openssh@baker-net.org.uk wrote:
> On Tuesday 11 October 2005 23:24, Darren Tucker wrote:
>> http://bugzilla.mindrot.org/show_bug.cgi?id=1097
>>
>> I'm pretty sure it addresses #1, not sure about #2.
>>
>> If you can confirm that it works OK then we can apply it too.

>
> I can confirm that it fixes the first problem but not the second. I've only
> tried building so far, not running but as I'm running a version I built by
> defaulting the first test I'm fairly confident this patch will behave the
> same.


I've attached another patch which tries to fix the /etc/default/login thing.

> I also noticed that the code to build/etc/ssh/ssh_prng_cmds generates
> commands that work on the host rather than the target when cross compiling.
> This doesn't matter too much as it won't be used unless the user specifies
> --with-rand-helper as it is assumed SSLs PRNG is seeded internally for cross
> compiles but the failure mechanism isn't good - If I'm reading correctly any
> commands not supported on the target will just not be used for entropy
> generation potentially resulting in lower than expected entropy, possibly
> even completely predictable on small systems. As it isn't possible to
> generate this reliably when cross compiling the ideal option would be to
> force the user to supply a file of commands to use if it will be used but I'm
> happy to accept that may be too much effort to be worthwhile for a rare
> problem.


Regardless of the where the commands come from, you still have to have
enough of them working to provide enough entropy (based on the
entropy-per-byte estimates in ssh_prng_cmds) for OpenSSL's prng to
consider itself seeded.

> If you want a cross compile environment to test any future patches in then Dan
> Kegel's crosstool[...]


Thanks, I'll check that out.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
http://www.mindrot.org/mailman/listi...enssh-unix-dev