This document contains a description of portable OpenSSH's random
number collection code. An alternate reading of this text could
well be titled "Why I should pressure my system vendor to supply
/dev/random in their OS".

Why is this important? OpenSSH depends on good, unpredictable numbers
for generating keys, performing digital signatures and forming
cryptographic challenges. If the random numbers that it uses are
predictable, then the strength of the whole system is compromised.

A particularly pernicious problem arises with DSA keys (used by the
ssh2 protocol). Performing a DSA signature (which is required for
authentication) entails the use of a 160 bit random number. If an
attacker can predict this number, then they can deduce your *private*
key and impersonate you or your hosts.

If you are using the builtin random number support (configure will
tell you if this is the case), then read this document in its entirety.

Please also request that your OS vendor provides a kernel-based random
number collector (/dev/random) in future versions of your operating
systems by default.

On to the description...

Portable OpenSSH contains random number collection support for
systems which lack a kernel entropy pool (/dev/random).

This collector operates by executing the programs listed in
($etcdir)/ssh_prng_cmds, reading their output and adding it to the
PRNG supplied by OpenSSL (which is hash-based). It also stirs in the
output of several system calls and timings from the execution of the
programs that it runs.

The ssh_prng_cmds file also specifies a 'rate' for each program. This
represents the number of bits of randomness per byte of output from
the specified program.

The random number code will also read and save a seed file to
~/.ssh/prng_seed. The contents of this file are added to the random
number generator at startup. The goal here is to maintain as much
randomness between sessions as possible.

The entropy collection code has two main problems:

1. It is slow.

Executing each program in the list can take a large amount of time,
especially on slower machines. Additionally some programs can take a
disproportionate time to execute.

This can be tuned by the administrator.
To debug the entropy
collection in great detail, turn on full debugging ("ssh -v -v -v" or
"sshd -d -d -d"). This will list each program as it is executed, how
long it took to execute, its exit status and whether and how much data
it generated. You can then find the culprit programs which are causing
the real slow-downs.

The entropy collector will time out programs which take too long
to execute; the actual timeout used can be adjusted with the
--with-entropy-timeout configure option. OpenSSH will not try to
re-execute programs which have not been found, have had a non-zero
exit status or have timed out more than a couple of times.

2. Estimating the real 'rate' of program outputs is non-trivial.

The sheer volume of the task is problematic: there are currently
around 50 commands in the ssh_prng_cmds list, and portable OpenSSH
supports at least 12 different OSs. That is already 600 sets of data
to be analysed, without taking into account the numerous differences
between versions of each OS.

On top of this, the different commands can produce varying amounts of
usable data depending on how busy the machine is, how long it has been
up and various other factors.

To make matters even more complex, some of the commands are reporting
largely the same data as other commands (e.g. the various "ps" calls).
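
The two difficulties described above (putting a number on a command's
'rate', and commands such as the various "ps" calls reporting the same
data) can be seen with a small experiment. The following is an added
example, not part of the original document or of OpenSSH: it uses zlib
compression as a stand-in estimator, and fake_ps(), its headers and its
values are constructed sample data.

```python
import hashlib
import zlib


def novel_bits(sample, context=b""):
    """Bits raw deflate needs for `sample` when `context` is already known.

    This is an UPPER bound on new information, never a safe entropy credit.
    """
    if context:
        comp = zlib.compressobj(9, zlib.DEFLATED, -15, zdict=context[-32768:])
    else:
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return 8 * len(comp.compress(sample) + comp.flush())


def fake_ps(header, tick, nproc=30):
    """Constructed stand-in for one run of a ps-like command (hypothetical)."""
    lines = [header]
    for pid in range(100, 100 + nproc):
        digest = hashlib.sha256(f"{tick}:{pid}".encode()).hexdigest()
        cpu = int(digest[:8], 16) % 10**8      # field that changes per run
        lines.append(f"{pid:5d} ?  {cpu:08d} daemon{pid}")
    return ("\n".join(lines) + "\n").encode()


def rate(now, context):
    """Upper bound, in bits per byte of output, given what was seen before."""
    return novel_bits(now, context) / len(now)


def analyse():
    # Two commands that print the same process table under different headers.
    a_prev, a_now = (fake_ps("  PID TTY     TIME CMD", t) for t in (1, 2))
    b_prev, b_now = (fake_ps("  PID TT      TIME COMMAND", t) for t in (1, 2))
    return {
        "static": rate(a_now, a_now),              # output that never changes
        "a_alone": rate(a_now, a_prev),            # first command, run to run
        "b_alone": rate(b_now, b_prev),            # second command on its own
        "b_after_a": rate(b_now, b_prev + a_now),  # second, once first is mixed in
    }


if __name__ == "__main__":
    for name, value in analyse().items():
        print(f"{name:10s} <= {value:.3f} bits/byte")
```

Compressed size only bounds new information from above: the constructed
samples here are fully deterministic, so their true entropy is zero even
though the bound is well above zero, which is why a configured rate should
sit far below any such measurement.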