Hello all,

I tried OpenSSH versions 2.1.1p4, 2.2.0p1 and the latest snapshot briefly
on 64-bit Irix 6.5.7f and 6.5.9m.

Both times, no matter what I do, I'll get 'PRNG initialization failed
-- exiting'. This happens with ssh-keygen (the keys aren't even generated
yet, ssh binary etc.)

It's clear that Irix etc. don't have a proper entropy pool like *BSD and
Linux do, but shouldn't this be at least usable?

FWIW, configure shows for entropy source: Builtin (timeout 200).

I read a mention or two about entropy daemons and such, but I'm not sure
if those should be a must to get this to run..

Any ideas what might be wrong here?

--
Pekka Savola                 "Tell me of difficulties surmounted,
Pekka.Savola at netcore.fi    not those you stumble over and fall"

Play with your ${BASEDIR}/etc/ssh_prng_cmds file. On NeXT I had to
change most of the numbers almost up to 0.8 in order to get enough
PRNG. Granted.. You want those numbers as low as possible.

If you do a:

ssh -v site.com

it will show you how much PRNG is generated (you need at least 16 bytes).

- Ben

On Thu, 28 Sep 2000, Pekka Savola wrote:

> Hello all,
>
> I tried OpenSSH versions 2.1.1p4, 2.2.0p1 and the latest snapshot briefly
> on 64-bit Irix 6.5.7f and 6.5.9m.
>
> Both times, no matter what I do, I'll get 'PRNG initialization failed
> -- exiting'. This happens with ssh-keygen (the keys aren't even generated
> yet, ssh binary etc.)
>
> It's clear that Irix etc. don't have a proper entropy pool like *BSD and
> Linux do, but shouldn't this be at least usable?
>
> FWIW, configure shows for entropy source: Builtin (timeout 200).
>
> I read a mention or two about entropy daemons and such, but I'm not sure
> if those should be a must to get this to run..
>
> Any ideas what might be wrong here?
>
> --
> Pekka Savola                 "Tell me of difficulties surmounted,
> Pekka.Savola at netcore.fi    not those you stumble over and fall"

> -----Original Message-----
> From: Ben Lindstrom [mailto:mouring at pconline.com]
>
> Play with your ${BASEDIR}/etc/ssh_prng_cmds file. On NeXT I had to
> change most of the numbers almost up to 0.8 in order to get enough
> PRNG. Granted.. You want those numbers as low as possible.
> If you do a:
> ssh -v site.com it will show you how much PRNG is generated
> (you need at least 16 bytes).

I'm assuming that I just don't know how to read, but what does that line
look like? This would be my guess, but I'm not real sure, as it isn't
clear what this is talking about (to me).

debug: len 55 datafellows 0

Greg

On Thu, 28 Sep 2000, Pekka Savola wrote:

> Hello all,
>
> I tried OpenSSH versions 2.1.1p4, 2.2.0p1 and the latest snapshot briefly
> on 64-bit Irix 6.5.7f and 6.5.9m.
>
> Both times, no matter what I do, I'll get 'PRNG initialization failed
> -- exiting'. This happens with ssh-keygen (the keys aren't even generated
> yet, ssh binary etc.)
>
> It's clear that Irix etc. don't have a proper entropy pool like *BSD and
> Linux do, but shouldn't this be at least usable?
>
> FWIW, configure shows for entropy source: Builtin (timeout 200).
>
> I read a mention or two about entropy daemons and such, but I'm not sure
> if those should be a must to get this to run..

Portable OpenSSH tries to collect randomness by running commands and
stirring their output into OpenSSL's random pool. If enough commands
fail, or no data is read from said commands then you will fail with
the above error message.

You may want to adjust the commands in the ssh_prng_cmds to suit your
system. If you have any favourites, please send them to me for inclusion.

Alternately you can debug the execution of the commands by defining the
DEBUG_ENTROPY flag in entropy.c

-d

--
| ``The power of accurate observation is  | Damien Miller <djm at mindrot.org>
| commonly called cynicism by those who   | @Work <djm at ibs.com.au>
| have not got it'' - George Bernard Shaw | http://www.mindrot.org

On Thu, Sep 28, 2000 at 12:46:53AM +0300, Pekka Savola wrote:

> Hello all,
>
> I tried OpenSSH versions 2.1.1p4, 2.2.0p1 and the latest snapshot briefly
> on 64-bit Irix 6.5.7f and 6.5.9m.
>
> Both times, no matter what I do, I'll get 'PRNG initialization failed
> -- exiting'. This happens with ssh-keygen (the keys aren't even generated
> yet, ssh binary etc.)
>

I've had some minor problems with netstat timing out when used for PRNG
on IRIX, so I just commented the netstat lines out from etc/ssh_prng_cmds.
Works much better now.

-jf
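
An added example, not part of the thread and not OpenSSH code: a small Python audit of an ssh_prng_cmds-style file that runs each command under a timeout and reports which ones time out, fail, are missing or return no data, the cases Damien Miller's and -jf's messages describe. The entry layout (quoted command line, binary path, rate), the bytes-times-rate estimate and reading configure's "timeout 200" as milliseconds are assumptions; the sample entries are constructed.

```python
import shlex
import subprocess

# Constructed sample. Assumed layout per line: "command line" /path/to/binary rate
SAMPLE = '''\
# constructed entries, not copied from a shipped ssh_prng_cmds
"ls -alni /tmp" /bin/ls 0.02
"sleep 3" /bin/sleep 0.05
"netstat -an" /no/such/path/netstat 0.05
'''

def parse_prng_cmds(text):
    """Return (argv, path, rate) for every non-blank, non-comment line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        cmdline, path, rate = shlex.split(line)
        entries.append((shlex.split(cmdline), path, float(rate)))
    return entries

def probe(argv, path, rate, timeout=0.2):
    """Run one command; classify it as ok, empty, failed, timeout or missing.
    The 0.2 s default assumes configure's "timeout 200" means milliseconds."""
    try:
        done = subprocess.run(argv, executable=path, timeout=timeout,
                              stdin=subprocess.DEVNULL, stdout=subprocess.PIPE,
                              stderr=subprocess.DEVNULL)
    except subprocess.TimeoutExpired:
        return {"status": "timeout", "bytes": 0, "estimate": 0.0}
    except OSError:  # binary absent or not executable on this platform
        return {"status": "missing", "bytes": 0, "estimate": 0.0}
    size = len(done.stdout)
    status = "failed" if done.returncode else ("ok" if size else "empty")
    # Assumption: a usable command is credited output bytes times its rate.
    estimate = size * rate if status == "ok" else 0.0
    return {"status": status, "bytes": size, "estimate": estimate}

def audit(text, timeout=0.2):
    """Probe every entry; return (command line, result) pairs in file order."""
    return [(" ".join(argv), probe(argv, path, rate, timeout))
            for argv, path, rate in parse_prng_cmds(text)]

if __name__ == "__main__":
    for cmd, res in audit(SAMPLE):
        print(f"{res['status']:8} {res['bytes']:6d} bytes  "
              f"estimate {res['estimate']:6.2f}  {cmd}")
```

Entries reported as timeout or missing are the candidates to comment out or replace, as -jf did with the netstat lines.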