I've installed Sun's SUNWski package on Solaris 8 (32-bit) that provides a /dev/random interface. It appears to, as cat'ing it gives me a bunch of, well, random data.

However, when I ran my configure, it gives me the WARNING.RND message to the effect that I'm using the built-in. I've seen allusions on this list to building openssl with to get random support, so I rebuilt it and then reran configure for openssh. No changes. OpenSSL made references to a RANDFILE environment variable, so I set it, reconfigured and built openssl, then reconfigured openssh. I'm still getting the message that I have built-in random source.

What gives? What do I have to do to get openssh or openssl to see my /dev/random?

Thanks,
Jason Lacoss-Arnold
TS/Unix Architecture
314-955-8501
* Lacoss-Arnold, Jason <Jason.Lacoss-Arnold at AGEDWARDS.com> [2002-04-11T07:17-0700]:
> What gives? What do I have to do to get openssh or openssl to see my
> /dev/random?

OpenSSL looks for /dev/urandom by default, and might be missing the /dev/random device ANDIrand installs:

*** e_os.h.orig Thu Nov 8 06:36:49 2001 --- e_os.h Thu Apr 11 07:29:43 2002 *************** *** 79,85 **** #ifndef DEVRANDOM /* set this to your 'random' device if you have one. * My default, we will try to read this file */ ! #define DEVRANDOM "/dev/urandom" #endif #if defined(__MWERKS__) && defined(macintosh) --- 79,85 ---- #ifndef DEVRANDOM /* set this to your 'random' device if you have one. * My default, we will try to read this file */ ! #define DEVRANDOM "/dev/random" #endif #if defined(__MWERKS__) && defined(macintosh)

> WARNING: All e-mail sent to and from this address will be received or
> otherwise recorded by the A.G. Edwards corporate e-mail system and is
> subject to archival, monitoring or review by, and/or disclosure to,
> someone other than the recipient.

/me waves at the nice lawyers

--
Jeremy Mates http://www.sial.org/
OpenPGP: 0x11C3D628 (4357 1D47 FF78 24BB 0FBF 7AA8 A846 9F86 11C3 D628)
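Review bot: the changed `#define DEVRANDOM` line replaces the default device literal outright, so a build carrying this patch no longer tries "/dev/urandom" at all. Because the define sits inside `#ifndef DEVRANDOM`, the same effect is available without editing e_os.h by defining DEVRANDOM when compiling, which leaves the stock default in place for hosts that do have /dev/urandom. Separately, the comment in the unchanged context reads "My default", which looks like a typo for "By default" and could be corrected while the file is open.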
On Thu, 11 Apr 2002, Lacoss-Arnold, Jason wrote:

> Date: Thu, 11 Apr 2002 09:10:48 -0500
> From: "Lacoss-Arnold, Jason" <Jason.Lacoss-Arnold at AGEDWARDS.com>
> To: "'openssh-unix-dev at mindrot.org'" <openssh-unix-dev at mindrot.org>
> Subject: getting OpenSSH/OpenSSL to utilize /dev/random
>
> I've installed Sun's SUNWski package on Solaris 8 (32-bit) that provides a
> /dev/random interface. It appears to as cat'ing it gives me a bunch of
> well, random data.
>
> However, when I ran my configure, it gives me the WARNING.RND message to the
> effect that I'm using the built-in. I've seen allusions on this list to
> building openssl with to get random support, so I rebuilt it and then rerun
> configure for openssh. No changes. OpenSSL made references to a RANDFILE
> environment variable, so I set it, reconfigured and built openssl, then
> reconfigured openssh. I'm still getting the message that I have built-in
> random source.
>
> What gives? What do I have to do to get openssh or openssl to see my
> /dev/random?

I had a similar problem. The key is that you don't have to build OpenSSL 0.9.6c in any special way to get /dev/urandom support (on Solaris 8 at least) - it appears to try to use it if it's there at run-time (when OpenSSH is compiled on any Unix system). As a matter of fact, there don't appear to be any user-configurable options at all for /dev/urandom support in OpenSSL. In e_os.h, DEVRANDOM is set to "/dev/urandom" and in crypto/rand/rand_win.c, if you're not compiling on Win32, there is code in RAND_poll() that calls open(DEVRANDOM...).

So, the real trick to be rid of the OpenSSH internal entropy stuff and use only /dev/urandom is to configure OpenSSH with "--with-rand-helper=no" and there will be no warning about how you've configured OpenSSH to use the random helper stuff.

Hope this helps...
Ed

Ed Phillips <ed at udel.edu> University of Delaware
(302) 831-6082 Systems Programmer III, Network and Systems Services
finger -l ed at polycut.nss.udel.edu for PGP public key
i have used the SUNWski, ANDIrand, and sun's new (solaris 8 patch 112438) PRNG. they all work just fine.

as i recall SUNWski, by default, only provides a /dev/random interface. you can modify the startup script to either provide /dev/urandom instead or provide both /dev/random and /dev/urandom, of course the catch here is that urandom is supposed to be non-blocking and the interface provided by SUNWski is blocking. i have seen connection startup hang when using the SUNWski package on "quiet" machines due to entropy pool depletion, but only when there are a fairly large number of session connections.

i've used ANDIrand on Solaris 2.6, 7 and 8 for the past two years with no problems.

i have just finished converting my Solaris 8 systems to use sun's new PRNG as sun will support it and it is the package that will be shipped with Solaris 9 and on.

i build OpenSSL with this script:

    env \
      CC=cc \
      CXX=CC \
      CFLAGS="-fast -I/local/include" \
      CPPFLAGS="-I/local/include" \
      CXXFLAGS="-fast -I/local/include" \
      LDFLAGS="-L/local/lib -R/local/lib" \
      TMPDIR="/tmp" \
      ./Configure \
        --prefix=/local \
        threads \
        shared \
        solaris-sparcv9-cc
    if ( $? == 0 ) then
      gmake
    endif

then build OpenSSH with this script:

    env \
      CC=cc \
      CXX=CC \
      CFLAGS="-fast -I/local/include" \
      CPPFLAGS="-I/local/include" \
      LDFLAGS="-L/local/lib -R/local/lib" \
      TMPDIR="/tmp" \
      ./configure \
        --prefix=/local \
        --sysconfdir=/etc/openssh \
        --localstatedir=/var \
        --with-tcp-wrappers \
        --with-pam \
        --with-ssl-dir=/local \
        --disable-suid-ssh \
        --with-pid-dir=/var/run
    if ( $? == 0 ) then
      gmake
    endif
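Added example, not part of the thread and not code from OpenSSL or OpenSSH: a bounded probe of the devices discussed above, reporting whether each one exists as a character device and how many bytes it delivers before a timeout, which exposes the blocking behaviour described for SUNWski's /dev/random. The function name, the return codes, the 16-byte request and the 500 ms timeout are assumptions made for this illustration.

```c
/* Added example, not OpenSSL/OpenSSH code; 16 bytes / 500 ms are assumed. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/select.h>
#include <sys/stat.h>
#include <unistd.h>

#define PROBE_MISSING     (-1)  /* open() failed: absent or unreadable */
#define PROBE_NOT_CHARDEV (-2)  /* exists, but is not a character device */
/* Returns bytes read before the timeout (fewer than `want` means the
 * device stalled or hit EOF), or one of the negative PROBE_* codes. */
int probe_random_device(const char *path, size_t want, int timeout_ms)
{
    unsigned char buf[64];
    struct stat st;
    fd_set rfds;
    struct timeval tv;
    size_t got = 0;
    ssize_t n;
    int fd = open(path, O_RDONLY | O_NONBLOCK | O_NOCTTY);
    if (fd < 0)
        return PROBE_MISSING;
    if (fstat(fd, &st) != 0 || !S_ISCHR(st.st_mode)) {
        close(fd);
        return PROBE_NOT_CHARDEV;
    }
    if (want > sizeof(buf))
        want = sizeof(buf);
    while (got < want) {
        FD_ZERO(&rfds);
        FD_SET(fd, &rfds);
        tv.tv_sec = timeout_ms / 1000;
        tv.tv_usec = (timeout_ms % 1000) * 1000;
        if (select(fd + 1, &rfds, NULL, NULL, &tv) <= 0)
            break;              /* timed out: the pool is not delivering */
        n = read(fd, buf + got, want - got);
        if (n <= 0)
            break;              /* EOF, EAGAIN or a hard error */
        got += (size_t)n;
    }
    close(fd);
    return (int)got;
}
int main(void)
{
    const char *devs[] = { "/dev/random", "/dev/urandom" };
    for (int i = 0; i < 2; i++)
        printf("%-12s -> %d\n", devs[i], probe_random_device(devs[i], 16, 500));
    return 0;
}
```

A result below the requested count for a device that exists means a reader opened without O_NONBLOCK would have waited at that point.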