From d32174835999ada6f2586dc33494d7959329c96e Mon Sep 17 00:00:00 2001 From: Jan F Date: Sun, 27 Mar 2011 21:57:14 +0200 Subject: [PATCH] improve reseeding and seed source (documentation) --- openssh-5.8p1-entropy2.patch | 126 +++++++++++++++++++++++++++++++++++ openssh-5.8p1-reseed2.patch | 15 +++++ 2 files changed, 141 insertions(+) create mode 100644 openssh-5.8p1-entropy2.patch create mode 100644 openssh-5.8p1-reseed2.patch diff --git a/openssh-5.8p1-entropy2.patch b/openssh-5.8p1-entropy2.patch new file mode 100644 index 0000000..99d6bf7 --- /dev/null +++ b/openssh-5.8p1-entropy2.patch 
@@ -0,0 +1,126 @@ +diff -up openssh-5.8p1/ssh.1.entropy2 openssh-5.8p1/ssh.1 +--- openssh-5.8p1/ssh.1.entropy2 2010-11-20 05:21:03.000000000 +0100 ++++ openssh-5.8p1/ssh.1 2011-03-27 21:42:48.945797624 +0200 +@@ -1250,6 +1250,15 @@ For more information, see the + .Cm PermitUserEnvironment + option in + .Xr sshd_config 5 . ++.It Ev SSH_USE_STRONG_RNG ++The reseeding of the OpenSSL random generator is usually done from ++.Cm /dev/urandom . ++If the ++.Cm SSH_USE_STRONG_RNG ++is set to ++.Cm 1 , ++the OpenSSL random generator is reseed from ++.Cm /dev/random . + .Sh FILES + .Bl -tag -width Ds -compact + .It Pa ~/.rhosts +diff -up openssh-5.8p1/ssh-add.1.entropy2 openssh-5.8p1/ssh-add.1 +--- openssh-5.8p1/ssh-add.1.entropy2 2010-11-05 00:20:14.000000000 +0100 ++++ openssh-5.8p1/ssh-add.1 2011-03-27 21:42:49.001659247 +0200 +@@ -157,6 +157,15 @@ to make this work.) + Identifies the path of a + .Ux Ns -domain + socket used to communicate with the agent. ++.It Ev SSH_USE_STRONG_RNG ++The reseeding of the OpenSSL random generator is usually done from ++.Cm /dev/urandom . ++If the ++.Cm SSH_USE_STRONG_RNG ++is set to ++.Cm 1 , ++the OpenSSL random generator is reseed from ++.Cm /dev/random . + .El + .Sh FILES + .Bl -tag -width Ds +diff -up openssh-5.8p1/ssh-agent.1.entropy2 openssh-5.8p1/ssh-agent.1 +--- openssh-5.8p1/ssh-agent.1.entropy2 2010-12-01 01:50:35.000000000 +0100 ++++ openssh-5.8p1/ssh-agent.1 2011-03-27 21:42:49.056648910 +0200 +@@ -198,6 +198,18 @@ sockets used to contain the connection t + These sockets should only be readable by the owner. + The sockets should get automatically removed when the agent exits. + .El ++.Sh ENVIRONMENT ++.Bl -tag -width Ds -compact ++.Pp ++.It Pa SSH_USE_STRONG_RNG ++The reseeding of the OpenSSL random generator is usually done from ++.Cm /dev/urandom . ++If the ++.Cm SSH_USE_STRONG_RNG ++is set to ++.Cm 1 , ++the OpenSSL random generator is reseed from ++.Cm /dev/random . 
+ .Sh SEE ALSO + .Xr ssh 1 , + .Xr ssh-add 1 , +diff -up openssh-5.8p1/sshd.8.entropy2 openssh-5.8p1/sshd.8 +--- openssh-5.8p1/sshd.8.entropy2 2010-11-05 00:20:14.000000000 +0100 ++++ openssh-5.8p1/sshd.8 2011-03-27 21:42:49.121648754 +0200 +@@ -937,6 +937,18 @@ concurrently for different ports, this c + started last). + The content of this file is not sensitive; it can be world-readable. + .El ++.Sh ENVIRONMENT ++.Bl -tag -width Ds -compact ++.Pp ++.It Pa SSH_USE_STRONG_RNG ++The reseeding of the OpenSSL random generator is usually done from ++.Cm /dev/urandom . ++If the ++.Cm SSH_USE_STRONG_RNG ++is set to ++.Cm 1 , ++the OpenSSL random generator is reseed from ++.Cm /dev/random . + .Sh SEE ALSO + .Xr scp 1 , + .Xr sftp 1 , +diff -up openssh-5.8p1/ssh-keygen.1.entropy2 openssh-5.8p1/ssh-keygen.1 +--- openssh-5.8p1/ssh-keygen.1.entropy2 2010-11-05 00:20:14.000000000 +0100 ++++ openssh-5.8p1/ssh-keygen.1 2011-03-27 21:42:49.178648710 +0200 +@@ -655,6 +655,18 @@ Contains Diffie-Hellman groups used for + The file format is described in + .Xr moduli 5 . + .El ++.Sh ENVIRONMENT ++.Bl -tag -width Ds -compact ++.Pp ++.It Pa SSH_USE_STRONG_RNG ++The reseeding of the OpenSSL random generator is usually done from ++.Cm /dev/urandom . ++If the ++.Cm SSH_USE_STRONG_RNG ++is set to ++.Cm 1 , ++the OpenSSL random generator is reseed from ++.Cm /dev/random . + .Sh SEE ALSO + .Xr ssh 1 , + .Xr ssh-add 1 , +diff -up openssh-5.8p1/ssh-keysign.8.entropy2 openssh-5.8p1/ssh-keysign.8 +--- openssh-5.8p1/ssh-keysign.8.entropy2 2010-08-31 14:41:14.000000000 +0200 ++++ openssh-5.8p1/ssh-keysign.8 2011-03-27 21:43:47.960677527 +0200 +@@ -78,6 +78,18 @@ must be set-uid root if host-based authe + If these files exist they are assumed to contain public certificate + information corresponding with the private keys above. 
+ .El ++.Sh ENVIRONMENT ++.Bl -tag -width Ds -compact ++.Pp ++.It Pa SSH_USE_STRONG_RNG ++The reseeding of the OpenSSL random generator is usually done from ++.Cm /dev/urandom . ++If the ++.Cm SSH_USE_STRONG_RNG ++is set to ++.Cm 1 , ++the OpenSSL random generator is reseed from ++.Cm /dev/random . + .Sh SEE ALSO + .Xr ssh 1 , + .Xr ssh-keygen 1 , diff --git a/openssh-5.8p1-reseed2.patch b/openssh-5.8p1-reseed2.patch new file mode 100644 index 0000000..5b5d53c --- /dev/null +++ b/openssh-5.8p1-reseed2.patch @@ -0,0 +1,15 @@ +diff -up openssh-5.8p1/sshd_config.5.reseed2 openssh-5.8p1/sshd_config.5 +--- openssh-5.8p1/sshd_config.5.reseed2 2011-03-27 19:51:00.881648385 +0200 ++++ openssh-5.8p1/sshd_config.5 2011-03-27 20:01:31.608759007 +0200 +@@ -618,7 +618,10 @@ The default is + .Dq diffie-hellman-group14-sha1 , + .Dq diffie-hellman-group1-sha1 . + .It Cm KeyRegenerationInterval +-In protocol version 1, the ephemeral server key is automatically regenerated ++The time interval between the OpenSSL random generator reseedings. The generator is reseeded ++to prevent the possibility of estimation the next random values. The rancom generator ++is not reseeded in the case, that there are no connections. ++Additionally in protocol version 1, the ephemeral server key is automatically regenerated + after this many seconds (if it has been used). + The purpose of regeneration is to prevent + decrypting captured sessions by later breaking into the machine and
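Review bot: In the ssh.1 and ssh-add.1 hunks, the new `.It Ev SSH_USE_STRONG_RNG` entry reads "the OpenSSL random generator is reseed from"; that should be "is reseeded from". The entry documents only the value `1`: say what any other value does, and state the cost of selecting `/dev/random` (for example, whether the read can block while the kernel pool is low) so an administrator can decide whether to set it for a long-running process.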
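Review bot: The new ENVIRONMENT sections in the ssh-agent.1, sshd.8, ssh-keygen.1 and ssh-keysign.8 hunks open a list with `.Bl -tag -width Ds -compact` and never close it: the last added line, `.Cm /dev/random .`, is followed directly by the context line `.Sh SEE ALSO`, so an `.El` is missing in all four. The `.Pp` between `.Bl` and the first `.It` serves no purpose and should be dropped, and `.It Pa SSH_USE_STRONG_RNG` should be `.It Ev SSH_USE_STRONG_RNG` as in the ssh.1 and ssh-add.1 hunks, because this is an environment variable and not a path. The "is reseed from" wording needs the same correction to "is reseeded from" here.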
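Review bot: In the sshd_config.5 hunk, the text added under `KeyRegenerationInterval` has typos and unclear phrasing: "rancom generator" should be "random generator", "the possibility of estimation the next random values" would read better as "prediction of the next random values", and "in the case, that there are no connections" as "when there are no connections". The first added sentence gives the interval no unit; the only unit is "after this many seconds" in the protocol version 1 sentence that follows, so state "in seconds" up front. Because the option name and the remaining text describe server key regeneration, the entry should also say explicitly that the same value controls reseeding independent of protocol version, and refer to `SSH_USE_STRONG_RNG` for the choice of seed source.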