Bug 1781 - Document how to use Solaris 10 /dev/random
Summary: Document how to use Solaris 10 /dev/random
Status: CLOSED WORKSFORME
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: Documentation
Version: -current
Hardware: All All
: P2 normal
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-06-15 05:48 AEST by Chris Pepper
Modified: 2011-01-24 12:33 AEDT

See Also:

Description Chris Pepper 2010-06-15 05:48:28 AEST
http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/INSTALL says:

--with-prngd-socket=/some/file allows you to enable EGD or PRNGD
support and to specify a PRNGd socket. Use this if your Unix lacks
/dev/random and you don't want to use OpenSSH's builtin entropy
collection support.

--with-prngd-port=portnum allows you to enable EGD or PRNGD support
and to specify a EGD localhost TCP port. Use this if your Unix lacks
/dev/random and you don't want to use OpenSSH's builtin entropy
collection support.


I hoped that the configure script would automatically use /dev/random, but apparently not -- it says "Random number source: OpenSSL internal ONLY".

root@thor:/# uname -a
SunOS thor 5.10 Generic_142901-08 i86pc i386 i86pc
root@thor:/# ls -l /dev/random /devices/pseudo/random@0:random
lrwxrwxrwx   1 root     root          33 Oct 21  2009 /dev/random -> ../devices/pseudo/random@0:random
crw-r--r--   1 root     sys      149,  0 Jun 10 11:27 /devices/pseudo/random@0:random


I see configure arguments for a subprocess or PRNGd, but nothing obvious to point at /dev/random (a character device). Should I just use "--with-prngd-socket=/dev/random"? 

pepper@thor:~/cvs/openssh$ ./configure --help|egrep -i '(rand|prng)'
  --with-rand-helper      Use subprocess to gather strong randomness
  --with-prngd-port=PORT  read entropy from PRNGD/EGD TCP localhost:PORT
  --with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)


Perhaps the Solaris heading in README.platform should include a suggestion?
Comment 1 Damien Miller 2010-06-15 11:55:22 AEST
If your platform supports /dev/random, and OpenSSL has been configured to use it (if OpenSSL came with your system, or you compiled it on there then it will almost certainly do so), then you can rely on its internal seeding. 

If something is wrong (e.g. OpenSSL has not been configured to seed from /dev/random) then the problem will be immediately apparent as ssh, sshd, etc will throw loud error messages and refuse to start.
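A pre-flight check for the situation Damien describes, added here as an example; it is not code from the bug report, OpenSSH or OpenSSL. It verifies that the random device is a character device the current user can read, and that the system's OpenSSL command can hand out random bytes, which it refuses to do when its PRNG is unseeded (the same condition that makes ssh and sshd bail out at startup). It assumes a POSIX sh and an openssl command on PATH; the device path defaults to /dev/random and can be overridden with the first argument.

```shell
#!/bin/sh
# Added example, not code from the bug report, OpenSSH or OpenSSL.
# Assumes POSIX sh and an "openssl" command on PATH; the device path
# is taken from the first argument and defaults to /dev/random.

# 0 if the path is a character device that this user can read.
is_char_device() {
    [ -c "$1" ] && [ -r "$1" ]
}

# 0 if the OpenSSL CLI can produce random bytes. An OpenSSL build whose
# PRNG cannot seed itself fails this with "PRNG not seeded", the same
# condition under which ssh and sshd refuse to start.
openssl_seeded() {
    openssl rand -hex 16 >/dev/null 2>&1
}

# Combined verdict, as a return code:
#   0  device usable and OpenSSL seeded
#   1  device missing, not a character device, or unreadable
#   2  OpenSSL present but unable to produce random bytes
#   3  no openssl command on PATH (device check passed)
check_rand_source() {
    dev=${1:-/dev/random}
    is_char_device "$dev" || return 1
    command -v openssl >/dev/null 2>&1 || return 3
    openssl_seeded || return 2
    return 0
}

# Human-readable report; always returns 0 so it is safe under "set -e".
report_rand_source() {
    dev=${1:-/dev/random}
    if check_rand_source "$dev"; then rc=0; else rc=$?; fi
    case $rc in
        0) echo "OK: $dev is a readable character device and OpenSSL is seeded" ;;
        1) echo "FAIL: $dev is missing, not a character device, or unreadable" ;;
        2) echo "FAIL: openssl rand failed; OpenSSL cannot seed its PRNG" ;;
        3) echo "SKIP: no openssl command on PATH; device check passed" ;;
    esac
    return 0
}

# Example run; pass a different device path as the first argument.
report_rand_source "${1:-/dev/random}"
```

If the device check passes and openssl rand succeeds, the "Random number source: OpenSSL internal ONLY" line from configure is nothing to worry about; a failure in the second step is the case where --with-prngd-socket, --with-prngd-port or --with-rand-helper become relevant.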
Comment 2 Chris Pepper 2010-06-15 11:59:26 AEST
That makes sense, but then INSTALL or README.platform should mention that "OpenSSL internal ONLY" is likely to be acceptable if OpenSSL is getting randomness from /dev/random. From the current wording, I thought I needed to ensure that OpenSSH could access /dev/random directly.
Comment 3 Damien Miller 2011-01-24 12:33:44 AEDT
Move resolved bugs to CLOSED after 5.7 release