tech-userlevel archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: [6.0_BETA] cprng xxx: WARNING insufficient entropy at creation.

On Sat, Feb 25, 2012 at 11:55:40PM -0500, Thor Lancelot Simon wrote:
> Try the following patch.  Warning -- untested.  But it should do the job.

I committed a version of this and will request a pullup.  But there is
a remaining problem caused by the way sshd re-execs itself at every
connection -- this effectively drains the OpenSSL internal RNG of bits
and causes it to suck 256 bits out of /dev/urandom for each SSH

If you look at src/crypto/external/bsd/openssl/dist/rand/rand_unix.c
you can see that someone working on OpenBSD noticed this and decided
to deal with it by effectively replacing the OpenSSL RNG with arc4,
#ifdef OpenBSD.  Whoops.  I think I will not do that, so it will take me
a little longer to come up with a good fix.


Home | Main Index | Thread Index | Old Index