xref: /titanic_41/usr/src/cmd/ssh/doc/WARNING.RNG (revision cde2885fdf538266ee2a3b08dee2d5075ce8fa2b)
1This document contains a description of portable OpenSSH's random
2number collection code. An alternate reading of this text could
3well be titled "Why I should pressure my system vendor to supply
4/dev/random in their OS".
5
6Why is this important? OpenSSH depends on good, unpredictable numbers
7for generating keys, performing digital signatures and forming
8cryptographic challenges. If the random numbers that it uses are
9predictable, then the strength of the whole system is compromised.
10
11A particularly pernicious problem arises with DSA keys (used by the
12ssh2 protocol). Performing a DSA signature (which is required for
13authentication), entails the use of a 160 bit random number.  If an
14attacker can predict this number, then they can deduce your *private*
15key and impersonate you or your hosts.
16
17If you are using the builtin random number support (configure will
18tell you if this is the case), then read this document in its entirety.
19
20Please also request that your OS vendor provides a kernel-based random
21number collector (/dev/random) in future versions of your operating
22systems by default.
23
24On to the description...
25
26The portable OpenSSH contains random number collection support for
27systems which lack a kernel entropy pool (/dev/random).
28
29This collector operates by executing the programs listed in
30($etcdir)/ssh_prng_cmds, reading their output and adding it to the
31PRNG supplied by OpenSSL (which is hash-based). It also stirs in the
32output of several system calls and timings from the execution of the
33programs that it runs.
34
35The ssh_prng_cmds file also specifies a 'rate' for each program. This
36represents the number of bits of randomness per byte of output from
37the specified program.
38
39The random number code will also read and save a seed file to
40~/.ssh/prng_seed. This contents of this file are added to the random
41number generator at startup. The goal here is to maintain as much
42randomness between sessions as possible.
43
44The entropy collection code has two main problems:
45
461. It is slow.
47
48Executing each program in the list can take a large amount of time,
49especially on slower machines. Additionally some program can take a
50disproportionate time to execute.
51
52This can be tuned by the administrator. To debug the entropy
53collection is great detail, turn on full debugging ("ssh -v -v -v" or
54"sshd -d -d -d"). This will list each program as it is executed, how
55long it took to execute, its exit status and whether and how much data
56it generated. You can the find the culprit programs which are causing
57the real slow-downs.
58
59The entropy collector will timeout programs which take too long
60to execute, the actual timeout used can be adjusted with the
61--with-entropy-timeout configure option. OpenSSH will not try to
62re-execute programs which have not been found, have had a non-zero
63exit status or have timed out more than a couple of times.
64
652. Estimating the real 'rate' of program outputs is non-trivial
66
67The shear volume of the task is problematic: there are currently
68around 50 commands in the ssh_prng_cmds list, portable OpenSSH
69supports at least 12 different OSs. That is already 600 sets of data
70to be analysed, without taking into account the numerous differences
71between versions of each OS.
72
73On top of this, the different commands can produce varying amounts of
74usable data depending on how busy the machine is, how long it has been
75up and various other factors.
76
77To make matters even more complex, some of the commands are reporting
78largely the same data as other commands (eg. the various "ps" calls).
79
80