bugzilla-daemon at bugzilla.mindrot.org
2010-Jun-14  19:48 UTC
[Bug 1781] New: Document how to use Solaris 10 /dev/random
https://bugzilla.mindrot.org/show_bug.cgi?id=1781
           Summary: Document how to use Solaris 10 /dev/random
           Product: Portable OpenSSH
           Version: -current
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Documentation
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: pepper at reppep.com
http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/INSTALL says:
--with-prngd-socket=/some/file allows you to enable EGD or PRNGD
support and to specify a PRNGd socket. Use this if your Unix lacks
/dev/random and you don't want to use OpenSSH's builtin entropy
collection support.
--with-prngd-port=portnum allows you to enable EGD or PRNGD support
and to specify a EGD localhost TCP port. Use this if your Unix lacks
/dev/random and you don't want to use OpenSSH's builtin entropy
collection support.
I hoped that the configure script would automatically use /dev/random,
but apparently not -- it says "Random number source: OpenSSL internal
ONLY".
root at thor:/# uname -a
SunOS thor 5.10 Generic_142901-08 i86pc i386 i86pc
root at thor:/# ls -l /dev/random /devices/pseudo/random@0:random
lrwxrwxrwx   1 root     root          33 Oct 21  2009 /dev/random -> ../devices/pseudo/random@0:random
crw-r--r--   1 root     sys      149,  0 Jun 10 11:27 /devices/pseudo/random@0:random
I see configure arguments for a subprocess or PRNGd, but nothing
obvious to point at /dev/random (a character device). Should I just use
"--with-prngd-socket=/dev/random"? 
pepper at thor:~/cvs/openssh$ ./configure --help|egrep -i '(rand|prng)'
  --with-rand-helper      Use subprocess to gather strong randomness
  --with-prngd-port=PORT  read entropy from PRNGD/EGD TCP localhost:PORT
  --with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)
Perhaps the Solaris heading in README.platform should include a
suggestion?
-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Jun-15  01:55 UTC
[Bug 1781] Document how to use Solaris 10 /dev/random
https://bugzilla.mindrot.org/show_bug.cgi?id=1781
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
             Status|NEW                         |RESOLVED
         Resolution|                            |WORKSFORME
--- Comment #1 from Damien Miller <djm at mindrot.org>  ---
If your platform supports /dev/random, and OpenSSL has been configured
to use it (if OpenSSL came with your system, or you compiled it on
there then it will almost certainly do so), then you can rely on its
internal seeding. 
If something is wrong (e.g. OpenSSL has not been configured to seed
from /dev/random) then the problem will be immediately apparent as ssh,
sshd, etc. will throw loud error messages and refuse to start.
bugzilla-daemon at bugzilla.mindrot.org
2010-Jun-15  01:59 UTC
[Bug 1781] Document how to use Solaris 10 /dev/random
https://bugzilla.mindrot.org/show_bug.cgi?id=1781
--- Comment #2 from Chris Pepper <pepper at reppep.com> ---
That makes sense, but then INSTALL or README.platform should mention that
"OpenSSL internal ONLY" is likely to be acceptable if OpenSSL is getting
randomness from /dev/random. From the current wording, I thought I needed
to ensure that OpenSSH could access /dev/random directly.
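A pre-build sanity check for the situation discussed in comments #1 and #2, added here as an example and not part of the bug thread or of the OpenSSH build system: it verifies that /dev/random is a readable character device that actually yields bytes and, when an openssl CLI is present, that OpenSSL can draw random bytes, which is what a "Random number source: OpenSSL internal ONLY" build relies on. The function names are my own.

```sh
#!/bin/sh
# Added example, not from the bug thread or from OpenSSH. Checks the two
# things Damien's comment #1 assumes: a working /dev/random, and OpenSSL
# able to seed itself from it.

# check_random_device DEVICE NBYTES
# Return 0 if DEVICE is a readable character device that yields NBYTES
# bytes; print the reason and return 1 otherwise. A device node that
# exists but returns nothing (like /dev/null) is treated as a failure.
check_random_device() {
    dev=${1:-/dev/random}
    want=${2:-16}
    [ -c "$dev" ] || { echo "$dev: not a character device" >&2; return 1; }
    [ -r "$dev" ] || { echo "$dev: not readable by $(id -un)" >&2; return 1; }
    got=$(dd if="$dev" bs="$want" count=1 2>/dev/null | wc -c | tr -d ' ')
    [ "$got" -eq "$want" ] || {
        echo "$dev: short read, $got of $want bytes" >&2; return 1; }
    return 0
}

# check_openssl_prng
# Return 0 if the openssl CLI can produce 16 random bytes (it seeds its
# PRNG from the system device on platforms that have one), 1 if it
# cannot, and 2 if there is no openssl CLI on the PATH to test with.
check_openssl_prng() {
    command -v openssl >/dev/null 2>&1 || return 2
    out=$(openssl rand -hex 16 2>/dev/null) || return 1
    [ "${#out}" -eq 32 ] || return 1
    return 0
}

# Run both checks and report; exit status is the overall verdict.
entropy_report() {
    status=0
    if check_random_device /dev/random 16; then
        echo "/dev/random: ok"
    else
        status=1
    fi
    rc=0; check_openssl_prng || rc=$?
    case $rc in
        0) echo "openssl rand: ok" ;;
        2) echo "openssl CLI not found, OpenSSL seeding not tested" ;;
        *) echo "openssl rand failed: OpenSSL cannot seed itself" >&2; status=1 ;;
    esac
    return $status
}
```

Run `entropy_report` before `./configure`; a non-zero exit means the "OpenSSL internal ONLY" configuration should not be relied on until the reported problem is fixed.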
bugzilla-daemon at bugzilla.mindrot.org
2011-Jan-24  01:33 UTC
[Bug 1781] Document how to use Solaris 10 /dev/random
https://bugzilla.mindrot.org/show_bug.cgi?id=1781
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED
--- Comment #3 from Damien Miller <djm at mindrot.org> 2011-01-24 12:33:44 EST ---
Move resolved bugs to CLOSED after 5.7 release