Damien Miller | 6f9c337 | 2000-10-25 10:06:04 +1100 | [diff] [blame] | 1 | This document contains a description of portable OpenSSH's random |
| 2 | number collection code. An alternate reading of this text could |
| 3 | well be titled "Why I should pressure my system vendor to supply |
| 4 | /dev/random in their OS". |
| 5 | |
| 6 | Why is this important? OpenSSH depends on good, unpredictable numbers |
| 7 | for generating keys, performing digital signatures and forming |
| 8 | cryptographic challenges. If the random numbers that it uses are |
| 9 | predictable, then the strength of the whole system is compromised. |
| 10 | |
| 11 | A particularly pernicious problem arises with DSA keys (used by the |
| 12 | ssh2 protocol). Performing a DSA signature (which is required for |
| 13 | authentication), entails the use of a 160 bit random number. If an |
| 14 | attacker can predict this number, then they can deduce your *private* |
Damien Miller | df1b645 | 2000-10-25 14:47:35 +1100 | [diff] [blame] | 15 | key and impersonate you or your hosts. |
Damien Miller | 6f9c337 | 2000-10-25 10:06:04 +1100 | [diff] [blame] | 16 | |
| 17 | If you are using the builtin random number support (configure will |
Damien Miller | df1b645 | 2000-10-25 14:47:35 +1100 | [diff] [blame] | 18 | tell you if this is the case), then read this document in its entirety. |
Damien Miller | 0736c4d | 2001-01-25 10:51:46 +1100 | [diff] [blame] | 19 | Alternately, you can use Lutz Jaenicke's PRNGd - a small daemon which |
| 20 | collects random numbers and makes them available by a socket. |
Damien Miller | 6f9c337 | 2000-10-25 10:06:04 +1100 | [diff] [blame] | 21 | |
| 22 | Please also request that your OS vendor provides a kernel-based random |
| 23 | number collector (/dev/random) in future versions of your operating |
Damien Miller | df1b645 | 2000-10-25 14:47:35 +1100 | [diff] [blame] | 24 | systems by default. |
Damien Miller | 6f9c337 | 2000-10-25 10:06:04 +1100 | [diff] [blame] | 25 | |
| 26 | On to the description... |
| 27 | |
| 28 | The portable OpenSSH contains random number collection support for |
| 29 | systems which lack a kernel entropy pool (/dev/random). |
| 30 | |
Damien Miller | 49411ff | 2002-04-14 23:16:04 +1000 | [diff] [blame] | 31 | This collector (as of 3.1 and beyond) comes as an external application |
| 32 | that allows the local admin to decide on how to implement entropy |
| 33 | collection. |
| 34 | |
| 35 | The default entropy collector operates by executing the programs listed |
| 36 | in ($etcdir)/ssh_prng_cmds, reading their output and adding it to the |
Damien Miller | 6f9c337 | 2000-10-25 10:06:04 +1100 | [diff] [blame] | 37 | PRNG supplied by OpenSSL (which is hash-based). It also stirs in the |
| 38 | output of several system calls and timings from the execution of the |
| 39 | programs that it runs. |
| 40 | |
| 41 | The ssh_prng_cmds file also specifies a 'rate' for each program. This |
| 42 | represents the number of bits of randomness per byte of output from |
| 43 | the specified program. |
| 44 | |
| 45 | The random number code will also read and save a seed file to |
| 46 | ~/.ssh/prng_seed. This contents of this file are added to the random |
Damien Miller | a8e06ce | 2003-11-21 23:48:55 +1100 | [diff] [blame] | 47 | number generator at startup. The goal here is to maintain as much |
Damien Miller | df1b645 | 2000-10-25 14:47:35 +1100 | [diff] [blame] | 48 | randomness between sessions as possible. |
Damien Miller | 6f9c337 | 2000-10-25 10:06:04 +1100 | [diff] [blame] | 49 | |
Damien Miller | 49411ff | 2002-04-14 23:16:04 +1000 | [diff] [blame] | 50 | The default entropy collection code has two main problems: |
Damien Miller | 6f9c337 | 2000-10-25 10:06:04 +1100 | [diff] [blame] | 51 | |
| 52 | 1. It is slow. |
| 53 | |
Damien Miller | a8e06ce | 2003-11-21 23:48:55 +1100 | [diff] [blame] | 54 | Executing each program in the list can take a large amount of time, |
| 55 | especially on slower machines. Additionally some program can take a |
| 56 | disproportionate time to execute. |
Damien Miller | 6f9c337 | 2000-10-25 10:06:04 +1100 | [diff] [blame] | 57 | |
Darren Tucker | ba2abb3 | 2004-12-06 22:40:10 +1100 | [diff] [blame] | 58 | Tuning the random helper can be done by running ./ssh-random-helper in |
| 59 | very verbose mode ("-vvv") and identifying the commands that are taking |
| 60 | accessive amounts of time or hanging altogher. Any problem commands can |
| 61 | be modified or removed from ssh_prng_cmds. |
Damien Miller | 6f9c337 | 2000-10-25 10:06:04 +1100 | [diff] [blame] | 62 | |
Damien Miller | 49411ff | 2002-04-14 23:16:04 +1000 | [diff] [blame] | 63 | The default entropy collector will timeout programs which take too long |
Damien Miller | 6f9c337 | 2000-10-25 10:06:04 +1100 | [diff] [blame] | 64 | to execute, the actual timeout used can be adjusted with the |
| 65 | --with-entropy-timeout configure option. OpenSSH will not try to |
| 66 | re-execute programs which have not been found, have had a non-zero |
| 67 | exit status or have timed out more than a couple of times. |
| 68 | |
| 69 | 2. Estimating the real 'rate' of program outputs is non-trivial |
| 70 | |
| 71 | The shear volume of the task is problematic: there are currently |
| 72 | around 50 commands in the ssh_prng_cmds list, portable OpenSSH |
| 73 | supports at least 12 different OSs. That is already 600 sets of data |
| 74 | to be analysed, without taking into account the numerous differences |
| 75 | between versions of each OS. |
| 76 | |
| 77 | On top of this, the different commands can produce varying amounts of |
| 78 | usable data depending on how busy the machine is, how long it has been |
| 79 | up and various other factors. |
| 80 | |
| 81 | To make matters even more complex, some of the commands are reporting |
| 82 | largely the same data as other commands (eg. the various "ps" calls). |
| 83 | |
Damien Miller | e9cf357 | 2001-02-09 12:55:35 +1100 | [diff] [blame] | 84 | |
Damien Miller | 49411ff | 2002-04-14 23:16:04 +1000 | [diff] [blame] | 85 | How to avoid the default entropy code? |
| 86 | |
| 87 | The best way is to read the OpenSSL documentation and recompile OpenSSL |
| 88 | to use prngd or egd. Some platforms (like earily solaris) have 3rd |
| 89 | party /dev/random devices that can be also used for this task. |
| 90 | |
| 91 | If you are forced to use ssh-rand-helper consider still downloading |
| 92 | prngd/egd and configure OpenSSH using --with-prngd-port=xx or |
| 93 | --with-prngd-socket=xx (refer to INSTALL for more information). |
| 94 | |
Darren Tucker | ba2abb3 | 2004-12-06 22:40:10 +1100 | [diff] [blame] | 95 | $Id: WARNING.RNG,v 1.7 2004/12/06 11:40:11 dtucker Exp $ |