Re: HP Secure Shell 3.61.001 still broken on non /dev/urandom systems

HP Secure Shell 3.61.001 still broken on non /dev/urandom systems

Hi there,

I just installed the new HP ssh 3.61.001 and had to find out that the
ssh_prng_cmds is still broken.
HP: Your programmers are real funny people. They tried to fix the broken
file and they managed to fix 2 (letters two) lines:


"ls -alni /var/log" /usr/bin/ls 0.02
"ls -alni /var/adm" /usr/bin/ls 0.02
"ls -alni /var/log" @PROG_LS@ 0.02
"ls -alni /var/adm" @PROG_LS@ 0.02
..


These 2 lines are correct now... but all the others are still not.

So I'm asking again: Can you please fix this file so entropy is
generated on non /dev/urandom machines too?
Alternatively you can distribute the RNG patch for 11.00 and 11.22 too...
but I think the first thing is easier.

BTW: Why is there no RNG for 11.22 yet?

Some of the commands in the ssh_prng_cmds file are still not applicable
to HP-UX. In case you need an example I post my file here:


# Format: "command" program-path-or-undef estimated-entropy-bits-per-byte
"ls -alni /var/log" undef 0.02
"ls -alni /var/adm" /bin/ls 0.02
"ls -alni /usr/adm" /bin/ls 0.02
"ls -alni /var/mail" /bin/ls 0.02
"ls -alni /usr/mail" /bin/ls 0.02
"ls -alni /var/adm/syslog" /bin/ls 0.02
"ls -alni /usr/adm/syslog" /bin/ls 0.02
"ls -alni /tmp" /bin/ls 0.02
"ls -alni /var/tmp" /bin/ls 0.02
"ls -alni /usr/tmp" /bin/ls 0.02

"netstat -an" /bin/netstat 0.05
"netstat -in" /bin/netstat 0.05
"netstat -rn" /bin/netstat 0.02
"netstat -p tcp" /bin/netstat 0.02
"netstat -s" /bin/netstat 0.02
"netstat -is" /bin/netstat 0.07

"arp -an" /usr/sbin/arp 0.02

"ps laxww" /bin/ps 0.03
"ps -al" /bin/ps 0.03
"ps -efl" /bin/ps 0.03

"w" /bin/w 0.05

"who -u" /bin/who 0.01

"last" /bin/last 0.01

# Don't include df here... a stale NFS mount will hang ssh then
#"df" /bin/df 0.01
#"df -i" /bin/df 0.01

"vmstat" /bin/vmstat 0.01
"uptime" /bin/uptime 0.01

"ipcs -a" /bin/ipcs 0.01

"tail -200 /var/adm/syslog/syslog.log" /bin/tail 0.01
"tail -200 /var/adm/syslog/mail.log" /bin/tail 0.01
"tail -200 /usr/tivoli/lcf/dat/1/lcfd.log" /bin/tail 0.01


There is a big chance to fix this in 3.7.1 without much trouble.
I think you have to release this version soon because of the security hole
in all versions prior to 3.7.
See also CERT Advisory CA-2003-24 Buffer Management Vulnerability in OpenSSH

Best regards,
Armin
And now for something completely different...
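A small checker for the problem described in the post (unsubstituted @PROG_*@ placeholders and program paths that do not exist on the host, which leave ssh-rand-helper with too little seed data). This is an added example, not code from the original post, from HP or from OpenSSH; it assumes the three-field ssh_prng_cmds format shown above ("command", program path or undef, estimated entropy rate) and uses a constructed sample file.

```python
"""Check an ssh_prng_cmds file for entries ssh-rand-helper cannot run."""
import os
import re
import shlex
import sys

# Build-time placeholders that configure should have replaced with a path.
PLACEHOLDER = re.compile(r"^@PROG_[A-Z0-9_]+@$")

# Constructed sample (not a real file): mixes the kinds of lines seen above.
SAMPLE = '''\
# command   program-path-or-undef   entropy-bits-per-byte
"ls -alni /var/log" /usr/bin/ls 0.02
"ls -alni /var/adm" @PROG_LS@ 0.02
"ls -alni /tmp" undef 0.02
"netstat -an" /bin/netstat 0.05
"arp -an" /usr/sbin/arp 0.02
'''


def parse_prng_cmds(text):
    """Return (lineno, command, program, rate) tuples; skip blanks/comments."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # honours the quoted command field
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(parts)}")
        cmd, prog, rate = parts
        entries.append((lineno, cmd, prog, float(rate)))
    return entries


def check_prng_cmds(text, is_executable=None):
    """Return (lineno, program, reason) for every entry that yields no entropy.
    is_executable defaults to a real filesystem check; a predicate can be
    injected so results do not depend on the host the check runs on."""
    if is_executable is None:
        is_executable = lambda p: os.path.isfile(p) and os.access(p, os.X_OK)
    problems = []
    for lineno, _cmd, prog, _rate in parse_prng_cmds(text):
        if prog == "undef":
            problems.append((lineno, prog, "disabled (undef)"))
        elif PLACEHOLDER.match(prog):
            problems.append((lineno, prog, "unsubstituted build placeholder"))
        elif not is_executable(prog):
            problems.append((lineno, prog, "program not found or not executable"))
    return problems


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/opt/ssh/etc/ssh_prng_cmds"
    with open(path) as fh:
        for lineno, prog, reason in check_prng_cmds(fh.read()):
            print(f"{path}:{lineno}: {prog}: {reason}")
```

Run it as `python check_prng_cmds.py /opt/ssh/etc/ssh_prng_cmds` (the path is an assumption; use wherever HP Secure Shell keeps the file on the host).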

Re: HP Secure Shell 3.61.001 still broken on non /dev/urandom systems

Hi,

Experiencing the same problem on 11.00:
PRNG seed extraction failed
ssh-rand-helper child produced insufficient data
Adapted the ssh_prng_cmds as described above.

Thanks a lot