X-Git-Url: http://andersk.mit.edu/gitweb/gssapi-openssh.git/blobdiff_plain/cdd66111973295c976f1a0bb57f571eba0513757..39e70dec76acc4f638f7a209dcd8b4d40feba8f0:/openssh/WARNING.RNG diff --git a/openssh/WARNING.RNG b/openssh/WARNING.RNG index 71e2390..1b9137e 100644 --- a/openssh/WARNING.RNG +++ b/openssh/WARNING.RNG @@ -28,12 +28,8 @@ On to the description... The portable OpenSSH contains random number collection support for systems which lack a kernel entropy pool (/dev/random). -This collector (as of 3.1 and beyond) comes as an external application -that allows the local admin to decide on how to implement entropy -collection. - -The default entropy collector operates by executing the programs listed -in ($etcdir)/ssh_prng_cmds, reading their output and adding it to the +This collector operates by executing the programs listed in +($etcdir)/ssh_prng_cmds, reading their output and adding it to the PRNG supplied by OpenSSL (which is hash-based). It also stirs in the output of several system calls and timings from the execution of the programs that it runs. 
@@ -44,24 +40,25 @@ the specified program. The random number code will also read and save a seed file to ~/.ssh/prng_seed. This contents of this file are added to the random -number generator at startup. The goal here is to maintain as much +number generator at startup. The goal here is to maintain as much randomness between sessions as possible. -The default entropy collection code has two main problems: +The entropy collection code has two main problems: 1. It is slow. -Executing each program in the list can take a large amount of time, -especially on slower machines. Additionally some program can take a -disproportionate time to execute. +Executing each program in the list can take a large amount of time, +especially on slower machines. Additionally some program can take a +disproportionate time to execute. -Tuning the default entropy collection code is difficult at this point. -It requires doing 'times ./ssh-rand-helper' and modifying the -($etcdir)/ssh_prng_cmds until you have found the issue. In the next -release we will be looking at support '-v' for verbose output to allow -easier debugging. +This can be tuned by the administrator. To debug the entropy +collection is great detail, turn on full debugging ("ssh -v -v -v" or +"sshd -d -d -d"). This will list each program as it is executed, how +long it took to execute, its exit status and whether and how much data +it generated. You can the find the culprit programs which are causing +the real slow-downs. -The default entropy collector will timeout programs which take too long +The entropy collector will timeout programs which take too long to execute, the actual timeout used can be adjusted with the --with-entropy-timeout configure option. OpenSSH will not try to re-execute programs which have not been found, have had a non-zero 
@@ -82,15 +79,5 @@ up and various other factors. To make matters even more complex, some of the commands are reporting largely the same data as other commands (eg. the various "ps" calls). - -How to avoid the default entropy code? - -The best way is to read the OpenSSL documentation and recompile OpenSSL -to use prngd or egd. Some platforms (like earily solaris) have 3rd -party /dev/random devices that can be also used for this task. - -If you are forced to use ssh-rand-helper consider still downloading -prngd/egd and configure OpenSSH using --with-prngd-port=xx or ---with-prngd-socket=xx (refer to INSTALL for more information). - $Id$ +
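Review bot: the replacement sentence in the first hunk drops the statement that the collector is an external application the local admin can swap out, without saying what it is instead. Since the second hunk has "ssh -v -v -v" / "sshd -d -d -d" listing each program as it is executed, the collector now appears to run inside ssh and sshd themselves; say that explicitly, e.g. "This collector runs inside ssh and sshd and operates by executing the programs listed in ($etcdir)/ssh_prng_cmds, ...", because an administrator editing ssh_prng_cmds needs to know which process executes those commands and when.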
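Review bot: two typos in the added debugging paragraph of the second hunk: "To debug the entropy collection is great detail" should read "in great detail", and "You can the find the culprit programs" should read "You can then find the culprit programs". Also, the three re-added "Executing each program in the list ..." lines differ from the removed ones only in trailing whitespace, which adds noise to the diff; drop those lines from the change unless the whitespace cleanup is intended.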
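Review bot: removing the "How to avoid the default entropy code?" section in the third hunk leaves the reader with no alternative to the ssh_prng_cmds collector, even though the text still states that it "has two main problems". If the --with-prngd-port / --with-prngd-socket configure options and the INSTALL reference still exist, keep at least a one-line pointer to them; if they were removed, the commit message should say so. Separately, the final "+" line adds an empty line after "$Id$", which looks unintended and should be dropped.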