| This document contains a description of portable OpenSSH's random |
| number collection code. An alternate reading of this text could |
| well be titled "Why I should pressure my system vendor to supply |
| /dev/random in their OS". |
| |
| Why is this important? OpenSSH depends on good, unpredictable numbers |
| for generating keys, performing digital signatures and forming |
| cryptographic challenges. If the random numbers that it uses are |
| predictable, then the strength of the whole system is compromised. |
| |
| A particularly pernicious problem arises with DSA keys (used by the |
| ssh2 protocol). Performing a DSA signature (which is required for |
| authentication), entails the use of a 160 bit random number. If an |
| attacker can predict this number, then they can deduce your *private* |
| key and impersonate you or your hosts. |
| |
| If you are using the builtin random number support (configure will |
| tell you if this is the case), then read this document in its entirety. |
| Alternately, you can use Lutz Jaenicke's PRNGd - a small daemon which |
| collects random numbers and makes them available by a socket. |
| |
| Please also request that your OS vendor provides a kernel-based random |
| number collector (/dev/random) in future versions of your operating |
| systems by default. |
| |
| On to the description... |
| |
| The portable OpenSSH contains random number collection support for |
| systems which lack a kernel entropy pool (/dev/random). |
| |
| This collector (as of 3.1 and beyond) comes as an external application |
| that allows the local admin to decide on how to implement entropy |
| collection. |
| |
| The default entropy collector operates by executing the programs listed |
| in ($etcdir)/ssh_prng_cmds, reading their output and adding it to the |
| PRNG supplied by OpenSSL (which is hash-based). It also stirs in the |
| output of several system calls and timings from the execution of the |
| programs that it runs. |
| |
| The ssh_prng_cmds file also specifies a 'rate' for each program. This |
| represents the number of bits of randomness per byte of output from |
| the specified program. |
| |
| The random number code will also read and save a seed file to |
| ~/.ssh/prng_seed. This contents of this file are added to the random |
| number generator at startup. The goal here is to maintain as much |
| randomness between sessions as possible. |
| |
| The default entropy collection code has two main problems: |
| |
| 1. It is slow. |
| |
| Executing each program in the list can take a large amount of time, |
| especially on slower machines. Additionally some program can take a |
| disproportionate time to execute. |
| |
| Tuning the default entropy collection code is difficult at this point. |
| It requires doing 'times ./ssh-rand-helper' and modifying the |
| ($etcdir)/ssh_prng_cmds until you have found the issue. In the next |
| release we will be looking at support '-v' for verbose output to allow |
| easier debugging. |
| |
| The default entropy collector will timeout programs which take too long |
| to execute, the actual timeout used can be adjusted with the |
| --with-entropy-timeout configure option. OpenSSH will not try to |
| re-execute programs which have not been found, have had a non-zero |
| exit status or have timed out more than a couple of times. |
| |
| 2. Estimating the real 'rate' of program outputs is non-trivial |
| |
| The shear volume of the task is problematic: there are currently |
| around 50 commands in the ssh_prng_cmds list, portable OpenSSH |
| supports at least 12 different OSs. That is already 600 sets of data |
| to be analysed, without taking into account the numerous differences |
| between versions of each OS. |
| |
| On top of this, the different commands can produce varying amounts of |
| usable data depending on how busy the machine is, how long it has been |
| up and various other factors. |
| |
| To make matters even more complex, some of the commands are reporting |
| largely the same data as other commands (eg. the various "ps" calls). |
| |
| |
| How to avoid the default entropy code? |
| |
| The best way is to read the OpenSSL documentation and recompile OpenSSL |
| to use prngd or egd. Some platforms (like earily solaris) have 3rd |
| party /dev/random devices that can be also used for this task. |
| |
| If you are forced to use ssh-rand-helper consider still downloading |
| prngd/egd and configure OpenSSH using --with-prngd-port=xx or |
| --with-prngd-socket=xx (refer to INSTALL for more information). |
| |
| $Id: WARNING.RNG,v 1.5 2002/04/14 13:16:05 djm Exp $ |