From 49411ff8a7fb1da93b938552f37230faf48a5c29 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sun, 14 Apr 2002 23:16:04 +1000 Subject: [PATCH] - (djm) Random number collection doc fixes from Ben --- ChangeLog | 3 ++- INSTALL | 6 +----- WARNING.RNG | 35 ++++++++++++++++++++++++----------- 3 files changed, 27 insertions(+), 17 deletions(-) diff --git a/ChangeLog b/ChangeLog index 114f5d72a..77bdea358 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,7 @@ - Add commandline debugging options - Don't write binary data if stdout is a tty (use hex instead) - Give it a manpage + - (djm) Random number collection doc fixes from Ben 20020413 - (djm) Add KrbV support patch from Simon Wilkinson @@ -8240,4 +8241,4 @@ - Wrote replacements for strlcpy and mkdtemp - Released 1.0pre1 -$Id: ChangeLog,v 1.2052 2002/04/14 09:27:12 djm Exp $ +$Id: ChangeLog,v 1.2053 2002/04/14 13:16:04 djm Exp $ diff --git a/INSTALL b/INSTALL index 35c6c749c..3dc3fca68 100644 --- a/INSTALL +++ b/INSTALL @@ -108,10 +108,6 @@ different name. need a working installation of GNOME, including the development headers, for this to work. ---with-random=/some/file allows you to specify an alternate source of -random numbers (the default is /dev/urandom). Unless you are absolutely -sure of what you are doing, it is best to leave this alone. - --with-prngd-socket=/some/file allows you to enable EGD or PRNGD support and to specify a PRNGd socket. Use this if your Unix lacks /dev/random and you don't want to use OpenSSH's builtin entropy @@ -222,4 +218,4 @@ Please refer to the "reporting bugs" section of the webpage at http://www.openssh.com/ -$Id: INSTALL,v 1.50 2002/04/05 16:11:46 mouring Exp $ +$Id: INSTALL,v 1.51 2002/04/14 13:16:05 djm Exp $ diff --git a/WARNING.RNG b/WARNING.RNG index 487346ef3..ae43930a7 100644 --- a/WARNING.RNG +++ b/WARNING.RNG @@ -28,8 +28,12 @@ On to the description... The portable OpenSSH contains random number collection support for systems which lack a kernel entropy pool (/dev/random). -This collector operates by executing the programs listed in -($etcdir)/ssh_prng_cmds, reading their output and adding it to the +This collector (as of 3.1 and beyond) comes as an external application +that allows the local admin to decide on how to implement entropy +collection. + +The default entropy collector operates by executing the programs listed +in ($etcdir)/ssh_prng_cmds, reading their output and adding it to the PRNG supplied by OpenSSL (which is hash-based). It also stirs in the output of several system calls and timings from the execution of the programs that it runs. @@ -43,7 +47,7 @@ The random number code will also read and save a seed file to number generator at startup. The goal here is to maintain as much randomness between sessions as possible. -The entropy collection code has two main problems: +The default entropy collection code has two main problems: 1. It is slow. @@ -51,14 +55,13 @@ Executing each program in the list can take a large amount of time, especially on slower machines. Additionally some program can take a disproportionate time to execute. -This can be tuned by the administrator. To debug the entropy -collection is great detail, turn on full debugging ("ssh -v -v -v" or -"sshd -d -d -d"). This will list each program as it is executed, how -long it took to execute, its exit status and whether and how much data -it generated. You can the find the culprit programs which are causing -the real slow-downs. +Tuning the default entropy collection code is difficult at this point. +It requires doing 'times ./ssh-rand-helper' and modifying the +($etcdir)/ssh_prng_cmds until you have found the issue. In the next +release we will be looking at support '-v' for verbose output to allow +easier debugging. -The entropy collector will timeout programs which take too long +The default entropy collector will timeout programs which take too long to execute, the actual timeout used can be adjusted with the --with-entropy-timeout configure option. OpenSSH will not try to re-execute programs which have not been found, have had a non-zero @@ -79,5 +82,15 @@ up and various other factors. To make matters even more complex, some of the commands are reporting largely the same data as other commands (eg. the various "ps" calls). -$Id: WARNING.RNG,v 1.4 2001/02/09 01:55:36 djm Exp $ +How to avoid the default entropy code? + +The best way is to read the OpenSSL documentation and recompile OpenSSL +to use prngd or egd. Some platforms (like earily solaris) have 3rd +party /dev/random devices that can be also used for this task. + +If you are forced to use ssh-rand-helper consider still downloading +prngd/egd and configure OpenSSH using --with-prngd-port=xx or +--with-prngd-socket=xx (refer to INSTALL for more information). + +$Id: WARNING.RNG,v 1.5 2002/04/14 13:16:05 djm Exp $