similar to: OpenSSH (portable) and entropy gathering

I have a need to have the same OpenSSH binaries run on multiple machines which are administered by different people. That means on Solaris, for example, there will be some with /dev/random, some on which I can run prngd because they'll be installing my binaries as root, and some which will have neither because they will be only installed as non-root. Below is a patch to enable choosing all 3

On Tue, 6 Nov 2001, Dan Astoorian wrote: > Date: Tue, 6 Nov 2001 13:23:58 -0500 > From: Dan Astoorian <djast at cs.toronto.edu> > To: Dave Dykstra <dwd at bell-labs.com> > Cc: Ed Phillips <ed at UDel.Edu> > Subject: Re: Entropy and DSA key > > On Tue, 06 Nov 2001 10:54:12 EST, Dave Dykstra writes: > > > On Mon, 5 Nov 2001, Ed Phillips wrote: >

Now that ssh-rand-helper has been segregated into a separate program, I'd like to revisit an old question about its entropy gathering. - would it be desirable to make it possible for ssh-rand-helper to fall back to external commands if PRNGD cannot be reached, instead of choosing one or the other at compile time? - When using PRNGD, the program gets 48 bytes of entropy from PRNGD,

Over the holidays, I intend to finally rid portable OpenSSH of the builtin entropy collection code. Here's what I intend to do: When init_rng is called, we'll check OpenSSL's RAND_status(). If this indicates that their PRNG is already seeded, we'll do nothing. This effectively detects platforms which have /dev/urandom (or similar) configured into OpenSSL. If OpenSSL isn't

[NOTE: I'm new to this list and this is my first approach to OpenSSH code.] I've enhanced "--with-prngd-port=PORT" flag to accept an optional hostname as in "myhost:myport", e.g.: % ./configure --with-prngd-port=example.com:12345 Although I'm certain that this may cause big trouble if remote gatherer isn't online (ssh will refuse to open any connection) I

I'm trying to compile openssh with openssl 3.1 on a linux machine with kernel 4.15.10. I seem to get stuck at: configure: error: OpenSSH has no source of random numbers. Please configure OpenSSL with an entropy source or re-run configure using one of the --with-prngd-port or --with-prngd-socket options I haven't done anything special in configuring openssl. If I have read the

Hi, I'm running openssh 2.1.1p4 on Solaris 7 (sparc). Occationally, when I boot up the server, the startup script I wrote to start sshd fails to start sshd with the following error: fatal: Not enough entropy in RNG What am I doing wrong?? Is there anything I can do to prevent this from happening? Is just restarting sshd a valid thing to do?? Thanks for any thoughts, David

OpenSSL 1.1.0 has deprecated this function. --- configure.ac | 1 + openbsd-compat/openssl-compat.c | 2 ++ openbsd-compat/openssl-compat.h | 4 ++++ 3 files changed, 7 insertions(+) diff --git a/configure.ac b/configure.ac index 3f7fe2cd..db2aade8 100644 --- a/configure.ac +++ b/configure.ac @@ -2710,6 +2710,7 @@ if test "x$openssl" = "xyes" ; then ])

This one-line patch prevents OpenSSH from depleting entropy unnecessarily from /dev/urandom when the OpenSSL library acquires its own entropy. Without this patch OpenSSH opens /dev/urandom and reads 32 bytes, and then OpenSSL opens it again and reads an additional 20. -- Dan Astoorian People shouldn't think that it's better to have Sysadmin, CSLab loved and

I have successfully compiled OpenSSH 3.1p1 for the following systems: Solaris 8 Solaris 7 Irix 6.5.14 Irix 6.5.4 SunOS 4.1.3_U1 Unfortunately, the new sshd is not working on any of the above systems with the exception of Solaris 7. (I then put the Solaris 7 executables on Solaris 8, and they worked there too.) This is the error I'm getting: $ /usr/etc/sshd -D -d -d -d debug3: Seeing PRNG

In 2.3.0, the per-user config file was read before the system-wide config file, so options set in ~/.ssh/config took precedence over system-wide defaults. In 2.9.9, the system-wide file seems to be read first, contrary to the man page (cf. ssh.c ll. 631-632). It seems to me that the old behaviour made more sense. (I discovered the change because I could not override a "ForwardX11"

Hello! I am running openSSH 2.9x on an IRIX 6.5.x platform. This was recently installed using SGI-supplied "freeware" binaries. I find that as time goes on, it takes more attempts to establish an ssh connection from the IRIX platform to another machine, as it fails with "not enough entropy in PRNG." I posted a note asking for assistance, and received a reply suggesting I

I remember a discussion to the effect that using DSA keys in sshd increases the requirement for random bits available on the system... and that this requirement (was it a 128 bit random number per connection?) presents security problems on systems that don't have a decent source of entropy? Am I misinterpreting those discussions? We are having a problem deploying sshd (no prngd) where sshd

I just ran into what I'd describe as an unexpected side-effect. I don't think it's necessarily a bug, and I don't need any assistance in working around it, but this information might be useful to others for troubleshooting. This was using OpenSSH built under Solaris 2.5.1, and running under 2.5.1 or 8. The symptom was that after upgrading from 3.7.1p1 to 3.7.1p2, some accounts

There are a couple of issues regarding egd support in OpenSSH. 1) SIGPIPE is not ignored for the master listener daemon. I put the signal() call early on since it needs to be before get_random_bytes() is called but it could also be placed in the EGD version of get_random_bytes(). For some reason, with prngd I am getting SIGPIPE even though the prngd processes is not dying.

I've discovered a problem with OpenSSH 2.9.9p2 under Solaris 2.5.1 . In auth.c, secure_filename() walks upwards toward the user's home directory or the filesystem root, verifying that no directories along the way are group or world writable. Solaris 2.5.1's dirname() function has a bug where dirname("/.ssh") returns an empty string instead of "/". This causes

I have a need to provide ssh client binaries for use elsewhere on several platforms, some without /dev/random support. I can't assume that users will know how to install/run prngd or egd, so I was planning to rely on the builtin prng code. However this require the ssh_prng_cmds file to exist in a fixed location -- which would mean making binaries which either look for it in . or other

On Sun, 19 Mar 2023 at 12:25, Nathan Wagner <nw at hydaspes.if.org> wrote: > I'm trying to compile openssh with openssl 3.1 on a linux machine with > kernel 4.15.10. I seem to get stuck at: > > configure: error: OpenSSH has no source of random numbers. Please > configure OpenSSL with an entropy source or re-run configure using one > of the --with-prngd-port or

Before I actually implement the small changes needed to allow the location of ssh-rand-helper to be specified in the config file, I'd like to check that in doing so I won't be opening up a huge security hole. My brief reading of the code suggests that in entropy.c:seed_rng() the ssh-rand-helper is run as the original uid (for binaries which were setuid in the first place of course), so I

I did this as a project back in the early 2002, and I had a nice little how-to to walk me through it. Many work places and moves, and I've lost it. I have a friend who asked me about this recently, and I can't seem to find anything on the web, or the how-to I used (not surprised). If I remember correctly, you needed an up-to-date zlib, egd (or prng), OpenSSL, tcpwrappers, and OpenSSH.