openssh unix dev - Dec 2001 - [Bug 13] Need faster ssh startup when no /dev/random or prngd available

http://bugzilla.mindrot.org/show_bug.cgi?id=13

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|normal                      |enhancement



------- Additional Comments From djm at mindrot.org  2001-12-12 11:46 -------
I don't like this - you could easily end up in a situation where you end up
using  essentially the same seed over and over again.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

On Wed, Dec 12, 2001 at 11:46:43AM +1100, bugzilla-daemon at mindrot.org
wrote:
> http://bugzilla.mindrot.org/show_bug.cgi?id=13
> 
> djm at mindrot.org changed:
> 
>            What    |Removed                     |Added
>
----------------------------------------------------------------------------
>            Severity|normal                      |enhancement
> 
> 
> 
> ------- Additional Comments From djm at mindrot.org  2001-12-12 11:46
-------
> I don't like this - you could easily end up in a situation where you
end up
> using  essentially the same seed over and over again.

I put the following response into bugzilla, but for some reason it
didn't send email to anybody:




------- Additional Comments From Dave Dykstra 2001-12-13 01:31 -------

No, that's not true, because every startup still adds small amounts of
easily
gathered entropy.  You could argue that that means people could guess all the
possibilities and try them all, but they can't because they do not know the
contents of the seed file which was originally generated from a large amount
of entropy.  The only added risk is that somebody may get hold of the seed
file, but if the ~/.ssh directory is not secured someone could easily break
in anyway so I maintain that it doesn't add any more overall risk.  There is
no way for someone to guess the contents of the seed file by examining network
traffic because the psuedo-random number generation process is not reversible.
As an added protection, the seed file is re-written with additional entropy
mixed in each time ssh is run.

You don't have to rely on just my arguments, either: the SSH 1.2.* series
did
this and there was never any CERT advisories nor complaints from crypto experts
about it, and pointing out SSH weaknesses have brought fame to many of them
so I'm sure that if there was a weakness here you would have heard about it.
Also, GnuPG does essentially the same thing on systems that don't have
/dev/random.

http://bugzilla.mindrot.org/show_bug.cgi?id=13

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX



------- Additional Comments From djm at mindrot.org  2001-12-29 00:57 -------
This is redundant now. You can implement whatever local policy you like using
shell script wrappers around the new ssh-rand-helper in -current CVS



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.