> On Tuesday 11 October 2005 23:24, Darren Tucker wrote:
>> I'm pretty sure it addresses #1, not sure about #2.
>> If you can confirm that it works OK then we can apply it too.

> I can confirm that it fixes the first problem but not the second. I've only
> tried building so far, not running but as I'm running a version I built by
> defaulting the first test I'm fairly confident this patch will behave the
> same.

I've attached another patch which tries to fix the /etc/default/login thing.

> I also noticed that the code to build /etc/ssh/ssh_prng_cmds generates
> commands that work on the host rather than the target when cross compiling.
> This doesn't matter too much as it won't be used unless the user specifies
> --with-rand-helper as it is assumed SSL's PRNG is seeded internally for cross
> compiles but the failure mechanism isn't good - If I'm reading correctly any
> commands not supported on the target will just not be used for entropy
> generation potentially resulting in lower than expected entropy, possibly
> even completely predictable on small systems. As it isn't possible to
> generate this reliably when cross compiling the ideal option would be to
> force the user to supply a file of commands to use if it will be used but I'm
> happy to accept that may be too much effort to be worthwhile for a rare
> problem.

Regardless of where the commands come from, you still have to have
enough of them working to provide enough entropy (based on the
entropy-per-byte estimates in ssh_prng_cmds) for OpenSSL's prng to
consider itself seeded.

> If you want a cross compile environment to test any future patches in then Dan
> Kegel's crosstool[...]

Thanks, I'll check that out.

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

openssh-unix-dev mailing list
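
Added example, not part of the original message or of OpenSSH: a build-time check for the cross-compile failure mode discussed in this thread, listing which entries of a host-generated command file have no binary under the target root. The `"command args" path rate` layout, the `undef` marker, the sample entries, the `sysroot` argument and the `min_usable` threshold are all assumptions made for illustration.

```python
import os
import shlex

# Constructed sample in the assumed layout: "command args" path rate
SAMPLE_CMDS = '''\
# constructed sample, not a real ssh_prng_cmds file
"ls -alni /var/log"   /bin/ls       0.02
"netstat -an"         /bin/netstat  0.05
"ps -ef"              /bin/ps       0.03
"vmstat"              undef         0.01
'''


def parse_cmds(text):
    """Yield (command, path, rate) for each non-comment line."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(fields)}")
        cmd, path, rate = fields
        yield cmd, path, float(rate)


def audit(text, sysroot, min_usable=2):
    """Report which entries have a binary under the target root (sysroot)."""
    usable, missing = [], []
    for cmd, path, rate in parse_cmds(text):
        target = os.path.join(sysroot, path.lstrip("/"))
        # lexists: do not follow symlinks, since absolute links inside the
        # target tree would otherwise resolve against the host filesystem.
        if path != "undef" and os.path.lexists(target):
            usable.append(cmd)
        else:
            missing.append(cmd)
    # min_usable is a hypothetical policy threshold, not an OpenSSH value.
    return {"usable": usable, "missing": missing, "ok": len(usable) >= min_usable}


if __name__ == "__main__":
    import sys
    report = audit(SAMPLE_CMDS, sys.argv[1] if len(sys.argv) > 1 else "/")
    for cmd in report["missing"]:
        print("not available on target:", cmd)
    sys.exit(0 if report["ok"] else 1)
```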