Enrique Sanchez Vela wrote:
I've been toying with openssh 4.3p2 for a while now on
AIX 5.1 and I am trying to build it with prngd
support, however, everytime I start sshd or issue an
ssh command (whith prngd daemon not running) it just
works fine.
I am building sshd with the following options,
./configure --with-ipaddr-display --with-md5-passwords
--with-privsep-path=/var/empty
--with-privsep-user=sshd --sysconfdir=/etc/ssh/
--with-ssl-dir=/usr/local/ssl --prefix=/usr/local
--with-prngd-port=708 --with-rand-helper=prngd
if anyone could explain the behaivor to me, I would
appreciate.
--with-rand-helper doesn't take any arguments (other than yes/no). What
you're doing there is always building ssh-rand-helper.
Normally, when you run configure, it checks if OpenSSL's RNG is
"self-seeded". For modern versions of OpenSSL, this basically means the
OpenSSL itself checks if there's a decent entropy source on your system
such as /dev/random (which AIX 5.1 doesn't have) or prngd /egd (it
actually only checks for the presence of a prngd/egd socket at a few
default places).
At OpenSSH build time, if the RNG isn't self-seeded configure
automatically builds "ssh-rand-helper", which is an external process
that runs around collecting entropy from various sources, mashing them
together and returning the result to whichever process ran it. This is
then used to seed OpenSSL's RNG, which is then supplies the randomness
used for the ssh/sshd process.
Aat run time, the OpenSSH processes that need the RNG again check if
OpenSSL's considers the RNG self-seeded. OpenSSL checks again, and if
it finds an entropy source it is used. If not, it tells OpenSSH that
it's not self-seeded and OpenSSH runs ssh-rand-helper (if it was built)
or fails with a "PRNG not seeded error" (if it wasn't). You can see
what it's doing by adding "-vvv" to an ssh command line.
Now in your case, you're always building ssh-rand-helper, so even if you
stop prngd, OpenSSH has a source of entropy. If you remove the
--with-rand-helper option from configure and rebuild OpenSSH then you
will probably get the behaviour you expect.
The other thing to bear in mind is that some of these things are
detected at build time *of both OpenSSL and OpenSSH* and some are also
dependant on the versions in question.
ssh-random-helper also knows how to talk to prngd. Before OpenSSH
4.0p1, if configure found prngd at build time then ssh-rand-helper would
fail at run time if prngd wasn't running. From 4.0p1, it will fall back
to collecting entropy from commands in this case (you will usually see
an error from ssh in this case).
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
