Hi there,

I have all my additional software mounted from one central place.
Therefore I'm trying to limit all unnecessary local files.
Local config files are ok... e.g. keys, ssh_config etc, but why
needs ssh_prng_cmds to be in /etc? So why not put it into $bindir?
There are no problems doing this with a few manual fixes. So
are there any security concerns? Is it possible to make this a
configuration option in the future?

Best regards,
Armin
On Thu, 5 Apr 2001, Armin Kunaschik wrote:

> Hi there,
>
> I have all my additional software mounted from one central place.
> Therefore I'm trying to limit all unnecessary local files.
> Local config files are ok... e.g. keys, ssh_config etc, but why
> needs ssh_prng_cmds to be in /etc? So why not put it into $bindir?
> There are no problems doing this with a few manual fixes. So
> are there any security concerns? Is it possible to make this a
> configuration option in the future?

I don't agree with 'ssh_prng_cmds' being in $bindir. It's a
configuration file, and therefore should be in /etc or ${PREFIX}/etc.
Putting it in ${BINDIR} is illogical and not something that people
would think of without referring to any technical notes you leave
behind if you were to leave for vacation or a new job.

However, I suggest you really use PRNGd instead of the built-in
entropy generation if you can. You get higher quality entropy and
you don't have to worry about 'ssh_prng_cmds' in /etc.

- Ben
On Thu, 5 Apr 2001, Armin Kunaschik wrote:

> Hi there,
>
> I have all my additional software mounted from one central place.
> Therefore I'm trying to limit all unnecessary local files.
> Local config files are ok... e.g. keys, ssh_config etc, but why
> needs ssh_prng_cmds to be in /etc? So why not put it into $bindir?
> There are no problems doing this with a few manual fixes. So
> are there any security concerns? Is it possible to make this a
> configuration option in the future?

You are better off using PRNGd[1] rather than portable OpenSSH's
own RNG. It is more secure, reduces your system load and is more
configurable.

-d

[1] http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html

--
| Damien Miller <djm at mindrot.org> \ ``E-mail attachments are the poor man's
| http://www.mindrot.org             /   distributed filesystem'' - Dan Geer
> You are better off using PRNGd[1] rather than portable OpenSSH's
> own RNG. It is more secure, reduces your system load and is more
> configurable.

I'm not sure if I understand this. I have checked PRNGd out... it
uses the same scheme (output from various system commands) to get
random bytes. This should cause the same amount of system load!?
I don't know if it's more secure... but the amount of work is
higher, especially in a heterogeneous environment. Therefore I
would prefer the built-in feature...

Are there any plans to include the PRNGd functionality into OpenSSH?

Regards,
Armin
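The "output from various system commands" scheme that both the built-in gatherer and PRNGd rely on is what makes ssh_prng_cmds a configuration file rather than a binary: each line pins a command to an absolute path and carries a per-host entropy-rate estimate, and both of those differ from machine to machine. The following is an added illustration, not code from the OpenSSH or PRNGd projects. It assumes the three-field line layout `"command args" /absolute/path bits_per_byte`, uses a constructed sample file and constructed command output so it runs offline, and performs the checks an administrator would want before trusting such a file: the path is absolute, the binary exists, is executable, and is not world-writable.

```python
import hashlib
import os
import shlex
from dataclasses import dataclass

# Constructed sample in the assumed ssh_prng_cmds layout; the paths and
# rate estimates are illustrative, not taken from any real installation.
SAMPLE_PRNG_CMDS = """
# command                     path        estimated entropy (bits/byte)
"ls -alni /var/log"           /bin/ls     0.02
"netstat -an"                 /bin/netstat 0.05
"df -k"                       /bin/df     0.01
"""


@dataclass
class PrngCmd:
    argv: list          # command and arguments to execute
    path: str           # absolute path the binary is pinned to
    rate: float         # estimated entropy bits per byte of output


def parse_prng_cmds(text: str) -> list:
    """Parse the assumed '"cmd args" /path rate' layout, skipping comments."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)  # honours the quoted first field
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(fields)}")
        cmd, path, rate = fields
        if not path.startswith("/"):
            raise ValueError(f"line {lineno}: path must be absolute: {path}")
        entries.append(PrngCmd(cmd.split(), path, float(rate)))
    return entries


def check_entry(entry: PrngCmd) -> list:
    """Return the reasons an entry should not be run; empty list means OK.

    A pinned absolute path only helps if the file at that path is really
    the intended binary and cannot be replaced by an unprivileged user.
    """
    problems = []
    if not os.path.exists(entry.path):
        problems.append(f"missing: {entry.path}")
        return problems
    if not os.access(entry.path, os.X_OK):
        problems.append(f"not executable: {entry.path}")
    mode = os.stat(entry.path).st_mode
    if mode & 0o002:
        problems.append(f"world-writable: {entry.path}")
    return problems


def gather(entries: list, runner) -> tuple:
    """Run each command via `runner(path, argv) -> bytes`, hash all output
    together and sum the estimated entropy.  Returns (bits, hex digest).

    The estimate is len(output) * rate, which is exactly why the rate
    column is per-host configuration: the same command yields very
    different output volume and variability on different systems.
    """
    pool = hashlib.sha256()
    total_bits = 0.0
    for entry in entries:
        if check_entry(entry):
            continue  # skip entries that fail the sanity checks
        out = runner(entry.path, entry.argv)
        pool.update(out)
        total_bits += len(out) * entry.rate
    return total_bits, pool.hexdigest()


def fake_runner(path: str, argv: list) -> bytes:
    """Constructed runner for offline use: returns fixed output per command."""
    canned = {
        "/bin/ls": b"x" * 100,       # 100 bytes * 0.02 = 2.0 bits
        "/bin/netstat": b"y" * 40,   # 40 bytes * 0.05 = 2.0 bits
        "/bin/df": b"z" * 50,        # 50 bytes * 0.01 = 0.5 bits
    }
    return canned[path]


def estimate_with_fake_paths() -> float:
    """Bypass the filesystem checks so the arithmetic can be shown offline."""
    entries = parse_prng_cmds(SAMPLE_PRNG_CMDS)
    pool = hashlib.sha256()
    total = 0.0
    for e in entries:
        out = fake_runner(e.path, e.argv)
        pool.update(out)
        total += len(out) * e.rate
    return total


if __name__ == "__main__":
    for e in parse_prng_cmds(SAMPLE_PRNG_CMDS):
        print(e.path, check_entry(e) or "ok")
    print("estimated bits from constructed output:", estimate_with_fake_paths())
```

On a real host `gather()` would be called with a runner built on `subprocess.run([entry.path, *entry.argv[1:]], capture_output=True)`; the point of the demonstration is that both the binary paths and the rate column are host-specific data, which is the argument for keeping the file under /etc or ${PREFIX}/etc rather than beside the binaries.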