Loomis, Rip
2000-Nov-17 13:20 UTC
OpenSSH entropy/PRNG (was: Why does ssh try to run df, netstat, arp ...?)
Nico--

SSH is trying to "get entropy" by taking the (somewhat-deterministic) output of a bunch of system commands, on those OSs that don't provide a /dev/random or its equivalent. The commands that it uses are in /etc/ssh_prng_cmds or its equivalent on your system; just comment out any of the lines (and stop/restart SSHd) in order to change which system commands are used as inputs to the Pseudo Random Noise Generator. For our network here, for example, I have commented out the call to arp since that one change decreases SSH session startup time significantly on our Solaris boxen.

Related question: Is anyone actively trying to get Yarrow or some other algorithmic source of entropy into OpenSSH? I suppose this is really a question for the OpenSSL folks...

Rip Loomis
Voice Number: (410) 953-6874
--------------------------------------------------------
Senior Security Engineer
Center for Information Security Technology
Science Applications International Corporation
http://www.cist.saic.com

> -----Original Message-----
> From: Nico De Ranter [mailto:nico at sonycom.com]
> Sent: Friday, November 17, 2000 8:15 AM
> To: openssh-unix-dev at mindrot.org
> Subject: Why does ssh try to run df, netstat, arp ...?
>
> Howdy,
>
> I recently had a problem with one of our servers (crashed due to power
> failure :-). While this shouldn't have been a problem for most of the
> workstations and servers on the network, I noticed that I wasn't able to
> use ssh anymore. Ssh would simply hang during the connection. rsh and
> telnet however were able to connect without problem, so there was no
> problem with the destination or the environment of the user.
>
> I noticed that for some strange reason ssh tries to run arp, netstat and
> df during the connection (I can understand the use of arp and netstat,
> but why on earth df). Unfortunately df blocks when it tries to measure
> the size of a filesystem which is mounted (e.g. by automount) but
> unavailable (since the server crashed). I guess this is the reason why
> the ssh connection failed. Of course having my whole network unreachable
> by ssh just because one server goes down is totally unacceptable (I might
> as well start using Windows). How can I turn this behaviour off, or can
> anybody give me a really really good reason why ssh would need df?
>
> Thanks in advance,
>
> Nico
>
> --------------------------------------------------------
> "It has been said that there are only two businesses that
> refer to customers as users: illegal drug trade and
> the computer industry."
> --------------------------------------------------------
> Nico De Ranter
> Sony Service Center (SDCE/NEE-B)
> Sint Stevens Woluwestraat 55 (Rue de Woluwe-Saint-Etienne)
> 1130 Brussel (Bruxelles), Belgium, Europe, Earth
> Telephone: +32 2 724 86 41 Telefax: +32 2 726 26 86
> e-mail: nico.deranter at sonycom.com
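The mechanism Rip describes (a list of system commands whose output is fed into the PRNG pool, with a line commented out to drop a command) and the failure Nico reports (one blocking command stalls the whole gathering step) can be shown together in a small model. This is an added example written for this page, not code from the thread or from OpenSSH itself; the sample ssh_prng_cmds text is constructed in the layout of that file (a quoted command line, the binary's path, and an estimated entropy credit in bits per byte of output), and the "system commands" in the demonstration are the Python interpreter itself, so the block runs anywhere. The per-command timeout is the defensive point: a command that never returns is killed and credited nothing instead of hanging session setup.

```python
import hashlib
import shlex
import subprocess
import sys

# Constructed sample in the ssh_prng_cmds layout Rip refers to: a double-quoted
# command line, the path of the binary to exec, and the entropy (bits per byte
# of output) the command's output is credited with. The arp line is commented
# out, which is the change Rip describes making on his Solaris hosts.
SAMPLE_PRNG_CMDS = '''\
# command                  path                bits/byte
"ls -alni /var/log"        /bin/ls             0.02
"netstat -an"              /usr/bin/netstat    0.05
#"arp -a"                  /usr/sbin/arp       0.04
"df -k"                    /bin/df             0.01
'''


def parse_prng_cmds(text):
    """Return one (argv, rate) tuple per active line; '#' lines are skipped.

    argv is [path] + the command's arguments: the binary named in the path
    column is what gets executed, with the arguments from the quoted field.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)  # honours the double-quoted command field
        if len(fields) != 3:
            raise ValueError(f"malformed ssh_prng_cmds line: {raw!r}")
        command, path, rate = fields
        entries.append(([path] + command.split()[1:], float(rate)))
    return entries


def gather(entries, timeout):
    """Run each command with a per-command timeout, hashing its stdout into a pool.

    Returns (pool_digest_hex, bits_credited, timed_out_paths). A command that
    blocks, as df does on a dead automount in Nico's report, is killed when the
    timeout expires and credited nothing, instead of stalling the whole run.
    """
    pool = hashlib.sha256()
    credited = 0.0
    timed_out = []
    for argv, rate in entries:
        try:
            result = subprocess.run(argv, capture_output=True, timeout=timeout)
        except (FileNotFoundError, PermissionError):
            continue  # binary not present on this host: skip, credit nothing
        except subprocess.TimeoutExpired:
            timed_out.append(argv[0])  # subprocess.run has already killed it
            continue
        pool.update(result.stdout)
        credited += len(result.stdout) * rate
    return pool.hexdigest(), credited, timed_out


def demo_gather(timeout=1.0):
    """Constructed demonstration: this Python interpreter stands in for the
    system commands, one answering promptly and one hanging like a stuck df.
    Returns (bits_credited, number_of_commands_abandoned)."""
    prompt = ([sys.executable, "-c", "print('x' * 99)"], 0.5)  # 100 bytes out
    hung = ([sys.executable, "-c", "import time; time.sleep(60)"], 0.5)
    _, bits, timed_out = gather([prompt, hung], timeout)
    return bits, len(timed_out)


if __name__ == "__main__":
    for argv, rate in parse_prng_cmds(SAMPLE_PRNG_CMDS):
        print(f"{rate:5.2f} bits/byte  {' '.join(argv)}")
    bits, stuck = demo_gather()
    print(f"credited {bits} bits; {stuck} command(s) abandoned on timeout")
```

The credit accounting is the other half of the lesson: output from a command that is largely static (df on the same filesystems every time) earns very little per byte, which is why a short list of such commands is a poor substitute for a kernel /dev/random and why dropping one line from the file is safe only if the remaining commands still reach the pool's target.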
Damien Miller
2000-Nov-19 00:30 UTC
OpenSSH entropy/PRNG (was: Why does ssh try to run df, netstat, arp ...?)
On Fri, 17 Nov 2000, Loomis, Rip wrote:

> Related question:
> Is anyone actively trying to get Yarrow or some other
> algorithmic source of entropy into OpenSSH? I suppose
> this is really a question for the OpenSSL folks...

Yarrow provides a similar infrastructure to the RAND_* functions in OpenSSL - an entropy pool. You still have to come up with an appropriate number of random bits. Hassle your vendor for /dev/random support in their OS :)

-d

--
| ``We've all heard that a million monkeys banging on | Damien Miller -
| a million typewriters will eventually reproduce the | <djm at mindrot.org>
| works of Shakespeare. Now, thanks to the Internet,  /
| we know this is not true.'' - Robert Wilensky UCB  / http://www.mindrot.org