Bug 1781

Summary: Document how to use Solaris 10 /dev/random
Product: Portable OpenSSH Reporter: Chris Pepper <pepper>
Component: DocumentationAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED WORKSFORME    
Severity: normal CC: djm
Priority: P2    
Version: -current   
Hardware: All   
OS: All   

Description Chris Pepper 2010-06-15 05:48:28 AEST 
http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/INSTALL says:

--with-prngd-socket=/some/file allows you to enable EGD or PRNGD
support and to specify a PRNGd socket. Use this if your Unix lacks
/dev/random and you don't want to use OpenSSH's builtin entropy
collection support.

--with-prngd-port=portnum allows you to enable EGD or PRNGD support
and to specify a EGD localhost TCP port. Use this if your Unix lacks
/dev/random and you don't want to use OpenSSH's builtin entropy
collection support.


I hoped that the configure script would automatically use /dev/random, but apparently not -- it says "Random number source: OpenSSL internal ONLY".

root@thor:/# uname -a
SunOS thor 5.10 Generic_142901-08 i86pc i386 i86pc
root@thor:/# ls -l /dev/random /devices/pseudo/random@0:random
lrwxrwxrwx   1 root     root          33 Oct 21  2009 /dev/random -> ../devices/pseudo/random@0:random
crw-r--r--   1 root     sys      149,  0 Jun 10 11:27 /devices/pseudo/random@0:random


I see configure arguments for a subprocess or PRNGd, but nothing obvious to point at /dev/random (a character device). Should I just use "--with-prngd-socket=/dev/random"? 

pepper@thor:~/cvs/openssh$ ./configure --help|egrep -i '(rand|prng)'
  --with-rand-helper      Use subprocess to gather strong randomness
  --with-prngd-port=PORT  read entropy from PRNGD/EGD TCP localhost:PORT
  --with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)


Perhaps the Solaris heading in README.platform should include a suggestion?
Comment 1 Damien Miller 2010-06-15 11:55:22 AEST 
If your platform supports /dev/random, and OpenSSL has been configured to use it (if OpenSSL came with your system, or you compiled it on there then it will almost certainly do so), then you can rely on its internal seeding. 

If something is wrong (e.g. OpenSSL has not been configured to seed from /dev/random) then the problem will be immediately apparent as ssh, sshd, etc will throw loud error messages and refuse to start.
Comment 2 Chris Pepper 2010-06-15 11:59:26 AEST 
That makes sense, but then INSTALL or README.paltform should mention that "OpenSSL internal ONLY" is likely to be acceptable if OpenSSL is getting randomness from /dev/random. From the current wording, I thought I needed to ensure that OpenSSH could access /dev/random directly.
Comment 3 Damien Miller 2011-01-24 12:33:44 AEDT 
Move resolved bugs to CLOSED after 5.7 release