1 This document contains a description of portable OpenSSH's random 2 number collection code. An alternate reading of this text could 3 well be titled "Why I should pressure my system vendor to supply 4 /dev/random in their OS". 5 6 Why is this important? OpenSSH depends on good, unpredictable numbers 7 for generating keys, performing digital signatures and forming 8 cryptographic challenges. If the random numbers that it uses are 9 predictable, then the strength of the whole system is compromised. 10 11 A particularly pernicious problem arises with DSA keys (used by the 12 ssh2 protocol). Performing a DSA signature (which is required for 13 authentication), entails the use of a 160 bit random number. If an 14 attacker can predict this number, then they can deduce your *private* 15 key and impersonate you or your hosts. 16 17 If you are using the builtin random number support (configure will 18 tell you if this is the case), then read this document in its entirety. 19 20 Please also request that your OS vendor provides a kernel-based random 21 number collector (/dev/random) in future versions of your operating 22 systems by default. 23 24 On to the description... 25 26 The portable OpenSSH contains random number collection support for 27 systems which lack a kernel entropy pool (/dev/random). 28 29 This collector operates by executing the programs listed in 30 ($etcdir)/ssh_prng_cmds, reading their output and adding it to the 31 PRNG supplied by OpenSSL (which is hash-based). It also stirs in the 32 output of several system calls and timings from the execution of the 33 programs that it runs. 34 35 The ssh_prng_cmds file also specifies a 'rate' for each program. This 36 represents the number of bits of randomness per byte of output from 37 the specified program. 38 39 The random number code will also read and save a seed file to 40 ~/.ssh/prng_seed. This contents of this file are added to the random 41 number generator at startup. The goal here is to maintain as much 42 randomness between sessions as possible. 43 44 The entropy collection code has two main problems: 45 46 1. It is slow. 47 48 Executing each program in the list can take a large amount of time, 49 especially on slower machines. Additionally some program can take a 50 disproportionate time to execute. 51 52 This can be tuned by the administrator. To debug the entropy 53 collection is great detail, turn on full debugging ("ssh -v -v -v" or 54 "sshd -d -d -d"). This will list each program as it is executed, how 55 long it took to execute, its exit status and whether and how much data 56 it generated. You can the find the culprit programs which are causing 57 the real slow-downs. 58 59 The entropy collector will timeout programs which take too long 60 to execute, the actual timeout used can be adjusted with the 61 --with-entropy-timeout configure option. OpenSSH will not try to 62 re-execute programs which have not been found, have had a non-zero 63 exit status or have timed out more than a couple of times. 64 65 2. Estimating the real 'rate' of program outputs is non-trivial 66 67 The shear volume of the task is problematic: there are currently 68 around 50 commands in the ssh_prng_cmds list, portable OpenSSH 69 supports at least 12 different OSs. That is already 600 sets of data 70 to be analysed, without taking into account the numerous differences 71 between versions of each OS. 72 73 On top of this, the different commands can produce varying amounts of 74 usable data depending on how busy the machine is, how long it has been 75 up and various other factors. 76 77 To make matters even more complex, some of the commands are reporting 78 largely the same data as other commands (eg. the various "ps" calls). 79 80
Terms of Use |
Privacy |
Trademarks |
Copyright Policy |
Site Guidelines |
Help
Your use of this web site or any of its content or software indicates your agreement to be bound by these Terms of Use.
Copyright © 1995-2008 Sun Microsystems, Inc.