Hi guys, my company is switching over to ssh and we have an old RS6000
that is running AIX 4.2 that we have to install ssh on. Is there a
package that I can download to install it like Sun has? I'm having
trouble with the info that I got and don't have any install
instructions. Any help would be great. Thanks guys!!

-----Original Message-----
From: Darren Tucker [mailto:dtucker@zip.com.au]
Sent: Friday, April 07, 2006 11:46 PM
To: Enrique Sanchez Vela
Cc: secureshell@securityfocus.com
Subject: Re: prngd usage on OpenSsh4.3p2

Enrique Sanchez Vela wrote:
> I've been toying with openssh 4.3p2 for a while now on
> AIX 5.1 and I am trying to build it with prngd
> support, however, every time I start sshd or issue an
> ssh command (with prngd daemon not running) it just
> works fine.
> I am building sshd with the following options,
> ./configure --with-ipaddr-display --with-md5-passwords
> --with-privsep-path=/var/empty
> --with-privsep-user=sshd --sysconfdir=/etc/ssh/
> --with-ssl-dir=/usr/local/ssl --prefix=/usr/local
> --with-prngd-port=708 --with-rand-helper=prngd
> if anyone could explain the behavior to me, I would
> appreciate it.

--with-rand-helper doesn't take any arguments (other than yes/no). What
you're doing there is always building ssh-rand-helper.

Normally, when you run configure, it checks if OpenSSL's RNG is
"self-seeded". For modern versions of OpenSSL, this basically means that
OpenSSL itself checks if there's a decent entropy source on your system
such as /dev/random (which AIX 5.1 doesn't have) or prngd/egd (it
actually only checks for the presence of a prngd/egd socket at a few
default places).

At OpenSSH build time, if the RNG isn't self-seeded configure
automatically builds "ssh-rand-helper", which is an external process
that runs around collecting entropy from various sources, mashing them
together and returning the result to whichever process ran it. This is
then used to seed OpenSSL's RNG, which then supplies the randomness
used for the ssh/sshd process.

At run time, the OpenSSH processes that need the RNG again check if
OpenSSL considers the RNG self-seeded. OpenSSL checks again, and if
it finds an entropy source it is used. If not, it tells OpenSSH that
it's not self-seeded and OpenSSH runs ssh-rand-helper (if it was built)
or fails with a "PRNG not seeded" error (if it wasn't). You can see
what it's doing by adding "-vvv" to an ssh command line.

Now in your case, you're always building ssh-rand-helper, so even if you
stop prngd, OpenSSH has a source of entropy. If you remove the
--with-rand-helper option from configure and rebuild OpenSSH then you
will probably get the behaviour you expect.

The other thing to bear in mind is that some of these things are
detected at build time *of both OpenSSL and OpenSSH* and some are also
dependent on the versions in question.

ssh-rand-helper also knows how to talk to prngd. Before OpenSSH
4.0p1, if configure found prngd at build time then ssh-rand-helper would
fail at run time if prngd wasn't running. From 4.0p1, it will fall back
to collecting entropy from commands in this case (you will usually see
an error from ssh in this case).

Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
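The seeding logic Darren describes, sketched as a small shell helper (an added example, not code from the mail or from OpenSSH; the device and prngd/egd socket paths are assumed defaults and are not stated in the thread): it reports whether the run-time check would find an entropy source or fall through to ssh-rand-helper, and whether a given set of configure options forces the helper to be built, as --with-rand-helper=prngd does.

```shell
#!/bin/sh
# Assumed default locations (not taken from the mail): OpenSSL/OpenSSH look
# for a kernel entropy device first, then for a prngd/egd socket.
DEFAULT_RNG_DEVICES="/dev/random /dev/urandom"
DEFAULT_PRNGD_SOCKETS="/var/run/egd-pool /dev/egd-pool /etc/entropy"

# Print the first candidate that is a character device; fail if none.
find_rng_device() {
    for dev in "$@"; do
        if [ -c "$dev" ]; then echo "$dev"; return 0; fi
    done
    return 1
}

# Print the first candidate that is a unix-domain socket; fail if none.
find_prngd_socket() {
    for sock in "$@"; do
        if [ -S "$sock" ]; then echo "$sock"; return 0; fi
    done
    return 1
}

# seed_status "<devices>" "<sockets>": what the run-time check concludes.
# Prints device:<path> or socket:<path> and returns 0 when OpenSSL can
# self-seed; prints rand-helper and returns 1 otherwise (then
# ssh-rand-helper must have been built, or ssh fails with "PRNG not seeded").
seed_status() {
    src=$(find_rng_device $1) && { echo "device:$src"; return 0; }
    src=$(find_prngd_socket $2) && { echo "socket:$src"; return 0; }
    echo "rand-helper"
    return 1
}

# rand_helper_forced <configure options...>: true when the options force
# ssh-rand-helper to be built regardless of detection. Any value other
# than "no" (e.g. --with-rand-helper=prngd) is treated as "yes".
rand_helper_forced() {
    forced=1
    for opt in "$@"; do
        case "$opt" in
            --with-rand-helper=no|--without-rand-helper) forced=1 ;;
            --with-rand-helper|--with-rand-helper=*) forced=0 ;;
        esac
    done
    return $forced
}

# Usage on the build host:
#   seed_status "$DEFAULT_RNG_DEVICES" "$DEFAULT_PRNGD_SOCKETS"
#   rand_helper_forced --with-prngd-port=708 --with-rand-helper=prngd && echo forced
```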