
|
|
|
authentication), entails the use of a 160 bit random number. If an
|
|
|
|
attacker can predict this number, then they can deduce your *private*
|
2000-10-25 03:47:35 +00:00
|
|
|
key and impersonate you or your hosts.
|
2000-10-24 23:06:04 +00:00
|
|
|
|
|
|
|
If you are using the builtin random number support (configure will
|
2000-10-25 03:47:35 +00:00
|
|
|
tell you if this is the case), then read this document in its entirety.
|
2001-01-24 23:51:46 +00:00
|
|
|
Alternately, you can use Lutz Jaenicke's PRNGd - a small daemon which
|
|
|
|
collects random numbers and makes them available by a socket.
|
2000-10-24 23:06:04 +00:00
|
|
|
|
|
|
|
Please also request that your OS vendor provides a kernel-based random
|
|
|
|
number collector (/dev/random) in future versions of your operating
|
2000-10-25 03:47:35 +00:00
|
|
|
systems by default.
|
2000-10-24 23:06:04 +00:00
|
|
|
|
|
|
|
On to the description...
|
|
|
|
|
|
|
|
The portable OpenSSH contains random number collection support for
|
|
|
|
systems which lack a kernel entropy pool (/dev/random).
|
|
|
|
|
|
|
|
This collector operates by executing the programs listed in
|
|
|
|
($etcdir)/ssh_prng_cmds, reading their output and adding it to the
|
|
|
|
PRNG supplied by OpenSSL (which is hash-based). It also stirs in the
|
|
|
|
output of several system calls and timings from the execution of the
|
|
|
|
programs that it runs.
|
|
|
|
|
|
|
|
The ssh_prng_cmds file also specifies a 'rate' for each program. This
|
|
|
|
represents the number of bits of randomness per byte of output from
|
|
|
|
the specified program.
|
|
|
|
|
|
|
|
The random number code will also read and save a seed file to
|
|
|
|
~/.ssh/prng_seed. This contents of this file are added to the random
|
2000-10-25 03:47:35 +00:00
|
|
|
number generator at startup. The goal here is to maintain as much
|
|
|
|
randomness between sessions as possible.
|
2000-10-24 23:06:04 +00:00
|
|
|
|
2000-10-25 03:47:35 +00:00
|
|
|
The entropy collection code has two main problems:
|
2000-10-24 23:06:04 +00:00
|
|
|
|
|
|
|
1. It is slow.
|
|
|
|
|
|
|
|
Executing each program in the list can take a large amount of time,
|
|
|
|
especially on slower machines. Additionally some program can take a
|
|
|
|
disproportionate time to execute.
|
|
|
|
|
|
|
|
This can be tuned by the administrator. To debug the entropy
|
|
|
|
collection is great detail, turn on full debugging ("ssh -v -v -v" or
|
|
|
|
"sshd -d -d -d"). This will list each program as it is executed, how
|
|
|
|
long it took to execute, its exit status and whether and how much data
|
|
|
|
it generated. You can the find the culprit programs which are causing
|
|
|
|
the real slow-downs.
|
|
|
|
|
|
|
|
The entropy collector will timeout programs which take too long
|
|
|
|
to execute, the actual timeout used can be adjusted with the
|
|
|
|
--with-entropy-timeout configure option. OpenSSH will not try to
|
|
|
|
re-execute programs which have not been found, have had a non-zero
|
|
|
|
exit status or have timed out more than a couple of times.
|
|
|
|
|
|
|
|
2. Estimating the real 'rate' of program outputs is non-trivial
|
|
|
|
|
|
|
|
The shear volume of the task is problematic: there are currently
|
|
|
|
around 50 commands in the ssh_prng_cmds list, portable OpenSSH
|
|
|
|
supports at least 12 different OSs. That is already 600 sets of data
|
|
|
|
to be analysed, without taking into account the numerous differences
|
|
|
|
between versions of each OS.
|
|
|
|
|
|
|
|
On top of this, the different commands can produce varying amounts of
|
|
|
|
usable data depending on how busy the machine is, how long it has been
|
|
|
|
up and various other factors.
|
|
|
|
|
|
|
|
To make matters even more complex, some of the commands are reporting
|
|
|
|
largely the same data as other commands (eg. the various "ps" calls).
|
|
|
|
|