random message "PRNG is not seeded" - SSH

This is a discussion on random message "PRNG is not seeded" - SSH ; hi, I've got a very stange behavior on an embedded system running a Linux kernel 2.4.17 (I know it is quite old...). Previously openSSH 3.7.1p2 was installed and everything worked very well. Now I just upgraded to version 3.9p1 and ...

+ Reply to Thread
Results 1 to 7 of 7

Thread: random message "PRNG is not seeded"

  1. random message "PRNG is not seeded"

    hi,
    I've got a very stange behavior on an embedded system running a Linux
    kernel 2.4.17 (I know it is quite old...). Previously openSSH 3.7.1p2
    was installed and everything worked very well.
    Now I just upgraded to version 3.9p1 and I observed that randomly ssh
    connections to the system fail with error message : "PRNG is not
    seeded". I said randomly because it doesn't happen each time you try to
    connect to the system (no, too simple). In fact I realized there was a
    problem because there is a script running on the system that performes
    localhost connection to the system itself ('ssh account@localhost
    cmde'), and it goes again and again. Frequency is around 2 connections
    per second. And randomly one of those 120 connections per minute fail
    with this message "PRNG is not seeded" and really I don't understand
    what is happening !...
    I saw in openSSH source code that error message comes from entropy.c
    file consequence of bad return value from RAND_status function (openSSL
    lib). I though problem could come because openSSL version was quite old
    too (openSSL 0.9.7c) so I upgraded it to v.0.9.7.1i but no difference.
    What I cannot understand is why most of the time connections are
    successful and sometimes, randomly, one of them fails. Architecture is
    pentium 4 based and nothing special is running on the system when tests
    are performed...


  2. Re: random message "PRNG is not seeded"

    civodul.anonymous@laposte.net writes:

    >hi,
    >I've got a very stange behavior on an embedded system running a Linux
    >kernel 2.4.17 (I know it is quite old...). Previously openSSH 3.7.1p2
    >was installed and everything worked very well.
    >Now I just upgraded to version 3.9p1 and I observed that randomly ssh
    >connections to the system fail with error message : "PRNG is not
    >seeded". I said randomly because it doesn't happen each time you try to
    >connect to the system (no, too simple). In fact I realized there was a
    >problem because there is a script running on the system that performes
    >localhost connection to the system itself ('ssh account@localhost
    >cmde'), and it goes again and again. Frequency is around 2 connections
    >per second. And randomly one of those 120 connections per minute fail
    >with this message "PRNG is not seeded" and really I don't understand
    >what is happening !...


    On an embedded system there is in general very little "entropy : generated
    by the system. No mouse, no keyboard, no hard drive. IF the system uses
    just this entropy, and if the system does not stretch it out with a good
    cryptographic pseudo random number generator, then you WILL run out.
    All such systems should use /dev/urandom, but some people are idiots and
    have them use /dev/random instead.

    Why the hell would you be connecting to the system 2 per second. That just
    sounds insane. Fix that problem and try not to exhaust the ability of the
    system to generate randomness.

    >I saw in openSSH source code that error message comes from entropy.c
    >file consequence of bad return value from RAND_status function (openSSL
    >lib). I though problem could come because openSSL version was quite old
    >too (openSSL 0.9.7c) so I upgraded it to v.0.9.7.1i but no difference.
    >What I cannot understand is why most of the time connections are
    >successful and sometimes, randomly, one of them fails. Architecture is
    >pentium 4 based and nothing special is running on the system when tests
    >are performed...


    That is probably part of th eproblem. NOt enough randomness generated by
    the system.



  3. Re: random message "PRNG is not seeded"


    You can use the controlmaster/controlpath feature of OpenSSH to create a
    single long-lived SSH session, and use multiple channels within that one
    session session where you are using separate SSH connections now. That
    will address the depletion of the random bit source.

    --
    Richard Silverman
    res@qoxp.net


  4. Re: random message "PRNG is not seeded"

    On 2006-06-05, civodul.anonymous@laposte.net wrote:
    > I've got a very stange behavior on an embedded system running a Linux
    > kernel 2.4.17 (I know it is quite old...). Previously openSSH 3.7.1p2
    > was installed and everything worked very well.
    > Now I just upgraded to version 3.9p1 and I observed that randomly ssh
    > connections to the system fail with error message : "PRNG is not
    > seeded".


    This can happen any time OpenSSL can't provide enough entropy, but the
    reason you're probably seeing it more often is that from version 3.9,
    sshd re-execs itself after accepting each connection (this is because it
    makes certain types of exploit harder on some systems).

    A few things that you can try:

    1) make sure you have a /dev/urandom and that it's the correct major,
    minor and has the correct permissions:
    $ ls -l /dev/urandom
    cr--r--r-- 1 root root 1, 9 May 24 03:48 /dev/urandom

    You might want to check /dev/random too.

    2) If you don't have those devices and are using ssh-rand-helper, then
    try 4.3p2 instead of 3.9p2 (as the former passes the random seed to
    the child during the re-exec, and thus sshd needs to reseed itself much
    less frequently.

    2) Try disabling the re-exec code (add the "-r" flag to sshd's command
    line).

    --
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.

  5. Re: random message "PRNG is not seeded"

    Many thanks, your advises were very helpful to me.
    Actually our system do have /dev/random and /dev/urandom devices
    installed. In a previous release, we were running an old 2.4.1 linux
    kernel and everything was ok, even with openSSH 3.9. It seems we broke
    something in /dev/urandom in 2.4.17 (...).

    Thanks and regards.


    Darren Tucker a écrit :

    > On 2006-06-05, civodul.anonymous@laposte.net wrote:
    > > I've got a very stange behavior on an embedded system running a Linux
    > > kernel 2.4.17 (I know it is quite old...). Previously openSSH 3.7.1p2
    > > was installed and everything worked very well.
    > > Now I just upgraded to version 3.9p1 and I observed that randomly ssh
    > > connections to the system fail with error message : "PRNG is not
    > > seeded".

    >
    > This can happen any time OpenSSL can't provide enough entropy, but the
    > reason you're probably seeing it more often is that from version 3.9,
    > sshd re-execs itself after accepting each connection (this is because it
    > makes certain types of exploit harder on some systems).
    >
    > A few things that you can try:
    >
    > 1) make sure you have a /dev/urandom and that it's the correct major,
    > minor and has the correct permissions:
    > $ ls -l /dev/urandom
    > cr--r--r-- 1 root root 1, 9 May 24 03:48 /dev/urandom
    >
    > You might want to check /dev/random too.
    >
    > 2) If you don't have those devices and are using ssh-rand-helper, then
    > try 4.3p2 instead of 3.9p2 (as the former passes the random seed to
    > the child during the re-exec, and thus sshd needs to reseed itself much
    > less frequently.
    >
    > 2) Try disabling the re-exec code (add the "-r" flag to sshd's command
    > line).
    >
    > --
    > Darren Tucker (dtucker at zip.com.au)
    > GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    > Good judgement comes with experience. Unfortunately, the experience
    > usually comes from bad judgement.



  6. Re: random message "PRNG is not seeded"


    wrote in message
    news:1149521645.407310.56320@j55g2000cwa.googlegro ups.com...
    > hi,
    > I've got a very stange behavior on an embedded system running a Linux
    > kernel 2.4.17 (I know it is quite old...). Previously openSSH 3.7.1p2
    > was installed and everything worked very well.


    Why aren't you updating to 2.4.20 or later? Even if you're using an old
    retired RedHat release, the Fedora Legacy project has published 2.4.20.



  7. Re: random message "PRNG is not seeded"


    Nico Kadel-Garcia a écrit :

    > wrote in message
    > news:1149521645.407310.56320@j55g2000cwa.googlegro ups.com...
    > > hi,
    > > I've got a very stange behavior on an embedded system running a Linux
    > > kernel 2.4.17 (I know it is quite old...). Previously openSSH 3.7.1p2
    > > was installed and everything worked very well.

    >
    > Why aren't you updating to 2.4.20 or later? Even if you're using an old
    > retired RedHat release, the Fedora Legacy project has published 2.4.20.



    Just because everybody doesn't live in the happy world of "state of the
    art" systems ...
    When you design and maintain a system customized for a specific
    hardware, sometimes you are facing cruel reality of cost development
    and have to deal with ROI.


+ Reply to Thread