
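--- a/ssh.1.O
+++ b/ssh.1.O
@@ -926,6 +926,30 @@
 It is possible to have
 multiple identity files specified in configuration files; all these
 identities will be tried in sequence.
+.It Cm InitPrngFromSeedFile
+Specifies whether the random seed file may be the primary source of
+randomness for the pseudo-random number generator on systems that don't
+have a good fast source of randomness such as /dev/random.  This enables
+faster startup on such systems after the first time when the seed file
+is generated in
+.Pa $HOME/.ssh/prng_seed 
+by running many external programs.  If this option is 
+.Dq no ,
+.Nm ssh
+runs the external programs every time it starts.
+NOTE: if the seed file is stored on a network filesystem that does not
+use encryption, the seed may be vulnerable to someone listening on the
+network which could make it easier to guess what random keys 
+.Nm ssh
+might choose to encrypt sessions.
+This option is ignored on systems that do have a good fast source of
+randomness.
+The argument must be
+.Dq yes
+or
+.Dq no .
+The default is
+.Dq no .
 .It Cm KeepAlive
 Specifies whether the system should send keepalive messages to the
 other side.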
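--- a/readconf.h.O
+++ b/readconf.h.O
@@ -80,6 +80,8 @@
 	char   *proxy_command;	/* Proxy command for connecting the host. */
 	char   *user;		/* User to log in as. */
 	int     escape_char;	/* Escape character; -2 = none */
+	int     init_prng_from_seed_file; /* If seed file exists don't use */
+				/* external programs to initialize entropy */
 
 	char   *system_hostfile;/* Path for /etc/ssh_known_hosts. */
 	char   *user_hostfile;	/* Path for $HOME/.ssh/known_hosts. */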
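Review bot: The comment on the new `init_prng_from_seed_file` field (lines 83-84) does not record the tri-state the parser depends on: readconf.c initialises it to -1 in its defaults hunk, treats -1 as "unset" before resolving it to 0, and only a value of 1 is copied into entropy.c's global flag. This struct is where a reader looks up what the value means, so I would fold the two comment lines into one that names the states, e.g. `int     init_prng_from_seed_file; /* -1 = unset, 0 = always run entropy programs, 1 = trust an existing seed file */`. The man page hunk says the option is ignored on systems with a fast randomness source, and the entropy.c changes sit on the builtin-RNG side of its `#else`; if that is the intent, a brief "builtin RNG only" remark here would save a reader tracing it.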
(-)readconf.c.O (-2 / +15 lines)
Lines 106-112 Link Here
106
	oAFSTokenPassing,
106
	oAFSTokenPassing,
107
#endif
107
#endif
108
	oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
108
	oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
109
	oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
109
	oUser, oHost, oEscapeChar, oInitPrngFromSeedFile,
110
	oRhostsRSAAuthentication, oProxyCommand,
110
	oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
111
	oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
111
	oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
112
	oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
112
	oCompressionLevel, oKeepAlives, oNumberOfPasswordPrompts,
113
	oCompressionLevel, oKeepAlives, oNumberOfPasswordPrompts,
Lines 115-121 Link Here
115
	oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
116
	oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
116
	oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
117
	oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
117
	oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
118
	oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
118
	oClearAllForwardings, oNoHostAuthenticationForLocalhost 
119
	oClearAllForwardings, oNoHostAuthenticationForLocalhost
119
} OpCodes;
120
} OpCodes;
120
121
121
/* Textual representations of the tokens. */
122
/* Textual representations of the tokens. */
Lines 167-172 Link Here
167
	{ "user", oUser },
168
	{ "user", oUser },
168
	{ "host", oHost },
169
	{ "host", oHost },
169
	{ "escapechar", oEscapeChar },
170
	{ "escapechar", oEscapeChar },
171
	{ "initprngfromseedfile", oInitPrngFromSeedFile }, 
170
	{ "globalknownhostsfile", oGlobalKnownHostsFile },
172
	{ "globalknownhostsfile", oGlobalKnownHostsFile },
171
	{ "userknownhostsfile", oUserKnownHostsFile },		/* obsolete */
173
	{ "userknownhostsfile", oUserKnownHostsFile },		/* obsolete */
172
	{ "globalknownhostsfile2", oGlobalKnownHostsFile2 },
174
	{ "globalknownhostsfile2", oGlobalKnownHostsFile2 },
Lines 678-683 Link Here
678
			*intptr = value;
680
			*intptr = value;
679
		break;
681
		break;
680
682
683
	case oInitPrngFromSeedFile:
684
		intptr = &options->init_prng_from_seed_file;
685
		goto parse_flag;
686
681
	default:
687
	default:
682
		fatal("process_config_line: Unimplemented opcode %d", opcode);
688
		fatal("process_config_line: Unimplemented opcode %d", opcode);
683
	}
689
	}
Lines 787-792 Link Here
787
	options->proxy_command = NULL;
793
	options->proxy_command = NULL;
788
	options->user = NULL;
794
	options->user = NULL;
789
	options->escape_char = -1;
795
	options->escape_char = -1;
796
	options->init_prng_from_seed_file = -1;
790
	options->system_hostfile = NULL;
797
	options->system_hostfile = NULL;
791
	options->user_hostfile = NULL;
798
	options->user_hostfile = NULL;
792
	options->system_hostfile2 = NULL;
799
	options->system_hostfile2 = NULL;
Lines 905-910 Link Here
905
	}
912
	}
906
	if (options->escape_char == -1)
913
	if (options->escape_char == -1)
907
		options->escape_char = '~';
914
		options->escape_char = '~';
915
	if (options->init_prng_from_seed_file == -1)
916
		options->init_prng_from_seed_file = 0;
917
	if (options->init_prng_from_seed_file == 1) {
918
		extern int init_prng_from_seed_file;
919
		init_prng_from_seed_file = 1;
920
	}
908
	if (options->system_hostfile == NULL)
921
	if (options->system_hostfile == NULL)
909
		options->system_hostfile = _PATH_SSH_SYSTEM_HOSTFILE;
922
		options->system_hostfile = _PATH_SSH_SYSTEM_HOSTFILE;
910
	if (options->user_hostfile == NULL)
923
	if (options->user_hostfile == NULL)
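Review bot: The block-scope `extern int init_prng_from_seed_file;` in the hunk at lines 917-920 sidesteps the compiler's check that the declaration agrees with the definition in entropy.c, and the enclosing function (the defaults-filling routine, whose start lies outside the hunk) is an odd home for it. Declare it once in the header that already declares init_rng() and seed_rng(), and drop the in-function extern, so readconf.c and entropy.c cannot silently disagree on its type; I cannot see from this page whether entropy.c's definition at its lines 71-73 is inside the `#if` region whose `#else` appears at line 239, and if it is, a PRNGD/RANDOM_POOL build would fail to link against this reference. The global is also only ever set to 1 and never cleared, so the option cannot be switched back off if this routine runs more than once in a process, which I cannot confirm from the hunk. The table entry at line 171 carries trailing whitespace, unlike its neighbours, while the 115-121 hunk strips exactly that elsewhere.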
(-)entropy.c.O (-44 / +59 lines)
Lines 68-73 Link Here
68
# define SAVED_IDS_WORK_WITH_SETEUID
68
# define SAVED_IDS_WORK_WITH_SETEUID
69
#endif
69
#endif
70
70
71
/* if set and seed file exists, builtin entropy generator skips */
72
/* running lots of slow programs to collect initial entropy     */
73
int init_prng_from_seed_file = 0;
74
71
static void
75
static void
72
check_openssl_version(void) 
76
check_openssl_version(void) 
73
{
77
{
Lines 229-240 Link Here
229
	memset(buf, '\0', sizeof(buf));
233
	memset(buf, '\0', sizeof(buf));
230
}
234
}
231
235
232
void
233
init_rng(void) 
234
{
235
	check_openssl_version();
236
}
237
238
#else /* defined(USE_PRNGD) || defined(RANDOM_POOL) */
236
#else /* defined(USE_PRNGD) || defined(RANDOM_POOL) */
239
237
240
/*
238
/*
Lines 651-657 Link Here
651
	}
649
	}
652
}
650
}
653
651
654
void
652
int
655
prng_read_seedfile(void) {
653
prng_read_seedfile(void) {
656
	int fd;
654
	int fd;
657
	char seed[1024];
655
	char seed[1024];
Lines 669-676 Link Here
669
	debug("loading PRNG seed from file %.100s", filename);
667
	debug("loading PRNG seed from file %.100s", filename);
670
668
671
	if (!prng_check_seedfile(filename)) {
669
	if (!prng_check_seedfile(filename)) {
672
		verbose("Random seed file not found or not valid, ignoring.");
670
		return 0;
673
		return;
674
	}
671
	}
675
672
676
	/* open the file and read in the seed */
673
	/* open the file and read in the seed */
Lines 686-693 Link Here
686
	}
683
	}
687
	close(fd);
684
	close(fd);
688
685
689
	/* stir in the seed, with estimated entropy zero */
686
	/* stir in the seed, using a large number for the estimated entropy */
690
	RAND_add(&seed, sizeof(seed), 0.0);
687
	/* because a lot of entropy went into the generating the file; not */
688
	/* this much, but the number isn't critical if it's over the minimum */
689
	RAND_add(&seed, sizeof(seed), (double) sizeof(seed));
690
691
	return 1;
691
}
692
}
692
693
693
694
Lines 839-880 Link Here
839
seed_rng(void)
840
seed_rng(void)
840
{
841
{
841
	mysig_t old_sigchld_handler;
842
	mysig_t old_sigchld_handler;
842
843
	if (!prng_initialised)
844
		fatal("RNG not initialised");
845
846
	/* Make sure some other sigchld handler doesn't reap our entropy */
847
	/* commands */
848
	old_sigchld_handler = mysignal(SIGCHLD, SIG_DFL);
849
850
	debug("Seeded RNG with %i bytes from programs", 
851
	    (int)stir_from_programs());
852
	debug("Seeded RNG with %i bytes from system calls", 
853
	    (int)stir_from_system());
854
855
	if (!RAND_status())
856
		fatal("Not enough entropy in RNG");
857
858
	mysignal(SIGCHLD, old_sigchld_handler);
859
860
	if (!RAND_status())
861
		fatal("Couldn't initialise builtin random number generator -- exiting.");
862
}
863
864
void
865
init_rng(void)
866
{
867
	int original_euid;
843
	int original_euid;
868
844
	int seed_file_read;
869
	check_openssl_version();
870
845
871
	original_uid = getuid();
846
	original_uid = getuid();
872
	original_euid = geteuid();
847
	original_euid = geteuid();
873
848
874
	/* Read in collection commands */
875
	if (!prng_read_commands(SSH_PRNG_COMMAND_FILE))
876
		fatal("PRNG initialisation failed -- exiting.");
877
878
	/* Set ourselves up to save a seed upon exit */
849
	/* Set ourselves up to save a seed upon exit */
879
	prng_seed_saved = 0;
850
	prng_seed_saved = 0;
880
851
Lines 892-898 Link Here
892
		fatal("Couldn't give up privileges");
863
		fatal("Couldn't give up privileges");
893
#endif /* SAVED_IDS_WORK_WITH_SETEUID */
864
#endif /* SAVED_IDS_WORK_WITH_SETEUID */
894
865
895
	prng_read_seedfile();
866
	seed_file_read = prng_read_seedfile();
896
867
897
#ifdef SAVED_IDS_WORK_WITH_SETEUID
868
#ifdef SAVED_IDS_WORK_WITH_SETEUID
898
	if ((original_uid != original_euid) && (seteuid(original_euid) == -1))
869
	if ((original_uid != original_euid) && (seteuid(original_euid) == -1))
Lines 911-917 Link Here
911
	fatal_add_cleanup(prng_seed_cleanup, NULL);
882
	fatal_add_cleanup(prng_seed_cleanup, NULL);
912
	atexit(prng_write_seedfile);
883
	atexit(prng_write_seedfile);
913
884
914
	prng_initialised = 1;
885
	if (init_prng_from_seed_file) {
886
		if (!seed_file_read) {
887
			log("Random seed file not found or not valid, collecting random data...");
888
			/* Read in collection commands */
889
			if (!prng_read_commands(SSH_PRNG_COMMAND_FILE))
890
				fatal("PRNG initialisation failed -- exiting.");
891
		}
892
	} else {
893
		if (!seed_file_read) {
894
			verbose("Random seed file not found or not valid, ignoring.");
895
		}
896
		/* Read in collection commands */
897
		if (!prng_read_commands(SSH_PRNG_COMMAND_FILE))
898
			fatal("PRNG initialisation failed -- exiting.");
899
	}
900
901
	/* Make sure some other sigchld handler doesn't reap our entropy */
902
	/* commands */
903
	old_sigchld_handler = mysignal(SIGCHLD, SIG_DFL);
904
905
	if (entropy_sources != NULL) {
906
		debug("Seeded RNG with %i bytes from programs", 
907
		    (int)stir_from_programs());
908
	}
909
	debug("Seeded RNG with %i bytes from system calls", 
910
	    (int)stir_from_system());
911
912
	if (!RAND_status())
913
		fatal("Not enough entropy in RNG");
914
915
	mysignal(SIGCHLD, old_sigchld_handler);
916
917
	if (!RAND_status())
918
		fatal("Couldn't initialise builtin random number generator -- exiting.");
915
}
919
}
916
920
921
917
#endif /* defined(USE_PRNGD) || defined(RANDOM_POOL) */
922
#endif /* defined(USE_PRNGD) || defined(RANDOM_POOL) */
923
924
/* note that init_rng is often called before processing options  */
925
/* and as a result debug messages do not get printed, so put off */
926
/* most initialization until seed_rng */
927
928
void
929
init_rng(void)
930
{
931
	check_openssl_version();
932
}
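Review bot: The new `RAND_add(&seed, sizeof(seed), (double) sizeof(seed));` in the prng_read_seedfile hunk (lines 686-689) credits 1024 bytes of entropy to the seed file, and the comment on lines 687-688 concedes the figure is not real. With InitPrngFromSeedFile set, seed_rng's new branch at lines 885-891 skips the collection commands, so the `RAND_status()` check at line 912 is satisfied by the seed file plus whatever stir_from_system() adds — a seed file that is stale, duplicated between installs, or exposed to others (the case the man page and WARNING.RNG hunks describe) passes that check without any fresh entropy from programs. I would credit a deliberately small, named estimate instead of the buffer size, e.g. `RAND_add(&seed, sizeof(seed), (double) SEED_FILE_ENTROPY_ESTIMATE); /* placeholder name */` with the constant kept well below what prng_check_seedfile can actually vouch for, and document in the function header that the seed is a chaining input, not a trusted entropy source. prng_read_seedfile's start and its read loop lie outside the hunk, and the return-type change to int at line 652 also needs any matching prototype updated, which I cannot see here.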
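--- a/WARNING.RNG.O
+++ b/WARNING.RNG.O
@@ -64,6 +64,17 @@
 re-execute programs which have not been found, have had a non-zero
 exit status or have timed out more than a couple of times.
 
+There is an ssh client option called InitPrngFromSeedFile which if
+enabled will skip running the many slow programs once a seed file is
+originally generated.  However, if the seed file is stored on a network
+filesystem that does not encrypt the network traffic, there is a risk
+that someone listening on the network could discover the contents of the
+seed file and from there guess the random numbers that ssh will choose
+to encrypt its traffic.  This is particularly an issue if the network 
+filesystem has secure authentication such as Kerberos, because if it
+does not have secure authentication it could be easily broken into anyway
+and using ssh won't improve the situation.
+
 2. Estimating the real 'rate' of program outputs is non-trivial
 
 The shear volume of the task is problematic: there are currently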
