- (djm) ssh-rand-helper improvements
- Add commandline debugging options
- Don't write binary data if stdout is a tty (use hex instead)
- Give it a manpage
diff --git a/ChangeLog b/ChangeLog
index 486e350..114f5d7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+20020414
+ - (djm) ssh-rand-helper improvements
+ - Add commandline debugging options
+ - Don't write binary data if stdout is a tty (use hex instead)
+ - Give it a manpage
+
20020413
- (djm) Add KrbV support patch from Simon Wilkinson <simon@sxw.org.uk>
@@ -8234,4 +8240,4 @@
- Wrote replacements for strlcpy and mkdtemp
- Released 1.0pre1
-$Id: ChangeLog,v 1.2051 2002/04/13 01:04:40 djm Exp $
+$Id: ChangeLog,v 1.2052 2002/04/14 09:27:12 djm Exp $
diff --git a/Makefile.in b/Makefile.in
index 4e0744c..6a69779 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.202 2002/04/13 01:04:41 djm Exp $
+# $Id: Makefile.in,v 1.203 2002/04/14 09:27:13 djm Exp $
prefix=@prefix@
exec_prefix=@exec_prefix@
@@ -56,14 +56,15 @@
SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-krb5.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o sshpty.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o auth-skey.o auth-bsdauth.o monitor_mm.o monitor.o
-MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out
-MANPAGES_IN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1
+MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out
+MANPAGES_IN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8
MANTYPE = @MANTYPE@
CONFIGFILES=sshd_config.out ssh_config.out moduli.out
CONFIGFILES_IN=sshd_config ssh_config moduli
PATHSUBS = \
+ -D/etc/ssh/ssh_prng_cmds=$(sysconfdir)/ssh_prng_cmds \
-D/etc/ssh/ssh_config=$(sysconfdir)/ssh_config \
-D/etc/ssh/ssh_known_hosts=$(sysconfdir)/ssh_known_hosts \
-D/etc/ssh/sshd_config=$(sysconfdir)/sshd_config \
@@ -216,6 +217,9 @@
$(INSTALL) -m 644 ssh-keygen.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
$(INSTALL) -m 644 ssh-keyscan.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
$(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
+ if [ ! -z "$(INSTALL_SSH_PRNG_CMDS)" ]; then \
+ $(INSTALL) -m 644 ssh-rand-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-rand-helper.8
+ fi
@NO_SFTP@$(INSTALL) -m 644 sftp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
@NO_SFTP@$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
-rm -f $(DESTDIR)$(bindir)/slogin
@@ -309,5 +313,6 @@
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
+ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-rand-helper.8
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
diff --git a/ssh-rand-helper.8 b/ssh-rand-helper.8
new file mode 100644
index 0000000..a89185c
--- /dev/null
+++ b/ssh-rand-helper.8
@@ -0,0 +1,94 @@
+.\" $Id: ssh-rand-helper.8,v 1.1 2002/04/14 09:27:13 djm Exp $
+.\"
+.\" Copyright (c) 2002 Damien Miller. All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd April 14, 2002
+.Dt SSH-RAND-HELPER 8
+.Os
+.Sh NAME
+.Nm ssh-rand-helper
+.Nd Random number gatherer for OpenSSH
+.Sh SYNOPSIS
+.Nm ssh-rand-hlper
+.Op Fl vxXh
+.Op Fl b Ar bytes
+.Sh DESCRIPTION
+.Nm
+is a small helper program used by
+.Xr ssh 1 ,
+.Xr ssh-add 1 ,
+.Xr ssh-agent 1 ,
+.Xr ssh-keygen 1 ,
+.Xr ssh-keyscan 1
+and
+.Xr sshd 8
+to gather random numbers of cryptographic quality if the
+.Xr openssl 4
+library has not been configured to provide them itself.
+.Pp
+Normally
+.Nm
+will generate a strong random seed and provide it to the calling
+program via standard output. If standard output is a tty,
+.Nm
+will instead print the seed in hexidecimal format unless told otherwise.
+.Pp
+.Nm
+will by default gather random numbers from the system commands listed
+in
+.Pa /etc/ssh/ssh_prng_cmds .
+The output of each of the commands listed will be hashed and used to
+generate a random seed for the calling program.
+.Nm
+will also store seed files in
+.Pa ~/.ssh/prng_seed
+between executions.
+.Pp
+Alternately,
+.Nm
+may be configured at build time to collect random numbers from a
+EGD/PRNGd server via a unix domain or localhost tcp socket.
+.Pp
+This program is not intended to be run by the end-user, so the few
+commandline options are for debugging purposes only.
+.Bl -tag -width Ds
+.It Fl b Ar bytes
+Specify the number of random bytes to include in the output.
+.It Fl x
+Output a hexidecimal instead of a binary seed.
+.It Fl X
+Force output of a binary seed, even if standard output is a tty
+.It Fl v
+Turn on debugging message. Multiple
+.Fl v
+options will increase the debugging level.
+.Fl h
+Display a summary of options.
+.El
+.Sh AUTHORS
+Damien Miller <djm@mindrot.org>
+.Sh SEE ALSO
+.Xr ssh 1 ,
+.Xr ssh-add 1 ,
+.Xr ssh-keygen 1 ,
+.Xr sshd 8
diff --git a/ssh-rand-helper.c b/ssh-rand-helper.c
index 07856e5..8f2283e 100644
--- a/ssh-rand-helper.c
+++ b/ssh-rand-helper.c
@@ -39,7 +39,7 @@
#include "pathnames.h"
#include "log.h"
-RCSID("$Id: ssh-rand-helper.c,v 1.5 2002/02/10 07:32:30 djm Exp $");
+RCSID("$Id: ssh-rand-helper.c,v 1.6 2002/04/14 09:27:13 djm Exp $");
/* Number of bytes we write out */
#define OUTPUT_SEED_SIZE 48
@@ -747,38 +747,88 @@
return cur_cmd < MIN_ENTROPY_SOURCES ? -1 : 0;
}
+void
+usage(void)
+{
+ fprintf(stderr, "Usage: %s [options]\n", __progname);
+ fprintf(stderr, " -v Verbose; display verbose debugging messages.\n");
+ fprintf(stderr, " Multiple -v increases verbosity.\n");
+ fprintf(stderr, " -x Force output in hexidecimal (for debugging)\n");
+ fprintf(stderr, " -X Force output in binary\n");
+ fprintf(stderr, " -b bytes Number of bytes to output (default %d)\n",
+ OUTPUT_SEED_SIZE);
+}
+
int
main(int argc, char **argv)
{
- unsigned char buf[OUTPUT_SEED_SIZE];
- int ret;
+ unsigned char *buf;
+ int ret, ch, debug_level, output_hex, bytes;
+ extern char *optarg;
+ LogLevel ll;
__progname = get_progname(argv[0]);
- /* XXX: need some debugging mode */
log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);
+ ll = SYSLOG_LEVEL_INFO;
+ debug_level = output_hex = 0;
+ bytes = OUTPUT_SEED_SIZE;
+
+ /* Don't write binary data to a tty, unless we are forced to */
+ if (isatty(STDOUT_FILENO))
+ output_hex = 1;
+
+ while ((ch = getopt(argc, argv, "vxXhb:")) != -1) {
+ switch (ch) {
+ case 'v':
+ if (debug_level < 3)
+ ll = SYSLOG_LEVEL_DEBUG1 + debug_level++;
+ break;
+ case 'x':
+ output_hex = 1;
+ break;
+ case 'X':
+ output_hex = 0;
+ break;
+ case 'b':
+ if ((bytes = atoi(optarg)) <= 0)
+ fatal("Invalid number of output bytes");
+ break;
+ case 'h':
+ usage();
+ exit(0);
+ default:
+ error("Invalid commandline option");
+ usage();
+ }
+ }
+
+ log_init(argv[0], ll, SYSLOG_FACILITY_USER, 1);
+
#ifdef USE_SEED_FILES
prng_read_seedfile();
#endif
+ buf = xmalloc(bytes);
+
/*
* Seed the RNG from wherever we can
*/
/* Take whatever is on the stack, but don't credit it */
- RAND_add(buf, sizeof(buf), 0);
+ RAND_add(buf, bytes, 0);
debug("Seeded RNG with %i bytes from system calls",
(int)stir_from_system());
#ifdef PRNGD_PORT
- if (get_random_bytes_prngd(buf, sizeof(buf), PRNGD_PORT, NULL) == -1)
+ if (get_random_bytes_prngd(buf, bytes, PRNGD_PORT, NULL) == -1)
fatal("Entropy collection failed");
- RAND_add(buf, sizeof(buf), sizeof(buf));
+ RAND_add(buf, bytes, bytes);
#elif defined(PRNGD_SOCKET)
- if (get_random_bytes_prngd(buf, sizeof(buf), 0, PRNGD_SOCKET) == -1)
+ if (get_random_bytes_prngd(buf, bytes, 0, PRNGD_SOCKET) == -1)
fatal("Entropy collection failed");
- RAND_add(buf, sizeof(buf), sizeof(buf));
+ RAND_add(buf, bytes, bytes);
#else
/* Read in collection commands */
if (prng_read_commands(SSH_PRNG_COMMAND_FILE) == -1)
@@ -798,12 +848,18 @@
if (!RAND_status())
fatal("Not enough entropy in RNG");
- RAND_bytes(buf, sizeof(buf));
+ RAND_bytes(buf, bytes);
- ret = atomicio(write, STDOUT_FILENO, buf, sizeof(buf));
+ if (output_hex) {
+ for(ret = 0; ret < bytes; ret++)
+ printf("%02x", (unsigned char)(buf[ret]));
+ printf("\n");
+ } else
+ ret = atomicio(write, STDOUT_FILENO, buf, bytes);
- memset(buf, '\0', sizeof(buf));
+ memset(buf, '\0', bytes);
+ xfree(buf);
- return ret == sizeof(buf) ? 0 : 1;
+ return ret == bytes ? 0 : 1;
}