Community
Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Re: HP Secure Shell 3.61.001 still broken on non /dev/urandom systems

 
SOLVED
Go to solution
Armin Kunaschik
Esteemed Contributor

‎09-18-2003 07:23 AM

‎09-18-2003 07:23 AM

HP Secure Shell 3.61.001 still broken on non /dev/urandom systems

Hi there,

I just installed the new HP ssh 3.61.001 and had to find out that the
ssh_prng_cmds ist still broken.
HP: Your programmers are real funny people. They tried to fix the broken
file and they managed to fix 2 (letters two) lines:


"ls -alni /var/log" /usr/bin/ls 0.02
"ls -alni /var/adm" /usr/bin/ls 0.02
"ls -alni /var/log" @PROG_LS@ 0.02
"ls -alni /var/adm" @PROG_LS@ 0.02
..


These 2 lines are correct now... but all the others are still not.

So I'm asking again: Can you please fix this file so entropy is
generated on non /dev/urandom machines too?
Alternatively you can distribute the RNG patch for 11.00 and 11.22 too...
but I think the first thing is easier.

BTW: Why is there no RNG for 11.22 yet?

Some of the commands in the ssh_prng_cmds file are still not applicable
to HP-UX.. In case you need an exapmle I post my file here:


"ls -alni /var/log" undef 0.02
"ls -alni /var/adm" /bin/ls 0.02
"ls -alni /usr/adm" /bin/ls 0.02
"ls -alni /var/mail" /bin/ls 0.02
"ls -alni /usr/mail" /bin/ls 0.02
"ls -alni /var/adm/syslog" /bin/ls 0.02
"ls -alni /usr/adm/syslog" /bin/ls 0.02
"ls -alni /tmp" /bin/ls 0.02
"ls -alni /var/tmp" /bin/ls 0.02
"ls -alni /usr/tmp" /bin/ls 0.02

"netstat -an" /bin/netstat 0.05
"netstat -in" /bin/netstat 0.05
"netstat -rn" /bin/netstat 0.02
"netstat -p tcp" /bin/netstat 0.02
"netstat -s" /bin/netstat 0.02
"netstat -is" /bin/netstat 0.07

"arp -an" /usr/sbin/arp 0.02

"ps laxww" /bin/ps 0.03
"ps -al" /bin/ps 0.03
"ps -efl" /bin/ps 0.03

"w" /bin/w 0.05

"who -u" /bin/who 0.01

"last" /bin/last 0.01

# Dn't include df here... stale NFS will hang ssh then
#"df" /bin/df 0.01
#"df -i" /bin/df 0.01


"vmstat" /bin/vmstat 0.01
"uptime" /bin/uptime 0.01

"ipcs -a" /bin/ipcs 0.01

"tail -200 /var/adm/syslog/syslog.log" /bin/tail 0.01
"tail -200 /var/adm/syslog/mail.log" /bin/tail 0.01
"tail -200 /usr/tivoli/lcf/dat/1/lcfd.log" /bin/tail 0.01


There is a big chance to fix this in 3.7.1 without much trouble.
I think you have to release this version soon because of the security hole
in all versions prior to 3.7.
See also CERT?? Advisory CA-2003-24 Buffer Management Vulnerability in OpenSSH

Best regards,
Armin
And now for something completely different...
0 Kudos
Reply
1 REPLY 1
TEC-HP
Frequent Advisor

‎10-16-2003 07:40 PM

‎10-16-2003 07:40 PM

Solution

Re: HP Secure Shell 3.61.001 still broken on non /dev/urandom systems

Hi,

Experiencing the same problem on 11.00
PRNG seed extration failed
ssh-rand-helper child produced insufficient data
Adapted the ssh_prng_cmds as described above

Thnx a lot
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.