Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / openssh / a8e06cef35c205e1aa562513c6d034a10c8c9a6d / . / WARNING.RNG
blob: 5d4ea87530e348aec7b0047c6210fa713744fdd8 [file] [log] [blame]
Damien Miller6f9c3372000-10-25 10:06:04 +1100[diff] [blame]1This document contains a description of portable OpenSSH's random
2number collection code. An alternate reading of this text could
3well be titled "Why I should pressure my system vendor to supply
4/dev/random in their OS".
5
6Why is this important? OpenSSH depends on good, unpredictable numbers
7for generating keys, performing digital signatures and forming
8cryptographic challenges. If the random numbers that it uses are
9predictable, then the strength of the whole system is compromised.
10
11A particularly pernicious problem arises with DSA keys (used by the
12ssh2 protocol). Performing a DSA signature (which is required for
13authentication), entails the use of a 160 bit random number. If an
14attacker can predict this number, then they can deduce your *private*
Damien Millerdf1b6452000-10-25 14:47:35 +1100[diff] [blame]15key and impersonate you or your hosts.
Damien Miller6f9c3372000-10-25 10:06:04 +1100[diff] [blame]16
17If you are using the builtin random number support (configure will
Damien Millerdf1b6452000-10-25 14:47:35 +1100[diff] [blame]18tell you if this is the case), then read this document in its entirety.
Damien Miller0736c4d2001-01-25 10:51:46 +1100[diff] [blame]19Alternately, you can use Lutz Jaenicke's PRNGd - a small daemon which
20collects random numbers and makes them available by a socket.
Damien Miller6f9c3372000-10-25 10:06:04 +1100[diff] [blame]21
22Please also request that your OS vendor provides a kernel-based random
23number collector (/dev/random) in future versions of your operating
Damien Millerdf1b6452000-10-25 14:47:35 +1100[diff] [blame]24systems by default.
Damien Miller6f9c3372000-10-25 10:06:04 +1100[diff] [blame]25
26On to the description...
27
28The portable OpenSSH contains random number collection support for
29systems which lack a kernel entropy pool (/dev/random).
30
Damien Miller49411ff2002-04-14 23:16:04 +1000[diff] [blame]31This collector (as of 3.1 and beyond) comes as an external application
32that allows the local admin to decide on how to implement entropy
33collection.
34
35The default entropy collector operates by executing the programs listed
36in ($etcdir)/ssh_prng_cmds, reading their output and adding it to the
Damien Miller6f9c3372000-10-25 10:06:04 +1100[diff] [blame]37PRNG supplied by OpenSSL (which is hash-based). It also stirs in the
38output of several system calls and timings from the execution of the
39programs that it runs.
40
41The ssh_prng_cmds file also specifies a 'rate' for each program. This
42represents the number of bits of randomness per byte of output from
43the specified program.
44
45The random number code will also read and save a seed file to
46~/.ssh/prng_seed. This contents of this file are added to the random
Damien Millera8e06ce2003-11-21 23:48:55 +1100[diff] [blame^]47number generator at startup. The goal here is to maintain as much
Damien Millerdf1b6452000-10-25 14:47:35 +1100[diff] [blame]48randomness between sessions as possible.
Damien Miller6f9c3372000-10-25 10:06:04 +1100[diff] [blame]49
Damien Miller49411ff2002-04-14 23:16:04 +1000[diff] [blame]50The default entropy collection code has two main problems:
Damien Miller6f9c3372000-10-25 10:06:04 +1100[diff] [blame]51
521. It is slow.
53
Damien Millera8e06ce2003-11-21 23:48:55 +1100[diff] [blame^]54Executing each program in the list can take a large amount of time,
55especially on slower machines. Additionally some program can take a
56disproportionate time to execute.
Damien Miller6f9c3372000-10-25 10:06:04 +1100[diff] [blame]57
Damien Miller49411ff2002-04-14 23:16:04 +1000[diff] [blame]58Tuning the default entropy collection code is difficult at this point.
59It requires doing 'times ./ssh-rand-helper' and modifying the
60($etcdir)/ssh_prng_cmds until you have found the issue. In the next
61release we will be looking at support '-v' for verbose output to allow
62easier debugging.
Damien Miller6f9c3372000-10-25 10:06:04 +1100[diff] [blame]63
Damien Miller49411ff2002-04-14 23:16:04 +1000[diff] [blame]64The default entropy collector will timeout programs which take too long
Damien Miller6f9c3372000-10-25 10:06:04 +1100[diff] [blame]65to execute, the actual timeout used can be adjusted with the
66--with-entropy-timeout configure option. OpenSSH will not try to
67re-execute programs which have not been found, have had a non-zero
68exit status or have timed out more than a couple of times.
69
702. Estimating the real 'rate' of program outputs is non-trivial
71
72The shear volume of the task is problematic: there are currently
73around 50 commands in the ssh_prng_cmds list, portable OpenSSH
74supports at least 12 different OSs. That is already 600 sets of data
75to be analysed, without taking into account the numerous differences
76between versions of each OS.
77
78On top of this, the different commands can produce varying amounts of
79usable data depending on how busy the machine is, how long it has been
80up and various other factors.
81
82To make matters even more complex, some of the commands are reporting
83largely the same data as other commands (eg. the various "ps" calls).
84
Damien Millere9cf3572001-02-09 12:55:35 +1100[diff] [blame]85
Damien Miller49411ff2002-04-14 23:16:04 +1000[diff] [blame]86How to avoid the default entropy code?
87
88The best way is to read the OpenSSL documentation and recompile OpenSSL
89to use prngd or egd. Some platforms (like earily solaris) have 3rd
90party /dev/random devices that can be also used for this task.
91
92If you are forced to use ssh-rand-helper consider still downloading
93prngd/egd and configure OpenSSH using --with-prngd-port=xx or
94--with-prngd-socket=xx (refer to INSTALL for more information).
95
Damien Millera8e06ce2003-11-21 23:48:55 +1100[diff] [blame^]96$Id: WARNING.RNG,v 1.6 2003/11/21 12:48:55 djm Exp $