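--- a/openssh-5.8p1/entropy.c.entropy
+++ b/openssh-5.8p1/entropy.c.entropy
@@ -50,6 +50,7 @@
 #include "pathnames.h"
 #include "log.h"
 #include "buffer.h"
+#include "openbsd-compat/port-linux.h"
 
 /*
  * Portable OpenSSH PRNG seeding:
@@ -144,6 +145,9 @@ seed_rng(void)
 	memset(buf, '\0', sizeof(buf));
 
 #endif /* OPENSSL_PRNG_ONLY */
+#ifdef __linux__
+	linux_seed();
+#endif /* __linux__ */
 	if (RAND_status() != 1)
 		fatal("PRNG is not seeded");
 }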
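Review bot: The added `linux_seed();` call in seed_rng() sits ahead of the `RAND_status() != 1` check and, per port-linux-prng.c in this same patch, calls fatal() on any failed or short read, so on Linux the process now exits whenever the random device cannot be read, even if OpenSSL had already seeded itself. That presumably affects chroots or containers without the device node, which the existing check alone would have tolerated. If the extra reseed is meant as hardening rather than a hard requirement, the failure should only be fatal when `RAND_status() != 1` afterwards; otherwise a comment at the call should say so, e.g. `/* Linux: always reseed from the kernel pool; linux_seed() is fatal on failure */`. seed_rng() begins above the hunk, so the earlier seeding path is not visible here.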
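--- a/openssh-5.8p1/openbsd-compat/Makefile.in.entropy
+++ b/openssh-5.8p1/openbsd-compat/Makefile.in.entropy
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bindresvport
 
 COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
 
-PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
+PORTS=port-aix.o port-irix.o port-linux.o port-linux-prng.o port-solaris.o port-tun.o port-uw.o
 
 .c.o:
 	$(CC) $(CFLAGS) $(CPPFLAGS) -c $<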
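--- a/openssh-5.8p1/openbsd-compat/port-linux.h.entropy
+++ b/openssh-5.8p1/openbsd-compat/port-linux.h.entropy
@@ -19,6 +19,8 @@
 #ifndef _PORT_LINUX_H
 #define _PORT_LINUX_H
 
+void linux_seed(void);
+
 #ifdef WITH_SELINUX
 int ssh_selinux_enabled(void);
 void ssh_selinux_setup_pty(char *, const char *);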
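--- a/openssh-5.8p1/openbsd-compat/port-linux-prng.c.entropy
+++ b/openssh-5.8p1/openbsd-compat/port-linux-prng.c.entropy
@@ -0,0 +1,56 @@
+/* $Id: port-linux.c,v 1.11.4.2 2011/02/04 00:43:08 djm Exp $ */
+
+/*
+ * Copyright (c) 2011 Jan F. Chadima <jchadima@redhat.com>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Linux-specific portability code - prng support
+ */
+
+#include "includes.h"
+
+#include <errno.h>
+#include <stdarg.h>
+#include <string.h>
+#include <stdio.h>
+#include <openssl/rand.h>
+
+#include "log.h"
+#include "xmalloc.h"
+#include "servconf.h"
+#include "port-linux.h"
+#include "key.h"
+#include "hostfile.h"
+#include "auth.h"
+
+void
+linux_seed(void)
+{
+	int len;
+	char *env = getenv("SSH_USE_STRONG_RNG");
+	char *random = "/dev/urandom";
+
+	if (env && !strcmp(env, "1"))
+		random = "/dev/random";
+
+	errno = 0;
+	if ((len = RAND_load_file(random, 48)) != 48) {
+		if (errno)
+			fatal ("cannot read from %s, %s", random, strerror(errno));
+		else
+			fatal ("EOF reading %s", random);
+	}
+}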
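Review bot: `linux_seed()` lets the `SSH_USE_STRONG_RNG` environment variable switch the seed source to `/dev/random`, and the `RAND_load_file(random, 48)` read that follows has no timeout, so a process started with that variable set stalls until the kernel pool can supply 48 bytes; the man-page text added in this patch describes the blocking, but the function itself carries no comment. A header comment should state the contract: it reads 48 bytes, may block on `/dev/random`, and calls fatal() on a short read or error. The body is also not wrapped in `#ifdef __linux__`, although the call site in entropy.c is and the Makefile.in change appears to build the object on every platform, and `getenv()` is used with no `<stdlib.h>` include visible (includes.h may supply it). Minor: `len` is only ever compared, the local `random` shadows the libc function of that name, and the `$Id$` line still names port-linux.c.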
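--- a/openssh-5.8p1/ssh.1.entropy
+++ b/openssh-5.8p1/ssh.1.entropy
@@ -1250,6 +1250,17 @@ For more information, see the
 .Cm PermitUserEnvironment
 option in
 .Xr sshd_config 5 .
+.It Ev SSH_USE_STRONG_RNG
+The reseeding of the OpenSSL random generator is usually done from
+.Cm /dev/urandom .
+If the 
+.Cm SSH_USE_STRONG_RNG
+is set to
+.Cm 1 ,
+the OpenSSL random generator is reseeded from
+.Cm /dev/random .
+This setting is not recommended on the computers without the hardware
+random generator. Insuifficient entropy causes the blocking conection.
 .Sh FILES
 .Bl -tag -width Ds -compact
 .It Pa ~/.rhosts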
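--- a/openssh-5.8p1/ssh-add.1.entropy
+++ b/openssh-5.8p1/ssh-add.1.entropy
@@ -157,6 +157,17 @@ to make this work.)
 Identifies the path of a
 .Ux Ns -domain
 socket used to communicate with the agent.
+.It Ev SSH_USE_STRONG_RNG
+The reseeding of the OpenSSL random generator is usually done from
+.Cm /dev/urandom .
+If the 
+.Cm SSH_USE_STRONG_RNG
+is set to
+.Cm 1 ,
+the OpenSSL random generator is reseeded from
+.Cm /dev/random .
+This setting is not recommended on the computers without the hardware
+random generator. Insuifficient entropy causes the blocking conection.
 .El
 .Sh FILES
 .Bl -tag -width Ds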
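--- a/openssh-5.8p1/ssh-agent.1.entropy
+++ b/openssh-5.8p1/ssh-agent.1.entropy
@@ -198,6 +198,20 @@ sockets used to contain the connection t
 These sockets should only be readable by the owner.
 The sockets should get automatically removed when the agent exits.
 .El
+.Sh ENVIRONMENT
+.Bl -tag -width Ds -compact
+.Pp
+.It Pa SSH_USE_STRONG_RNG
+The reseeding of the OpenSSL random generator is usually done from
+.Cm /dev/urandom .
+If the 
+.Cm SSH_USE_STRONG_RNG
+is set to
+.Cm 1 ,
+the OpenSSL random generator is reseeded from
+.Cm /dev/random .
+This setting is not recommended on the computers without the hardware
+random generator. Insuifficient entropy causes the blocking conection.
 .Sh SEE ALSO
 .Xr ssh 1 ,
 .Xr ssh-add 1 ,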
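--- a/openssh-5.8p1/sshd.8.entropy
+++ b/openssh-5.8p1/sshd.8.entropy
@@ -937,6 +937,20 @@ concurrently for different ports, this c
 started last).
 The content of this file is not sensitive; it can be world-readable.
 .El
+.Sh ENVIRONMENT
+.Bl -tag -width Ds -compact
+.Pp
+.It Pa SSH_USE_STRONG_RNG
+The reseeding of the OpenSSL random generator is usually done from
+.Cm /dev/urandom .
+If the 
+.Cm SSH_USE_STRONG_RNG
+is set to
+.Cm 1 ,
+the OpenSSL random generator is reseeded from
+.Cm /dev/random .
+This setting is not recommended on the computers without the hardware
+random generator. Insuifficient entropy causes the blocking conection.
 .Sh SEE ALSO
 .Xr scp 1 ,
 .Xr sftp 1 ,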
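--- a/openssh-5.8p1/ssh-keygen.1.entropy
+++ b/openssh-5.8p1/ssh-keygen.1.entropy
@@ -655,6 +655,20 @@ Contains Diffie-Hellman groups used for
 The file format is described in
 .Xr moduli 5 .
 .El
+.Sh ENVIRONMENT
+.Bl -tag -width Ds -compact
+.Pp
+.It Pa SSH_USE_STRONG_RNG
+The reseeding of the OpenSSL random generator is usually done from
+.Cm /dev/urandom .
+If the 
+.Cm SSH_USE_STRONG_RNG
+is set to
+.Cm 1 ,
+the OpenSSL random generator is reseeded from
+.Cm /dev/random .
+This setting is not recommended on the computers without the hardware
+random generator. Insuifficient entropy causes the blocking conection.
 .Sh SEE ALSO
 .Xr ssh 1 ,
 .Xr ssh-add 1 ,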
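--- a/openssh-5.8p1/ssh-keysign.8.entropy
+++ b/openssh-5.8p1/ssh-keysign.8.entropy
@@ -78,6 +78,20 @@ must be set-uid root if host-based authe
 If these files exist they are assumed to contain public certificate
 information corresponding with the private keys above.
 .El
+.Sh ENVIRONMENT
+.Bl -tag -width Ds -compact
+.Pp
+.It Pa SSH_USE_STRONG_RNG
+The reseeding of the OpenSSL random generator is usually done from
+.Cm /dev/urandom .
+If the 
+.Cm SSH_USE_STRONG_RNG
+is set to
+.Cm 1 ,
+the OpenSSL random generator is reseeded from
+.Cm /dev/random .
+This setting is not recommended on the computers without the hardware
+random generator. Insuifficient entropy causes the blocking conection.
 .Sh SEE ALSO
 .Xr ssh 1 ,
 .Xr ssh-keygen 1 ,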
