similar to: Entropy and DSA key

I remember a discussion to the effect that using DSA keys in sshd increases the requirement for random bits available on the system... and that this requirement (was it a 128 bit random number per connection?) presents security problems on systems that don't have a decent source of entropy? Am I misinterpreting those discussions? We are having a problem deploying sshd (no prngd) where sshd

On Thu, 27 Sep 2001 20:41:05 EDT, Damien Miller writes: > On Thu, 27 Sep 2001, Dan Astoorian wrote: > > > > > It would (IMHO) be useful if there were a way to optionally configure > > that code to fall back to the internal entropy gathering routines in the > > event that EGD was not available; as it is, the routines simply fail if > > EGD is unavailable at the

Hello! I am running openSSH 2.9x on an IRIX 6.5.x platform. This was recently installed using SGI-supplied "freeware" binaries. I find that as time goes on, it takes more attempts to establish an ssh connection from the IRIX platform to another machine, as it fails with "not enough entropy in PRNG." I posted a note asking for assistance, and received a reply suggesting I

Now that ssh-rand-helper has been segregated into a separate program, I'd like to revisit an old question about its entropy gathering. - would it be desirable to make it possible for ssh-rand-helper to fall back to external commands if PRNGD cannot be reached, instead of choosing one or the other at compile time? - When using PRNGD, the program gets 48 bytes of entropy from PRNGD,

I have a need to have the same OpenSSH binaries run on multiple machines which are administered by different people. That means on Solaris, for example, there will be some with /dev/random, some on which I can run prngd because they'll be installing my binaries as root, and some which will have neither because they will be only installed as non-root. Below is a patch to enable choosing all 3

I have a need to provide ssh client binaries for use elsewhere on several platforms, some without /dev/random support. I can't assume that users will know how to install/run prngd or egd, so I was planning to rely on the builtin prng code. However this require the ssh_prng_cmds file to exist in a fixed location -- which would mean making binaries which either look for it in . or other

Hi, I'm running openssh 2.1.1p4 on Solaris 7 (sparc). Occationally, when I boot up the server, the startup script I wrote to start sshd fails to start sshd with the following error: fatal: Not enough entropy in RNG What am I doing wrong?? Is there anything I can do to prevent this from happening? Is just restarting sshd a valid thing to do?? Thanks for any thoughts, David

[NOTE: I'm new to this list and this is my first approach to OpenSSH code.] I've enhanced "--with-prngd-port=PORT" flag to accept an optional hostname as in "myhost:myport", e.g.: % ./configure --with-prngd-port=example.com:12345 Although I'm certain that this may cause big trouble if remote gatherer isn't online (ssh will refuse to open any connection) I

Hi there, I have all my additional software mounted from one central place. Therefore I'm trying to limit all unnecessary local files. Local config files are ok... e.g. keys, ssh_config etc, but why needs ssh_prng_cmds to be in /etc? So why not put it into $bindir? There are no problems doing this with a few manual fixes. So are there any security concerns? Is it possible to make this a

This question is primarily for Damien, but if anybody else knows the answer please chime in. Why is it that on systems with no /dev/random or PRNGD or EGD (and I have a lot of Solaris systems in this situation because I don't have root access on them) that the OpenSSH 'ssh' command has to run through all those ssh_prng_cmds every time it starts up? Why doesn't ~/.ssh/prng_seed

Hi. I recently snookered myself: I build OpenSSH on an old box that didn't have /dev/random, but happened to be running prngd at the time for other reasons. Because I wanted to use commands, I configured --with-rand-helper, however configure found the prngd socket and built ssh-rand-helper to use it exclusively. Next reboot: no prngd, no random seed, no sshd. Do not log in, do not

Over the holidays, I intend to finally rid portable OpenSSH of the builtin entropy collection code. Here's what I intend to do: When init_rng is called, we'll check OpenSSL's RAND_status(). If this indicates that their PRNG is already seeded, we'll do nothing. This effectively detects platforms which have /dev/urandom (or similar) configured into OpenSSL. If OpenSSL isn't

http://bugzilla.mindrot.org/show_bug.cgi?id=400 Summary: ssh-keygen hangs Product: Portable OpenSSH Version: -current Platform: All URL: http://www.mgi-networks.com/ OS/Version: AIX Status: NEW Severity: normal Priority: P2 Component: ssh-keygen AssignedTo: openssh-unix-dev at

Hello, I'm attempting to port OpenSSH to IBM's S/390 mainframe. Things have gone well but I have come a little unstuck with the internal PRNG. Although the commands in ssh_prng_cmds are being executed the select() seems to be returning 0 and therefore the cose is assuming that the forked process has timed out. This could be a difference in the way that select is implemented on OS/390.

http://bugzilla.mindrot.org/show_bug.cgi?id=435 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|internal entropy gatherer |internal entropy gatherer ------- Additional Comments From dtucker at zip.com.au 2002-11-15 00:21 ------- Which platform did you

Heya, I have compiled and installed OpenSSH on a Solaris/Sparc machine and whenever I try to start any of the ssh programs I get "fatal: PRNG initialisation failed -- exiting" Now, I have looked through the mailing lists and have seen some mention that this indicates it can't open the ssh_prng_cmds file, which entropy.c also seems to indicate the problem is. However, this snippet

Hello, I apologize if this is the wrong list. It was the list I was directed towards. I have reviewed the archives as well as everything I could google before posting. Any help is most appreciated: We're seeing an error during sftp and ssh connections with consistent regularity. It's triggered by a high number of connections coming into sftp/ssh at the same time. It affects

This one-line patch prevents OpenSSH from depleting entropy unnecessarily from /dev/urandom when the OpenSSL library acquires its own entropy. Without this patch OpenSSH opens /dev/urandom and reads 32 bytes, and then OpenSSL opens it again and reads an additional 20. -- Dan Astoorian People shouldn't think that it's better to have Sysadmin, CSLab loved and

On Thu, 15 Nov 2001, Dan Astoorian wrote: > Date: Thu, 15 Nov 2001 16:09:20 -0500 > From: Dan Astoorian <djast at cs.toronto.edu> > To: Ed Phillips <ed at UDel.Edu> > Subject: Re: X11 cookies and forwarding > > On Thu, 15 Nov 2001 15:46:22 EST, Ed Phillips writes: > > I'm guess I wasn't following the whole cookies discussion completely > >

Hi! I have just made the 0.9.0 release of PRNGD available. PRNGD is the Pseudo Random Number Generator Daemon. It has an EGD compatible interface and is designed to provide entropy on systems not having /dev/*random devices. Software supporting EGD style entropy requests are openssh, Apache/mod_ssl, Postfix/TLS... Automatic querying of EGD sockets at fixed locations has been introduced in the