This is a discussion on RE: prngd usage on OpenSsh4.3p2 - openssh ; Hi guys, my company is switching over to ssh and we have an old RS6000 that is running AIX 4.2 that we have to install ssh on. Is there a package that I can download to install it like Sun ...
Hi guys, my company is switching over to ssh and we have an old RS6000
that is running AIX 4.2 that we have to install ssh on. Is there a
package that I can download to install it like Sun has? I'm having
trouble with the info that I got and don't have any install
instructions. Any help would be great. Thanks guys!!
From: Darren Tucker [mailto:firstname.lastname@example.org]=20
Sent: Friday, April 07, 2006 11:46 PM
To: Enrique Sanchez Vela
Subject: Re: prngd usage on OpenSsh4.3p2
Enrique Sanchez Vela wrote:
> I've been toying with openssh 4.3p2 for a while now on
> AIX 5.1 and I am trying to build it with prngd
> support, however, everytime I start sshd or issue an
> ssh command (whith prngd daemon not running) it just
> works fine.
> I am building sshd with the following options,=20
> ./configure --with-ipaddr-display --with-md5-passwords
> --with-privsep-user=3Dsshd --sysconfdir=3D/etc/ssh/
> --with-ssl-dir=3D/usr/local/ssl --prefix=3D/usr/local
> --with-prngd-port=3D708 --with-rand-helper=3Dprngd
> if anyone could explain the behaivor to me, I would
--with-rand-helper doesn't take any arguments (other than yes/no). What
you're doing there is always building ssh-rand-helper.
Normally, when you run configure, it checks if OpenSSL's RNG is=20
"self-seeded". For modern versions of OpenSSL, this basically means the
OpenSSL itself checks if there's a decent entropy source on your system=20
such as /dev/random (which AIX 5.1 doesn't have) or prngd /egd (it=20
actually only checks for the presence of a prngd/egd socket at a few=20
At OpenSSH build time, if the RNG isn't self-seeded configure=20
automatically builds "ssh-rand-helper", which is an external process=20
that runs around collecting entropy from various sources, mashing them=20
together and returning the result to whichever process ran it. This is=20
then used to seed OpenSSL's RNG, which is then supplies the randomness=20
used for the ssh/sshd process.
Aat run time, the OpenSSH processes that need the RNG again check if=20
OpenSSL's considers the RNG self-seeded. OpenSSL checks again, and if=20
it finds an entropy source it is used. If not, it tells OpenSSH that=20
it's not self-seeded and OpenSSH runs ssh-rand-helper (if it was built)=20
or fails with a "PRNG not seeded error" (if it wasn't). You can see=20
what it's doing by adding "-vvv" to an ssh command line.
Now in your case, you're always building ssh-rand-helper, so even if you
stop prngd, OpenSSH has a source of entropy. If you remove the=20
--with-rand-helper option from configure and rebuild OpenSSH then you=20
will probably get the behaviour you expect.
The other thing to bear in mind is that some of these things are=20
detected at build time *of both OpenSSL and OpenSSH* and some are also=20
dependant on the versions in question.
ssh-random-helper also knows how to talk to prngd. Before OpenSSH=20
4.0p1, if configure found prngd at build time then ssh-rand-helper would
fail at run time if prngd wasn't running. From 4.0p1, it will fall back
to collecting entropy from commands in this case (you will usually see=20
an error from ssh in this case).
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.