topic Re: /dev/random & SSH in Operating System - HP-UX

/dev/random & SSH

Chris Wong — Thu, 06 Feb 2003 17:09:20 GMT

Hi,
I've written up a short paper on using /dev/random with SSH. (Installing, performance & security). I'm interested in feedback regarding the article and especially any experiences other have had in using /dev/random in a production environment (with or without SSH).

http://newfdawg.com/SSHpart5.htm

TIA.
- Chris

Re: /dev/random & SSH

H.Merijn Brand (procura — Thu, 06 Feb 2003 17:16:55 GMT

This is exactly what we are looking for, BUT

It's for 11i only, and we need it for 11.00. Do you have solutions for 11.00 too? Please?

Enjoy, have FUN! H.Merijn

Re: /dev/random & SSH

Chris Wong — Thu, 06 Feb 2003 17:24:34 GMT

Maybe someone from HP can answer the question if/when /dev/random will be available for 11.0.

Otherwise... I'd say update-ux. :->

- Chris

Re: /dev/random & SSH

H.Merijn Brand (procura — Thu, 06 Feb 2003 17:41:33 GMT

*we* could, but *our customers* can't. They will have to use it too. :/

Enjoy, have FUN! H.Merijn

Re: /dev/random & SSH

Jdamian — Fri, 07 Feb 2003 09:16:48 GMT

I'm an HP-UX 11.00 administrator and I'm interested in getting /dev/random on my boxes.

I think HP is very dark in this kind of issues. I also think HP is slow for implementing easy solutions available yes in other Unix environments (as Linux). For instance, it is possible create /dev/zero in HP-UX 11.00 but I cannot find any man page where it is described.

Other issue may be internet security... HP startet support for OpenSSH but HP doesn't support PGP (other interesting security product)

Re: /dev/random & SSH

doug hosking — Fri, 07 Feb 2003 18:47:33 GMT

Sorry, but there are currently no plans to support /dev/random on 11.00.

As for /dev/zero, HP-UX 11.22 a.k.a 11i V1.6 does formally document /dev/zero at last.

Re: /dev/random & SSH

Roger Crettol — Mon, 10 Feb 2003 10:20:09 GMT

Damian,

I can't remember where I picked this up, but
making /dev/zero goes like this :

------------------------------
#!/bin/sh

# major/minor for HPUX 11.X
mknod /dev/zero c 3 4
chown bin:bin /dev/zero
chmod 666 /dev/zero
-------------------------------

Though I don't know what the results of writing to /dev/zero might be ... reading
from it works fine.

-rg-

Re: /dev/random & SSH

Berlene Herren — Tue, 18 Feb 2003 22:45:03 GMT

We do have it here for 11i, I do not know if it will work for 11.0

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=KRNG11I

Berlene

Re: /dev/random & SSH

doug hosking — Tue, 18 Feb 2003 23:28:08 GMT

Berlene, as released it will NOT work on 11.00. This has heavy dependencies on kernel internals and specific kernel patches that vary from release to release. The primary author of the code in question sat directly across the hall from me. Trust me. :-)

Re: /dev/random & SSH

Berlene Herren — Wed, 19 Feb 2003 12:45:25 GMT

Thanks, Doug, glad you said that. But it is there for 11i, and does not come with the native OS.

Berlene

Re: /dev/random & SSH

doug hosking — Wed, 19 Feb 2003 15:47:31 GMT

Sorry, I didn't mean to suggest it could never work on 11.00 with enough effort; just that the currently released bits don't work on 11.00 and that there are currently no plans to backport the code to 11.00.

Re: /dev/random & SSH

P.H. Vogt — Thu, 13 Mar 2003 09:10:54 GMT

Thanks for the install howto, but it seems not to describe the current KRNG11i package.

swlist shows
KRNG11i B.11.11.06 HP-UX 11.11 Strong Random Number Generator

However, no /dev/random or /dev/urandom

a lsdev -e 57 shows

Character Block Driver Class
57 1 dmp vxvm

Also no startup scripts in the package. Any idea how to get the /dev/random devices?

Re: /dev/random & SSH

H.Merijn Brand (procura — Thu, 13 Mar 2003 09:27:42 GMT

We've just installed egd.pl on 11.00, and with little changes to the software, that almost works as /dev/random

http://sourceforge.net/projects/egd/

Enjoy, have FUN! H.Merijn

Re: /dev/random & SSH

Mr Gorski — Thu, 13 Mar 2003 11:43:53 GMT

Is it possible to force OpenSSH binary distribution from software.hp.com to use /dev/random ?

Michal

Re: /dev/random & SSH

Tim Maletic — Thu, 13 Mar 2003 15:57:38 GMT

Chris: your paper looks great, but what I still don't understand is the exact relationship between openssh, openssl, and the entropy source.

Your paper says: "For HP-SSH to utilize the new RNG no configuration changes need to be made to SSH." That doesn't sound right to me. Openssh's configure script attempts to find your entropy sources, and if it cannot find one, it uses its own fallback internal source. Getting openssh to recognize a new source of entropy, like a newly created /dev/urandom, will require a rebuild, unless I'm missing something.

[...tim spends hour playing with this stuff...]

OK, here's what I think happens. Openssl will detect and use a newly created /dev/[u]random at run time, even if that entropy source didn't exist at build time. But Openssh decides whether or not to use its internal entropy source at build time.

So for example, I had PRNGD running when I built openssl (0.9.6g), and then openssh (3.5p1). Now I stop prngd, and remove its socket. Openssh now stops functioning (i.e., the client dies with "Entropy collection failed" message). I then create HP's new /dev/[u]random devices, and -- whamo! -- openssh starts working again.

I suspect this is because openssh was built to use openssl's entropy, and openssl is smart enough to find the new device at run time. But if openssh was built to use its own entropy source, it will never find /dev/[u]random without a rebuild.

So the question for HP is, what entropy source does HP's SSH product use? My guess is that they'll have to ship a new product to make use of the new /dev/[u]random devices.

-Tim

Re: /dev/random & SSH

Jeff Schussele — Thu, 13 Mar 2003 16:07:01 GMT

Hi Tim,

By default, I believe HP uses the ~openssh2/etc/ssh_prng_cmds file for it's source.
It's just a list of commands and bit rates to generate the entropy.

HTH,
Jeff

Re: /dev/random & SSH

Chris Wong — Thu, 13 Mar 2003 16:46:22 GMT

Once you install /dev/random, HP-SSH will start using it without making any changes. Check to make sure it is loaded:

# kmadmin -s
Name ID Status Type
=====================================================
krm 1 LOADED WSIO
rng 2 LOADED WSIO
#
If it's not loading, check /etc/rc.config.d/kminit and SAM/Kernel/Drivers and make sure rng is listed as a loadable module.

Re: /dev/random & SSH

Jeff Schussele — Thu, 13 Mar 2003 17:32:23 GMT

It should be noted that /dev/random is ONLY supported on 11i & higher.
It's not supported on 11.0 & lower.

My $0.02,
Jeff

Re: /dev/random & SSH

Chris Vail — Thu, 13 Mar 2003 17:50:17 GMT

That link is dead to me, but I'd like to read your paper. Can you email it to me: cvail "at" ercot dot com?

Thanks,
Chris

Re: /dev/random & SSH

Chris Wong — Thu, 13 Mar 2003 18:01:53 GMT

Tim,
I think you can figure out the entropy issue by looking at the files in:

/opt/ssh/src/ssh

According to the SSH O'Reilly book: SSH1 and SSH2 use a kernel-based randomness source if it is available, etc....

I think you only need to recompile if you wanted to use an add-on "randomness source", such as EGD, which is what you would need to do with 11.0.

- Chris