]>
Commit | Line | Data |
---|---|---|
48e7916f | 1 | This document contains a description of portable OpenSSH's random |
2 | number collection code. An alternate reading of this text could | |
3 | well be titled "Why I should pressure my system vendor to supply | |
4 | /dev/random in their OS". | |
5 | ||
6 | Why is this important? OpenSSH depends on good, unpredictable numbers | |
7 | for generating keys, performing digital signatures and forming | |
8 | cryptographic challenges. If the random numbers that it uses are | |
9 | predictable, then the strength of the whole system is compromised. | |
10 | ||
11 | A particularly pernicious problem arises with DSA keys (used by the | |
12 | ssh2 protocol). Performing a DSA signature (which is required for | |
13 | authentication), entails the use of a 160 bit random number. If an | |
14 | attacker can predict this number, then they can deduce your *private* | |
3bdc2353 | 15 | key and impersonate you or your hosts. |
48e7916f | 16 | |
17 | If you are using the builtin random number support (configure will | |
3bdc2353 | 18 | tell you if this is the case), then read this document in its entirety. |
e1dd3a7a | 19 | Alternately, you can use Lutz Jaenicke's PRNGd - a small daemon which |
20 | collects random numbers and makes them available by a socket. | |
48e7916f | 21 | |
22 | Please also request that your OS vendor provides a kernel-based random | |
23 | number collector (/dev/random) in future versions of your operating | |
3bdc2353 | 24 | systems by default. |
48e7916f | 25 | |
26 | On to the description... | |
27 | ||
28 | The portable OpenSSH contains random number collection support for | |
29 | systems which lack a kernel entropy pool (/dev/random). | |
30 | ||
cbe5b851 | 31 | This collector (as of 3.1 and beyond) comes as an external application |
32 | that allows the local admin to decide on how to implement entropy | |
33 | collection. | |
34 | ||
35 | The default entropy collector operates by executing the programs listed | |
36 | in ($etcdir)/ssh_prng_cmds, reading their output and adding it to the | |
48e7916f | 37 | PRNG supplied by OpenSSL (which is hash-based). It also stirs in the |
38 | output of several system calls and timings from the execution of the | |
39 | programs that it runs. | |
40 | ||
41 | The ssh_prng_cmds file also specifies a 'rate' for each program. This | |
42 | represents the number of bits of randomness per byte of output from | |
43 | the specified program. | |
44 | ||
45 | The random number code will also read and save a seed file to | |
46 | ~/.ssh/prng_seed. This contents of this file are added to the random | |
aff51935 | 47 | number generator at startup. The goal here is to maintain as much |
3bdc2353 | 48 | randomness between sessions as possible. |
48e7916f | 49 | |
cbe5b851 | 50 | The default entropy collection code has two main problems: |
48e7916f | 51 | |
52 | 1. It is slow. | |
53 | ||
aff51935 | 54 | Executing each program in the list can take a large amount of time, |
55 | especially on slower machines. Additionally some program can take a | |
56 | disproportionate time to execute. | |
48e7916f | 57 | |
23a1441b | 58 | Tuning the random helper can be done by running ./ssh-random-helper in |
59 | very verbose mode ("-vvv") and identifying the commands that are taking | |
16a8d31c | 60 | excessive amounts of time or hanging altogher. Any problem commands can |
23a1441b | 61 | be modified or removed from ssh_prng_cmds. |
48e7916f | 62 | |
cbe5b851 | 63 | The default entropy collector will timeout programs which take too long |
48e7916f | 64 | to execute, the actual timeout used can be adjusted with the |
65 | --with-entropy-timeout configure option. OpenSSH will not try to | |
66 | re-execute programs which have not been found, have had a non-zero | |
67 | exit status or have timed out more than a couple of times. | |
68 | ||
69 | 2. Estimating the real 'rate' of program outputs is non-trivial | |
70 | ||
71 | The shear volume of the task is problematic: there are currently | |
72 | around 50 commands in the ssh_prng_cmds list, portable OpenSSH | |
73 | supports at least 12 different OSs. That is already 600 sets of data | |
74 | to be analysed, without taking into account the numerous differences | |
75 | between versions of each OS. | |
76 | ||
77 | On top of this, the different commands can produce varying amounts of | |
78 | usable data depending on how busy the machine is, how long it has been | |
79 | up and various other factors. | |
80 | ||
81 | To make matters even more complex, some of the commands are reporting | |
82 | largely the same data as other commands (eg. the various "ps" calls). | |
83 | ||
0b202697 | 84 | |
cbe5b851 | 85 | How to avoid the default entropy code? |
86 | ||
87 | The best way is to read the OpenSSL documentation and recompile OpenSSL | |
88 | to use prngd or egd. Some platforms (like earily solaris) have 3rd | |
89 | party /dev/random devices that can be also used for this task. | |
90 | ||
91 | If you are forced to use ssh-rand-helper consider still downloading | |
92 | prngd/egd and configure OpenSSH using --with-prngd-port=xx or | |
93 | --with-prngd-socket=xx (refer to INSTALL for more information). | |
94 | ||
95 | $Id$ |