This document contains a description of portable OpenSSH's random
number collection code. An alternate reading of this text could
well be titled "Why I should pressure my system vendor to supply
/dev/random in their OS".

Why is this important? OpenSSH depends on good, unpredictable numbers
for generating keys, performing digital signatures and forming
cryptographic challenges. If the random numbers that it uses are
predictable, then the strength of the whole system is compromised.

A particularly pernicious problem arises with DSA keys (used by the
ssh2 protocol). Performing a DSA signature (which is required for
authentication) entails the use of a 160 bit random number. If an
attacker can predict this number, then they can deduce your *private*
key and impersonate you or your hosts.

If you are using the builtin random number support (configure will
tell you if this is the case), then read this document in its entirety.
Alternately, you can use Lutz Jaenicke's PRNGd - a small daemon which
collects random numbers and makes them available by a socket.

Please also request that your OS vendor provides a kernel-based random
number collector (/dev/random) in future versions of your operating
systems by default.

On to the description...

The portable OpenSSH contains random number collection support for
systems which lack a kernel entropy pool (/dev/random).

This collector (as of 3.1 and beyond) comes as an external application
that allows the local admin to decide on how to implement entropy
collection.

The default entropy collector operates by executing the programs listed
in ($etcdir)/ssh_prng_cmds, reading their output and adding it to the
PRNG supplied by OpenSSL (which is hash-based). It also stirs in the
output of several system calls and timings from the execution of the
programs that it runs.

The ssh_prng_cmds file also specifies a 'rate' for each program. This
represents the number of bits of randomness per byte of output from
the specified program.

The random number code will also read and save a seed file to
~/.ssh/prng_seed. The contents of this file are added to the random
number generator at startup. The goal here is to maintain as much
randomness between sessions as possible.

The default entropy collection code has two main problems:

1. It is slow.

Executing each program in the list can take a large amount of time,
especially on slower machines. Additionally, some programs can take a
disproportionate time to execute.

Tuning the default entropy collection code is difficult at this point.
It requires doing 'time ./ssh-rand-helper' and modifying the
($etcdir)/ssh_prng_cmds until you have found the issue. In the next
release we will be looking at supporting '-v' for verbose output to
allow easier debugging.

The default entropy collector will time out programs which take too long
to execute; the actual timeout used can be adjusted with the
--with-entropy-timeout configure option. OpenSSH will not try to
re-execute programs which have not been found, have had a non-zero
exit status or have timed out more than a couple of times.
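As an added illustration (not code from OpenSSH or ssh-rand-helper), the following Python model shows the collector loop described above: it parses an ssh_prng_cmds-style list, runs each program under a timeout, stirs the output and the execution timing into a hash-based pool, credits bits according to each program's 'rate', and skips programs that are missing, exit non-zero or time out. The three-column layout of the sample file (quoted command, binary path, rate) and the sample entries themselves are constructed assumptions.

```python
import hashlib
import shlex
import subprocess
import time

# Constructed sample in the style of ssh_prng_cmds: quoted command line, path
# of the binary, 'rate' in bits per output byte. The layout is an assumption.
SAMPLE_PRNG_CMDS = """
# blank lines and comments are ignored
"ls -alni /"        /bin/ls          0.02
"sleep 5"           /bin/sleep       0.00
"ls /no/such/dir"   /bin/ls          0.02
"true"              /no/such/binary  0.50
"""

def parse_prng_cmds(text):
    """Return a list of (argv, rate) tuples; argv[0] is the listed path."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        cmd, path, rate = shlex.split(line)
        entries.append(([path] + shlex.split(cmd)[1:], float(rate)))
    return entries

def collect(entries, timeout=1.0, max_bytes=4096):
    """Run each program; return (pool digest, credited bits, skipped list)."""
    pool = hashlib.sha256()          # stand-in for OpenSSL's hash-based PRNG
    credited_bits = 0.0
    skipped = []
    for argv, rate in entries:
        start = time.perf_counter()
        try:
            res = subprocess.run(argv, capture_output=True, timeout=timeout)
        except subprocess.TimeoutExpired:
            skipped.append((argv[0], "timeout"))      # killed, not credited
            continue
        except OSError:
            skipped.append((argv[0], "not found"))
            continue
        elapsed = time.perf_counter() - start
        if res.returncode != 0:
            skipped.append((argv[0], f"exit {res.returncode}"))
            continue
        out = res.stdout[:max_bytes]
        pool.update(out)
        pool.update(elapsed.hex().encode())   # stir in execution timing too
        credited_bits += len(out) * rate      # rate 0.0: stirred, no credit
    return pool.digest(), credited_bits, skipped
```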

2. Estimating the real 'rate' of program outputs is non-trivial.

The sheer volume of the task is problematic: there are currently
around 50 commands in the ssh_prng_cmds list, and portable OpenSSH
supports at least 12 different OSs. That is already 600 sets of data
to be analysed, without taking into account the numerous differences
between versions of each OS.

On top of this, the different commands can produce varying amounts of
usable data depending on how busy the machine is, how long it has been
up and various other factors.

To make matters even more complex, some of the commands report
largely the same data as other commands (eg. the various "ps" calls).


How to avoid the default entropy code?

The best way is to read the OpenSSL documentation and recompile OpenSSL
to use prngd or egd. Some platforms (like early Solaris) have 3rd
party /dev/random devices that can also be used for this task.

If you are forced to use ssh-rand-helper, consider still downloading
prngd/egd and configuring OpenSSH using --with-prngd-port=xx or
--with-prngd-socket=xx (refer to INSTALL for more information).

$Id: WARNING.RNG,v 1.1.1.2 2003-02-05 19:02:41 zacheiss Exp $