[openssh.git] / WARNING.RNG

This document contains a description of portable OpenSSH's random
number collection code. An alternate reading of this text could
well be titled "Why I should pressure my system vendor to supply
/dev/random in their OS".

Why is this important? OpenSSH depends on good, unpredictable numbers
for generating keys, performing digital signatures and forming
cryptographic challenges. If the random numbers that it uses are
predictable, then the strength of the whole system is compromised.

A particularly pernicious problem arises with DSA keys (used by the
ssh2 protocol). Performing a DSA signature (which is required for
authentication), entails the use of a 160 bit random number.  If an
attacker can predict this number, then they can deduce your *private*
key and impersonate you.

If you are using the builtin random number support (configure will
tell you if this is the case), then read this document in its entirety
and consider disabling ssh2 support (by adding "Protocol 1" to
sshd_config and ssh_config).

Please also request that your OS vendor provides a kernel-based random
number collector (/dev/random) in future versions of your operating
systems.

On to the description...

The portable OpenSSH contains random number collection support for
systems which lack a kernel entropy pool (/dev/random).

This collector operates by executing the programs listed in
($etcdir)/ssh_prng_cmds, reading their output and adding it to the
PRNG supplied by OpenSSL (which is hash-based). It also stirs in the
output of several system calls and timings from the execution of the
programs that it runs.

The ssh_prng_cmds file also specifies a 'rate' for each program. This
represents the number of bits of randomness per byte of output from
the specified program.

The random number code will also read and save a seed file to
~/.ssh/prng_seed. This contents of this file are added to the random
number generator at startup.

This approach presents two problems:

1. It is slow.

Executing each program in the list can take a large amount of time,   
especially on slower machines. Additionally some program can take a   
disproportionate time to execute.                                     

This can be tuned by the administrator. To debug the entropy
collection is great detail, turn on full debugging ("ssh -v -v -v" or
"sshd -d -d -d"). This will list each program as it is executed, how
long it took to execute, its exit status and whether and how much data
it generated. You can the find the culprit programs which are causing
the real slow-downs.

The entropy collector will timeout programs which take too long
to execute, the actual timeout used can be adjusted with the
--with-entropy-timeout configure option. OpenSSH will not try to
re-execute programs which have not been found, have had a non-zero
exit status or have timed out more than a couple of times.

2. Estimating the real 'rate' of program outputs is non-trivial

The shear volume of the task is problematic: there are currently
around 50 commands in the ssh_prng_cmds list, portable OpenSSH
supports at least 12 different OSs. That is already 600 sets of data
to be analysed, without taking into account the numerous differences
between versions of each OS.

On top of this, the different commands can produce varying amounts of
usable data depending on how busy the machine is, how long it has been
up and various other factors.

To make matters even more complex, some of the commands are reporting
largely the same data as other commands (eg. the various "ps" calls).
Commit	Line	Data
48e7916f	1	This document contains a description of portable OpenSSH's random
	2	number collection code. An alternate reading of this text could
	3	well be titled "Why I should pressure my system vendor to supply
	4	/dev/random in their OS".
	5
	6	Why is this important? OpenSSH depends on good, unpredictable numbers
	7	for generating keys, performing digital signatures and forming
	8	cryptographic challenges. If the random numbers that it uses are
	9	predictable, then the strength of the whole system is compromised.
	10
	11	A particularly pernicious problem arises with DSA keys (used by the
	12	ssh2 protocol). Performing a DSA signature (which is required for
	13	authentication), entails the use of a 160 bit random number. If an
	14	attacker can predict this number, then they can deduce your private
	15	key and impersonate you.
	16
	17	If you are using the builtin random number support (configure will
	18	tell you if this is the case), then read this document in its entirety
	19	and consider disabling ssh2 support (by adding "Protocol 1" to
	20	sshd_config and ssh_config).
	21
	22	Please also request that your OS vendor provides a kernel-based random
	23	number collector (/dev/random) in future versions of your operating
	24	systems.
	25
	26	On to the description...
	27
	28	The portable OpenSSH contains random number collection support for
	29	systems which lack a kernel entropy pool (/dev/random).
	30
	31	This collector operates by executing the programs listed in
	32	($etcdir)/ssh_prng_cmds, reading their output and adding it to the
	33	PRNG supplied by OpenSSL (which is hash-based). It also stirs in the
	34	output of several system calls and timings from the execution of the
	35	programs that it runs.
	36
	37	The ssh_prng_cmds file also specifies a 'rate' for each program. This
	38	represents the number of bits of randomness per byte of output from
	39	the specified program.
	40
	41	The random number code will also read and save a seed file to
	42	~/.ssh/prng_seed. This contents of this file are added to the random
	43	number generator at startup.
	44
	45	This approach presents two problems:
	46
	47	1. It is slow.
	48
	49	Executing each program in the list can take a large amount of time,
	50	especially on slower machines. Additionally some program can take a
	51	disproportionate time to execute.
	52
	53	This can be tuned by the administrator. To debug the entropy
	54	collection is great detail, turn on full debugging ("ssh -v -v -v" or
	55	"sshd -d -d -d"). This will list each program as it is executed, how
	56	long it took to execute, its exit status and whether and how much data
	57	it generated. You can the find the culprit programs which are causing
	58	the real slow-downs.
	59
	60	The entropy collector will timeout programs which take too long
	61	to execute, the actual timeout used can be adjusted with the
	62	--with-entropy-timeout configure option. OpenSSH will not try to
	63	re-execute programs which have not been found, have had a non-zero
	64	exit status or have timed out more than a couple of times.
65
66	2. Estimating the real 'rate' of program outputs is non-trivial
67
68	The shear volume of the task is problematic: there are currently
69	around 50 commands in the ssh_prng_cmds list, portable OpenSSH
70	supports at least 12 different OSs. That is already 600 sets of data
71	to be analysed, without taking into account the numerous differences
72	between versions of each OS.
73
74	On top of this, the different commands can produce varying amounts of
75	usable data depending on how busy the machine is, how long it has been
76	up and various other factors.
77
78	To make matters even more complex, some of the commands are reporting
79	largely the same data as other commands (eg. the various "ps" calls).
80