Hi,
I'm trying to build an openssh pkgadd package which is portable across
Solaris 2.6,7 & 8, so I can't rely on /dev/random support and must
instead fall back to ssh_prng_cmds for collecting entropy.
One of the default commands in ssh_prng_cmds "arp -a -n" is a problem
for any (2.6, at least) host which doesn't have an efficient/working DNS
or other name resolution system - basically, without name service, this
command hangs for a very long time, so effectively DoS'ing the sshd. The
problem is that 'arp -a' doesn't seem to recognise '-n', and
arp
desparately wants to resolve (at least) 224.0.0.0 (the interface
multicast address). The command doesn't add much entropy either, as
apart from the long wait, its output is the same as "netstat -pn" two
lines above (which does understand '-n' and doesn't hang on DNS).
Off course I can 'fix' it locally (remove it), and put the fix in my
package, but I thought I should report it here in the hope that its
'fixed' properly in a future release, and I have one less local patch to
worry about. Hopefully, this note in the archive might help some other
poor solaris user out in future too..
Cris
c.bailiff at devsecure.com
