Displaying 20 results from an estimated 28 matches for "init_rng".
2001 Mar 13
0
ssh through proxy (was: prng_cmds/init_rng() question/patch)
...> From: Mats Andersson [mailto:mats at mindbright.se]
> Sent: Tuesday, March 13, 2001 12:30 AM
> To: Lewandowsky, Matt
> Cc: 'Gert Doering'; J.S.Peatfield at damtp.cam.ac.uk; dwd at bell-labs.com;
> openssh-unix-dev at mindrot.org
> Subject: ssh through proxy (was: prng_cmds/init_rng() question/patch)
>
>
>
> Hi,
>
> Sorry for pushing this even further off topic but since
> someone mentioned
> MindTerm I couldn't resist answering :-)
>
> On Mon, 12 Mar 2001, Lewandowsky, Matt wrote:
> > Is there anything like this atm which uses the...
2001 Mar 11
4
prng_cmds/init_rng() question/patch
...that if the file
can't be opened -- at a cost of about +2K to the client size.. (I
considered having a command line option to specify the location but
that would mean changes in too many other places).
Having got some working code, it took me some time to spot that
debug/verbose do nothing in init_rng() since it is called before
options processing. It is also called before giving up any privilege.
Is this right? Would it be safe to move the call to init_rng() to
later when we have options and have dropped priv? I don't know which
calls need the rng to have already been initialized.
My cu...
2015 Aug 11
0
[Bug 1932] dangling init_rng prototype in entropy.h
https://bugzilla.mindrot.org/show_bug.cgi?id=1932
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Set all RESOLVED bugs to CLOSED with release
2001 Mar 14
1
poor default seeding of RNG
Correct me if I'm wrong, but init_rng() in entropy.c doesn't call
seed_rng(), and in fact seed_rng() isn't called from _anywhere_ (in
openssh-2.5.1p2). So calls to BN_rand() only pick up the
tiny/non-existent amount of entropy added by BN_rand() itself from the
system clock (time in seconds). Shouldn't seed_rng() be calle...
2001 Jun 07
2
Patch to enable multiple possible sources of entropy
...ndom number generator");
-
- if (!get_random_bytes(buf, sizeof(buf))) {
- if (!RAND_status())
- fatal("Entropy collection failed and entropy exhausted");
- } else {
- RAND_add(buf, sizeof(buf), sizeof(buf));
- }
-
- memset(buf, '\0', sizeof(buf));
- }
-
- void
- init_rng(void)
- {
- check_openssl_version();
- }
-
- #else /* defined(USE_PRNGD) || defined(RANDOM_POOL) */
/*
* FIXME: proper entropy estimations. All current values are guesses
* FIXME: (ATL) do estimates at compile time?
--- 208,215 ----
return(1);
}
#endif /* RANDOM_POOL */
+ #i...
2002 May 01
0
[Bug 231] New: ssh-keygen has fatal error while updating comment in RSA1 key
...at cup.hp.com
ssh-keygen reports a fatal error while trying to update the comment field of
an RSA1 key. The error reported is
"Couldn't obtain random bytes (error 604389476)"
This happens because somewhere between 3.0.2p1 and 3.1p1 (the two versions I
examined), the calls to the init_rng() and seed_rng() in the main function got
moved from near the beginning of the function to after where all the options
are processed. The function do_change_comment() handles the comment changing
and is called during option processing. do_change_comment() calls a function
to save the key file, whi...
2011 Feb 07
1
[PATCH] ssh: set proctitle for mux master
...diff --git a/ssh.c b/ssh.c
index d32ef78..8ebcc88 100644
--- a/ssh.c
+++ b/ssh.c
@@ -230,12 +230,25 @@ main(int ac, char **av)
struct servent *sp;
Forward fwd;
- /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
- sanitise_stdfd();
-
__progname = ssh_get_progname(av[0]);
init_rng();
+#ifndef HAVE_SETPROCTITLE
+ /* Prepare for later setproctitle emulation */
+ {
+ /* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
+ char **saved_argv = xcalloc(ac + 1, sizeof(*saved_argv));
+ for (i = 0; i < ac; i++)
+ saved_argv[i] = xstrdup(av[i]);
+ save...
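Review bot: the removal of `sanitise_stdfd()` from the top of main() in this hunk leaves `init_rng()` and the new `xcalloc`/`xstrdup` block running with no visible guarantee that fds 0, 1 and 2 are open. If the call is re-added further down, keep it ahead of anything that can open a descriptor; otherwise leave it in place and add the argv save after it.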
2003 Sep 10
3
[PATCH] No extern declarations of optarg & co if getopt.h is available
...eyscan.c 21 Aug 2003 23:34:41 -0000 1.56
+++ ssh-keyscan.c 10 Sep 2003 18:59:01 -0000
@@ -694,8 +694,10 @@ main(int argc, char **argv)
int opt, fopt_count = 0;
char *tname;
+#ifndef HAVE_GETOPT_H
extern int optind;
extern char *optarg;
+#endif
__progname = ssh_get_progname(argv[0]);
init_rng();
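Review bot: the `#ifndef HAVE_GETOPT_H` guard around `extern int optind;` and `extern char *optarg;` in main() is only correct if this file actually includes <getopt.h> whenever HAVE_GETOPT_H is defined, and no include is added in the visible lines. Confirm the header is pulled in, directly or through the common includes. Since the same guard is repeated per file (ssh-rand-helper.c follows), a single shared header carrying the fallback declarations would be easier to keep consistent.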
Index: ssh-rand-helper.c
===================================================================
RCS file: /cvs/openssh_cvs/ssh-rand-helper.c,v
retrieving revision 1.13
diff -p -u -r1.13 ssh-rand-helper.c
--- ssh-rand-helper.c 21 Aug 2003 23:34:41 -0000 1.13
+++ ssh-rand-helper.c 10 Sep 2003 18:59:0...
2001 Dec 21
6
Killing the builtin entropy code
Over the holidays, I intend to finally rid portable OpenSSH of the
builtin entropy collection code. Here's what I intend to do:
When init_rng is called, we'll check OpenSSL's RAND_status(). If this
indicates that their PRNG is already seeded, we'll do nothing. This
effectively detects platforms which have /dev/urandom (or similar)
configured into OpenSSL.
If OpenSSL isn't seeded, we will fork+suid(user)+exec a subprocess...
2004 Jun 30
3
OpenSSL ENGINE support for OpenSSH
Hi all,
attached is a patch that enables using hardware crypto accelerators
available through OpenSSL library for SSH operations. Especially in
ssh/sshd it can bring a significant speed improvement. OTOH if no crypto
engine is available, nothing bad happens and default software crypto
routines are used.
This patch is used in SUSE Linux OpenSSH package and proved to work (at
least it didn't
2001 Mar 22
3
Improper (?) OpenSSL version mismatch (was RE: OpenSSH_2.5.1p1 - RH 6.2)
...(SSLeay() != OPENSSL_VERSION_NUMBER)
> > fatal("OpenSSL version mismatch. Built against %x, you have %x",
> > OPENSSL_VERSION_NUMBER, SSLeay());
> >
> > at the start of every executable to kill this thing once
> and for all.
>
> I might put this in init_rng() so we get it without any more
> disruption.
>
> -d
>
> --
> | Damien Miller <djm at mindrot.org> \ ``E-mail attachments are
> the poor man's
> | http://www.mindrot.org / distributed
> filesystem'' - Dan Geer
>
>
2005 Nov 17
3
4.2 and the 'last' command
We've run into an interesting dilemma regarding last log information and
ssh 4.2p1. In 3.8, we didn't see this problem, but now it has cropped up
in 4.2.
When a user logs in, sshd seems to call 'last' to get the last log
information. 'last' then opens the /var/log/wtmp file and processes the
information. On some systems, this file can be quite large, and we're
seeing
2004 Oct 03
3
[PATCH] PreferAskpass in ssh_config
...NULL;
+
+Options options;
+
+uid_t original_real_uid;
+
static void
clear_pass(void)
{
@@ -311,12 +317,30 @@
AuthenticationConnection *ac = NULL;
char *sc_reader_id = NULL;
int i, ch, deleting = 0, ret = 0;
+ char buf[256];
+ struct passwd *pw;
__progname = ssh_get_progname(argv[0]);
init_rng();
seed_rng();
SSLeay_add_all_algorithms();
+
+ /* Read options */
+ initialize_options(&options);
+
+ pw = getpwuid(original_real_uid = getuid());
+ if (!pw) {
+ logit("You don't exist, go away!");
+ exit(1);
+ }
+
+ snprintf(buf, sizeof buf, "%.100s/%.100s", p...
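Review bot: `pw = getpwuid(original_real_uid = getuid());` buries the assignment to the new global inside a call argument; split it into two statements so the side effect is visible. The failure path pairs `logit()` with `exit(1)` where a single `fatal()` would do, and the `snprintf` into `buf[256]` with "%.100s/%.100s" cannot overflow but silently truncates either component over 100 bytes, so check the result or reject over-long values before using the path.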
2001 Sep 28
3
OpenSSH (portable) and entropy gathering
On Thu, 27 Sep 2001 20:41:05 EDT, Damien Miller writes:
> On Thu, 27 Sep 2001, Dan Astoorian wrote:
>
> >
> > It would (IMHO) be useful if there were a way to optionally configure
> > that code to fall back to the internal entropy gathering routines in the
> > event that EGD was not available; as it is, the routines simply fail if
> > EGD is unavailable at the
2003 Apr 02
0
[Bug 529] sshd doesn't work correctly after SIGHUP
...000 +1100
+++ openssh-3.6p1/sshd.c 2003-03-10 11:38:10.000000000 +1100
@@ -804,8 +821,23 @@
Key *key;
int ret, key_used = 0;
- /* Save argv. */
+#ifdef HAVE_SECUREWARE
+ (void)set_auth_parameters(ac, av);
+#endif
+ __progname = get_progname(av[0]);
+ init_rng();
+
+ /* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
+ saved_argc = ac;
saved_argv = av;
+ saved_argv = xmalloc(sizeof(*saved_argv) * ac);
+ for (i = 0; i < ac; i++)
+ saved_argv[i] = xstrdup(av[i]);
+
+#ifndef HAVE_SETP...
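Review bot: `saved_argv = xmalloc(sizeof(*saved_argv) * ac)` allocates exactly `ac` slots and the loop fills all of them, so the copied vector has no terminating NULL. An argv that is later handed to an exec call needs `ac + 1` entries with `saved_argv[ac] = NULL`. The unchanged `saved_argv = av;` just above the allocation is now a dead store and should be removed.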
2006 Aug 28
0
patch for ssh-agent force confirm keys
...rm && !id->confirm) || confirm_key(id) == 0))
+ if (id != NULL && (!id->confirm || confirm_key(id) == 0))
ok = key_sign(id->key, &signature, &slen, data,
dlen);
}
key_free(key);
@@ -1029,7 +1026,7 @@
init_rng();
seed_rng();
- while ((ch = getopt(ac, av, "Ccdksa:t:")) != -1) {
+ while ((ch = getopt(ac, av, "cdksa:t:")) != -1) {
switch (ch) {
case 'c':
if (s_flag)
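Review bot: the direction of this diff looks reversed for a patch that adds forced confirmation. The getopt string goes from "Ccdksa:t:" to "cdksa:t:", which drops `C`, and the signing condition in the previous hunk loses a clause rather than gaining one. Regenerate it with the old and new trees in the right order so the `+` lines carry the new option.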
@@ -1058,9 +1055,6 @@...
2001 Feb 06
1
RNG not initialised for sftp only under Solaris.
Out of the box on Solaris 2.7 using the internal entropy system. I am
able to login but as soon as I get past the password prompt it dies
because it claims the RNG is not initialised.
Transcript:
[..]
debug: got SSH2_MSG_SERVICE_ACCEPT
You have entered the land of dragons and mystical creatures. This server
does not exist.
2007 Aug 21
1
ssh-agent security
....\n");
fprintf(stderr, " -a socket Bind agent socket to given name.\n");
fprintf(stderr, " -t life Default identity lifetime (seconds).\n");
+ fprintf(stderr, " -i cmd Command to run on new connection.\n");
exit(1);
}
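Review bot: the new usage line for `-i` says only "Command to run on new connection." It should state how cmd is invoked (directly or through a shell), what arguments or environment it receives, and what the agent does with its exit status. The same description belongs in the man page.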
@@ -1047,7 +1093,7 @@
init_rng();
seed_rng();
- while ((ch = getopt(ac, av, "cdksa:t:")) != -1) {
+ while ((ch = getopt(ac, av, "cdksa:i:t:")) != -1) {
switch (ch) {
case 'c':
if (s_flag)
@@ -1070,6 +1116,10 @@
case 'a':
agentsocket = optarg;
break;
+ case 'i'...
2008 Sep 15
0
No subject
...en I am connecting to this server from a remote system. I got an error of buffer_get: trying to get more bytes 1 than buffer 0. And the client is not connecting from the remote system. My output is as follows on my server
in sshd main
before sh_get_programme./bcm.user
in have programme
after ssh_get_programme
after init_rng
before xmalloc
after xmalloc
before initiliase serveroptions
in initilise sever options
after initiliase serveroptions
before ssleay add algorithms
after ssleay add algorithms
in channel set
before log init
after log init
before seed_rng
after seed_rng
before read_server_config
after read_se...
2001 Feb 17
2
Small aix patch to configure.in
The following aix patch to configure.in forces /usr/include to be searched
before /usr/local/include on AIX systems only. This allows the normal
include rules to untangle <login.h> from "login.h" on AIX when using the AIX
cc compiler or gcc. Please see that it gets applied to the current cvs
source tree. It fixes the only compile time error the current cvs tree has
on aix with