- (djm) Random number collection doc fixes from Ben

2002-04-14 23:16:04 +10:00 · 2002-04-14 23:16:04 +10:00 · 49411ff8a7
parent 32e4818015
commit 49411ff8a7
3 changed files with 27 additions and 17 deletions
--- a/3
+++ b/3
@ -3,6 +3,7 @@
   - Add commandline debugging options
   - Don't write binary data if stdout is a tty (use hex instead)
   - Give it a manpage
+ - (djm) Random number collection doc fixes from Ben

 20020413
 - (djm) Add KrbV support patch from Simon Wilkinson <simon@sxw.org.uk>
@ -8240,4 +8241,4 @@
 - Wrote replacements for strlcpy and mkdtemp
 - Released 1.0pre1

-$Id: ChangeLog,v 1.2052 2002/04/14 09:27:12 djm Exp $
+$Id: ChangeLog,v 1.2053 2002/04/14 13:16:04 djm Exp $
--- a/6
+++ b/6
@ -108,10 +108,6 @@ different name.
 need a working installation of GNOME, including the development
 headers, for this to work.

--with-random=/some/file allows you to specify an alternate source of
-random numbers (the default is /dev/urandom). Unless you are absolutely
-sure of what you are doing, it is best to leave this alone.
-
 --with-prngd-socket=/some/file allows you to enable EGD or PRNGD 
 support and to specify a PRNGd socket. Use this if your Unix lacks 
 /dev/random and you don't want to use OpenSSH's builtin entropy 
@ -222,4 +218,4 @@ Please refer to the "reporting bugs" section of the webpage at
 http://www.openssh.com/


-$Id: INSTALL,v 1.50 2002/04/05 16:11:46 mouring Exp $
+$Id: INSTALL,v 1.51 2002/04/14 13:16:05 djm Exp $
--- a/WARNING.RNG
+++ b/WARNING.RNG
@ -28,8 +28,12 @@ On to the description...
 The portable OpenSSH contains random number collection support for
 systems which lack a kernel entropy pool (/dev/random).

-This collector operates by executing the programs listed in
-($etcdir)/ssh_prng_cmds, reading their output and adding it to the
+This collector (as of 3.1 and beyond) comes as an external application
+that allows the local admin to decide on how to implement entropy
+collection.
+
+The default entropy collector operates by executing the programs listed
+in ($etcdir)/ssh_prng_cmds, reading their output and adding it to the
 PRNG supplied by OpenSSL (which is hash-based). It also stirs in the
 output of several system calls and timings from the execution of the
 programs that it runs.
@ -43,7 +47,7 @@ The random number code will also read and save a seed file to
 number generator at startup. The goal here is to maintain as much 
 randomness between sessions as possible.

-The entropy collection code has two main problems:
+The default entropy collection code has two main problems:

 1. It is slow.

@ -51,14 +55,13 @@ Executing each program in the list can take a large amount of time,
 especially on slower machines. Additionally some program can take a   
 disproportionate time to execute.                                     

-This can be tuned by the administrator. To debug the entropy
-collection is great detail, turn on full debugging ("ssh -v -v -v" or
-"sshd -d -d -d"). This will list each program as it is executed, how
-long it took to execute, its exit status and whether and how much data
-it generated. You can the find the culprit programs which are causing
-the real slow-downs.
+Tuning the default entropy collection code is difficult at this point.
+It requires doing 'times ./ssh-rand-helper'  and modifying the
+($etcdir)/ssh_prng_cmds until you have found the issue.  In the next
+release we will be looking at support '-v' for verbose output to allow
+easier debugging.

-The entropy collector will timeout programs which take too long
+The default entropy collector will timeout programs which take too long
 to execute, the actual timeout used can be adjusted with the
 --with-entropy-timeout configure option. OpenSSH will not try to
 re-execute programs which have not been found, have had a non-zero
@ -79,5 +82,15 @@ up and various other factors.
 To make matters even more complex, some of the commands are reporting
 largely the same data as other commands (eg. the various "ps" calls).

-$Id: WARNING.RNG,v 1.4 2001/02/09 01:55:36 djm Exp $

+How to avoid the default entropy code?
+
+The best way is to read the OpenSSL documentation and recompile OpenSSL
+to use prngd or egd.  Some platforms (like earily solaris) have 3rd
+party /dev/random devices that can be also used for this task.
+
+If you are forced to use ssh-rand-helper consider still downloading
+prngd/egd and configure OpenSSH using --with-prngd-port=xx or
+--with-prngd-socket=xx (refer to INSTALL for more information).
+
+$Id: WARNING.RNG,v 1.5 2002/04/14 13:16:05 djm Exp $