openssh unix dev - Oct 2001 - New feature: remote entropy gatherer port

[NOTE: I'm new to this list and this is my first
	approach to OpenSSH code.]

I've enhanced "--with-prngd-port=PORT" flag to accept an
optional hostname as in "myhost:myport", e.g.:

  % ./configure --with-prngd-port=example.com:12345

Although I'm certain that this may cause big trouble if remote
gatherer isn't online (ssh will refuse to open any connection)
I think it's an interesting enhancement, specially if you have an
specialized random gatherer in your local environment.

Imagine a server running egd or prngd feeding from the usual PRNG
shell commands. Then, add to that server some random traffic from
your local network or from other random gatherers like random.org
(e.g. http://random.org/cgi-bin/randbyte?nbytes=128&format=f ),
etc. Thus, all random requesters (OpenSSH, OpenSSL, GnuPG, etc.)
could use the same gatherer and requesters won't need to run all
those PRNG shell commands all the time (I've noticed 10 sec.
delays in some hosts that lack a random device).

I've attached the diff to openssh-2.9.9p2 (the last release I've
seen) and I'm planning to add some sshd_config options to select
PRNGD hostname and port but, first, I'd like to know what you
think about this.

Thanks.

--
Alex Muntada <alexm at ac.upc.es>
http://people.ac.upc.es/alexm/
-------------- next part --------------
*** acconfig.h.orig	Thu Sep 20 21:43:41 2001
--- acconfig.h	Tue Oct  2 20:25:35 2001
***************
*** 95,100 ****
--- 95,103 ----
  /* Location of PRNGD/EGD random number socket */
  #undef PRNGD_SOCKET
  
+ /* Port number of PRNGD/EGD random number host */
+ #undef PRNGD_HOST
+ 
  /* Port number of PRNGD/EGD random number socket */
  #undef PRNGD_PORT
  
*** configure.in.orig	Wed Sep 26 00:39:38 2001
--- configure.in	Tue Oct  2 20:34:09 2001
***************
*** 1494,1505 ****
  	]
  )
  
! # Check for PRNGD/EGD pool file
  AC_ARG_WITH(prngd-port,
! 	[  --with-prngd-port=PORT  read entropy from PRNGD/EGD localhost:PORT],
  	[
  		if test ! -z "$withval" -a "x$withval" !=
"xno" ; then
! 			PRNGD_PORT="$withval"
  			AC_DEFINE_UNQUOTED(PRNGD_PORT, $PRNGD_PORT)
  		fi
  	]
--- 1494,1510 ----
  	]
  )
  
! # Check for PRNGD/EGD pool port (with remote host support)
  AC_ARG_WITH(prngd-port,
! 	[  --with-prngd-port=[HOST:]PORT  read entropy from PRNGD/EGD HOST:PORT
(default=localhost:PORT)],
  	[
  		if test ! -z "$withval" -a "x$withval" !=
"xno" ; then
! 			if test ! -z "$withval" -a "x$withval" !=
"xno" ; then
! 				PRNGD_HOST=`echo $withval | sed "s~:.*$~~"`
! 				AC_DEFINE_UNQUOTED(PRNGD_HOST, "$PRNGD_HOST")
! 			fi
! 
! 			PRNGD_PORT=`echo $withval | sed "s~^.*:~~"`
  			AC_DEFINE_UNQUOTED(PRNGD_PORT, $PRNGD_PORT)
  		fi
  	]
*** entropy.c.orig	Mon Aug  6 08:51:49 2001
--- entropy.c	Tue Oct  2 20:39:25 2001
***************
*** 90,95 ****
--- 90,98 ----
  	int fd;
  	char msg[2];
  #ifdef PRNGD_PORT
+ #ifdef PRNGD_HOST
+ 	struct hostent *he;
+ #endif
  	struct sockaddr_in addr;
  #else
  	struct sockaddr_un addr;
***************
*** 101,107 ****
--- 104,120 ----
  
  #ifdef PRNGD_PORT
  	addr.sin_family = AF_INET;
+ #ifdef PRNGD_HOST
+ 	he = gethostbyname(PRNGD_HOST);
+ 	if (he == NULL) {
+ 	        error("Could not get IP address for hostname %s.",
PRNGD_HOST);
+ 		goto done;
+ 	}
+ 
+ 	memcpy(&addr.sin_addr.s_addr, he->h_addr_list[0], sizeof(struct
in_addr));
+ #else /* use localhost IP address */
  	addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+ #endif
  	addr.sin_port = htons(PRNGD_PORT);
  	addr_len = sizeof(struct sockaddr_in);
  #else /* use IP socket PRNGD_SOCKET instead */
***************
*** 137,144 ****
--- 150,162 ----
  
  	if (connect(fd, (struct sockaddr*)&addr, addr_len) == -1) {
  #ifdef PRNGD_PORT
+ #ifdef PRNGD_HOST
+ 		error("Couldn't connect to PRNGD host %s port %d: %s",
+ 			PRNGD_HOST, PRNGD_PORT, strerror(errno));
+ #else
  		error("Couldn't connect to PRNGD port %d: %s",
  		    PRNGD_PORT, strerror(errno));
+ #endif
  #else
  		error("Couldn't connect to PRNGD socket \"%s\": %s",
  		    addr.sun_path, strerror(errno));

This has been talked about before (actually joked about because PRNGd
supports this idea with maybe a tweak or two), but the main question is
the security of the matter.  How easily would it be to insert a
predicatable set of information into this 'unencryption' data streem in
order to weaken the encryption.  Or just as bad someone hijacking the IP
of the box and feeding predictable data out to all clients.

What if your 'entropy host' is down (crashed machine, DoSed, etc).. Do
you
really wish to trust entropy collection off your machine?  I'd rather see
OSes implement the right kernel level tools instead of giving them an
excuse to say it is not required.

I'd rather not see anything like this go into the portable tree.  It will
end up being yet another option for uninformed people to use and screw up.
And thus blame on us for their lack of understanding (much like KeepAlive
and friends <sigh>).

On Tue, 2 Oct 2001, Alex Muntada wrote:
> 	[NOTE: I'm new to this list and this is my first
> 	approach to OpenSSH code.]
>
> I've enhanced "--with-prngd-port=PORT" flag to accept an
> optional hostname as in "myhost:myport", e.g.:
>
>   % ./configure --with-prngd-port=example.com:12345
>
> Although I'm certain that this may cause big trouble if remote
> gatherer isn't online (ssh will refuse to open any connection)
> I think it's an interesting enhancement, specially if you have an
> specialized random gatherer in your local environment.
>
> Imagine a server running egd or prngd feeding from the usual PRNG
> shell commands. Then, add to that server some random traffic from
> your local network or from other random gatherers like random.org
> (e.g. http://random.org/cgi-bin/randbyte?nbytes=128&format=f ),
> etc. Thus, all random requesters (OpenSSH, OpenSSL, GnuPG, etc.)
> could use the same gatherer and requesters won't need to run all
> those PRNG shell commands all the time (I've noticed 10 sec.
> delays in some hosts that lack a random device).
>
> I've attached the diff to openssh-2.9.9p2 (the last release I've
> seen) and I'm planning to add some sshd_config options to select
> PRNGD hostname and port but, first, I'd like to know what you
> think about this.
>
> Thanks.
>
> --
> Alex Muntada <alexm at ac.upc.es>
> http://people.ac.upc.es/alexm/
>

On Tue, 2 Oct 2001, Alex Muntada wrote:
> 	[NOTE: I'm new to this list and this is my first
> 	approach to OpenSSH code.]
> 
> I've enhanced "--with-prngd-port=PORT" flag to accept an
> optional hostname as in "myhost:myport", e.g.:
> 
>   % ./configure --with-prngd-port=example.com:12345
You didn't enhance, you broke. This will allow a local eavesdropper to
sniff the entropy on as it crosses your network.

If an attacker can sniif the entropy, they can predict session keys,
new host or user keys that are generated and can even determine
existing DSA keys. This makes the use of SSH worse than useless.

-d

-- 
| Damien Miller <djm at mindrot.org> \ ``E-mail attachments are the poor
man's
| http://www.mindrot.org          /   distributed filesystem'' - Dan
Geer