RepoMirrors
/
openssh
mirror of git://anongit.mindrot.org/openssh.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

- (djm) Random number collection doc fixes from Ben

This commit is contained in:
Damien Miller 2002-04-14 23:16:04 +10:00
parent 32e4818015
commit 49411ff8a7
3 changed files with 27 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
ChangeLog
View File

@ -3,6 +3,7 @@
- Add commandline debugging options - Add commandline debugging options
- Don't write binary data if stdout is a tty (use hex instead) - Don't write binary data if stdout is a tty (use hex instead)
- Give it a manpage - Give it a manpage
- (djm) Random number collection doc fixes from Ben
20020413 20020413
- (djm) Add KrbV support patch from Simon Wilkinson <simon@sxw.org.uk> - (djm) Add KrbV support patch from Simon Wilkinson <simon@sxw.org.uk>
@ -8240,4 +8241,4 @@
- Wrote replacements for strlcpy and mkdtemp - Wrote replacements for strlcpy and mkdtemp
- Released 1.0pre1 - Released 1.0pre1
$Id: ChangeLog,v 1.2052 2002/04/14 09:27:12 djm Exp $ $Id: ChangeLog,v 1.2053 2002/04/14 13:16:04 djm Exp $

6
INSTALL
View File

@ -108,10 +108,6 @@ different name.
need a working installation of GNOME, including the development need a working installation of GNOME, including the development
headers, for this to work. headers, for this to work.
--with-random=/some/file allows you to specify an alternate source of
random numbers (the default is /dev/urandom). Unless you are absolutely
sure of what you are doing, it is best to leave this alone.
--with-prngd-socket=/some/file allows you to enable EGD or PRNGD --with-prngd-socket=/some/file allows you to enable EGD or PRNGD
support and to specify a PRNGd socket. Use this if your Unix lacks support and to specify a PRNGd socket. Use this if your Unix lacks
/dev/random and you don't want to use OpenSSH's builtin entropy /dev/random and you don't want to use OpenSSH's builtin entropy
@ -222,4 +218,4 @@ Please refer to the "reporting bugs" section of the webpage at
http://www.openssh.com/ http://www.openssh.com/
$Id: INSTALL,v 1.50 2002/04/05 16:11:46 mouring Exp $ $Id: INSTALL,v 1.51 2002/04/14 13:16:05 djm Exp $

35
WARNING.RNG
View File

@ -28,8 +28,12 @@ On to the description...
The portable OpenSSH contains random number collection support for The portable OpenSSH contains random number collection support for
systems which lack a kernel entropy pool (/dev/random). systems which lack a kernel entropy pool (/dev/random).
This collector operates by executing the programs listed in This collector (as of 3.1 and beyond) comes as an external application
($etcdir)/ssh_prng_cmds, reading their output and adding it to the that allows the local admin to decide on how to implement entropy
collection.
The default entropy collector operates by executing the programs listed
in ($etcdir)/ssh_prng_cmds, reading their output and adding it to the
PRNG supplied by OpenSSL (which is hash-based). It also stirs in the PRNG supplied by OpenSSL (which is hash-based). It also stirs in the
output of several system calls and timings from the execution of the output of several system calls and timings from the execution of the
programs that it runs. programs that it runs.
@ -43,7 +47,7 @@ The random number code will also read and save a seed file to
number generator at startup. The goal here is to maintain as much number generator at startup. The goal here is to maintain as much
randomness between sessions as possible. randomness between sessions as possible.
The entropy collection code has two main problems: The default entropy collection code has two main problems:
1. It is slow. 1. It is slow.
@ -51,14 +55,13 @@ Executing each program in the list can take a large amount of time,
especially on slower machines. Additionally some program can take a especially on slower machines. Additionally some program can take a
disproportionate time to execute. disproportionate time to execute.
This can be tuned by the administrator. To debug the entropy Tuning the default entropy collection code is difficult at this point.
collection is great detail, turn on full debugging ("ssh -v -v -v" or It requires doing 'times ./ssh-rand-helper' and modifying the
"sshd -d -d -d"). This will list each program as it is executed, how ($etcdir)/ssh_prng_cmds until you have found the issue. In the next
long it took to execute, its exit status and whether and how much data release we will be looking at support '-v' for verbose output to allow
it generated. You can the find the culprit programs which are causing easier debugging.
the real slow-downs.
The entropy collector will timeout programs which take too long The default entropy collector will timeout programs which take too long
to execute, the actual timeout used can be adjusted with the to execute, the actual timeout used can be adjusted with the
--with-entropy-timeout configure option. OpenSSH will not try to --with-entropy-timeout configure option. OpenSSH will not try to
re-execute programs which have not been found, have had a non-zero re-execute programs which have not been found, have had a non-zero
@ -79,5 +82,15 @@ up and various other factors.
To make matters even more complex, some of the commands are reporting To make matters even more complex, some of the commands are reporting
largely the same data as other commands (eg. the various "ps" calls). largely the same data as other commands (eg. the various "ps" calls).
$Id: WARNING.RNG,v 1.4 2001/02/09 01:55:36 djm Exp $
How to avoid the default entropy code?
The best way is to read the OpenSSL documentation and recompile OpenSSL
to use prngd or egd. Some platforms (like earily solaris) have 3rd
party /dev/random devices that can be also used for this task.
If you are forced to use ssh-rand-helper consider still downloading
prngd/egd and configure OpenSSH using --with-prngd-port=xx or
--with-prngd-socket=xx (refer to INSTALL for more information).
$Id: WARNING.RNG,v 1.5 2002/04/14 13:16:05 djm Exp $