I am trying to run the configure for 1.2.2 on an Intel Solaris 2.7 box and I get an error for urandom not found. I can't find anything related to rand, urand, random, rng, or urandom on my box. How can I get around this, or where can I get urandom?

Chris
A non-text attachment was scrubbed... Name: fallback-openssh.diff Type: application/octet-stream Size: 3197 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20000215/3c1cec94/attachment.obj
In message <51k8k6secr.fsf at trh.sim.no>, Morten Eriksen writes:
>Here's a patch I've written which makes the code fall back on srand()
>and rand() if neither /dev/urandom nor the EGD is available.
>
>Note that this has implications for the security of your ssh/sshd
>installation, and if I've understood the discussion from last week
>correctly, something like this will never actually make it into the
>distribution -- not even only as a last resort fallback.

I am sorry. It seems to me that you understand why using such a patch is completely wrong. So, why do you post it here?

If there is no way to get good randomness then openssh should terminate. Your operating system should provide application programs with a source of randomness. If it doesn't, then it needs to be fixed.

You might want to look into a user provided one-time randomness file. While not perfect, it is certainly better than using rand().

Niels.
* Niels Provos
> I am sorry. It seems to me that you understand why using such a
> patch is completely wrong. So, why do you post it here?

First you snip away the text where I explain why I posted it ("if I've understood the discussion from last week correctly, something like this will never actually make it into the distribution [...] But I don't know much about the issues involved, and I might be wrong."), then you ask why I posted it? Come on, give me a break.

> You might want to look into a user provided one-time randomness
> file. While not perfect, it is certainly better than using rand().

Sounds like a good idea, and I guess this is what the original ssh does when it asks the user to move the mouse around or bang the keyboard, right?

Would there be any point in submitting a patch which implements the same "file of randomness" generation as ssh? Or would that just be "super-seeded" (*ough* what a terrible pun) by the effort to port Yarrow?

Regards,
Morten Eriksen
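
Added example, not part of the thread and not OpenSSH's code: a fail-closed seed reader in C that follows the position argued above, trying /dev/urandom, then a user-provided seed file, and terminating instead of falling back to rand(). The `SEED_FILE` environment variable, `SEED_LEN` and the function names are assumptions made for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define SEED_LEN 32
/* Read exactly len bytes from path; 0 on success, -1 on any failure. */
int read_seed(const char *path, unsigned char *buf, size_t len)
{
    size_t got = 0;
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n < 0 && errno == EINTR)
            continue;           /* interrupted by a signal: retry */
        if (n <= 0)
            break;              /* EOF or error: treat as a short read */
        got += (size_t)n;
    }
    close(fd);
    return got == len ? 0 : -1; /* a partial seed is rejected */
}

/* Try each source in order; return the index used, or -1 if none worked. */
int seed_from_sources(const char *const *paths, size_t npaths,
                      unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < npaths; i++)
        if (paths[i] != NULL && read_seed(paths[i], buf, len) == 0)
            return (int)i;
    return -1;                  /* no rand()/srand() fallback on purpose */
}

int main(void)
{
    /* SEED_FILE is a hypothetical variable naming the user-provided file. */
    const char *paths[] = { "/dev/urandom", getenv("SEED_FILE") };
    unsigned char seed[SEED_LEN];
    int src = seed_from_sources(paths, 2, seed, sizeof seed);
    if (src < 0) {
        fprintf(stderr, "no entropy source available, refusing to run\n");
        return 1;
    }
    printf("seeded %d bytes from %s\n", SEED_LEN, paths[src]);
    return 0;
}
```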