improve reseeding and seed source (documentation)
parent
16e9e62026
commit
91d3b39c03
@ -25,7 +25,7 @@ diff -up openssh-5.8p1/HOWTO.ssh-keycat.keycat openssh-5.8p1/HOWTO.ssh-keycat
|
|||||||
+polyinstantiation of home directories and SELinux MLS policy enabled.
|
+polyinstantiation of home directories and SELinux MLS policy enabled.
|
||||||
+
|
+
|
||||||
+To use ssh-keycat, set these options in /etc/ssh/sshd_config file:
|
+To use ssh-keycat, set these options in /etc/ssh/sshd_config file:
|
||||||
+ AuthorizedKeysCommand "/usr/libexec/openssh/ssh-keycat"
|
+ AuthorizedKeysCommand /usr/libexec/openssh/ssh-keycat
|
||||||
+ AuthorizedKeysCommandRunAs root
|
+ AuthorizedKeysCommandRunAs root
|
||||||
+
|
+
|
||||||
+Do not forget to enable public key authentication:
|
+Do not forget to enable public key authentication:
|
||||||
|
@ -1,53 +0,0 @@
|
|||||||
diff -up openssh-5.8p1/sshd.c.reseed openssh-5.8p1/sshd.c
|
|
||||||
--- openssh-5.8p1/sshd.c.reseed 2011-03-16 15:48:47.870648161 +0100
|
|
||||||
+++ openssh-5.8p1/sshd.c 2011-03-16 18:55:52.998648933 +0100
|
|
||||||
@@ -225,6 +225,8 @@ static volatile sig_atomic_t key_do_rege
|
|
||||||
static volatile sig_atomic_t received_sighup = 0;
|
|
||||||
static volatile sig_atomic_t received_sigterm = 0;
|
|
||||||
|
|
||||||
+static volatile int need_reseed = 0;
|
|
||||||
+
|
|
||||||
/* session identifier, used by RSA-auth */
|
|
||||||
u_char session_id[16];
|
|
||||||
|
|
||||||
@@ -396,6 +398,9 @@ generate_ephemeral_server_key(void)
|
|
||||||
arc4random_stir();
|
|
||||||
}
|
|
||||||
|
|
||||||
+/*
|
|
||||||
+ * Signal handler for the alarm in the accept loop.
|
|
||||||
+ */
|
|
||||||
/*ARGSUSED*/
|
|
||||||
static void
|
|
||||||
key_regeneration_alarm(int sig)
|
|
||||||
@@ -405,6 +410,7 @@ key_regeneration_alarm(int sig)
|
|
||||||
signal(SIGALRM, SIG_DFL);
|
|
||||||
errno = save_errno;
|
|
||||||
key_do_regen = 1;
|
|
||||||
+ need_reseed = 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
static void
|
|
||||||
@@ -1277,6 +1285,13 @@ server_accept_loop(int *sock_in, int *so
|
|
||||||
* the child process the connection. The
|
|
||||||
* parent continues listening.
|
|
||||||
*/
|
|
||||||
+ if (need_reseed) {
|
|
||||||
+ seed_rng();
|
|
||||||
+ logit("random reseeded");
|
|
||||||
+ need_reseed = 0;
|
|
||||||
+ signal(SIGALRM, key_regeneration_alarm);
|
|
||||||
+ alarm(options.key_regeneration_time);
|
|
||||||
+ }
|
|
||||||
platform_pre_fork();
|
|
||||||
if ((pid = fork()) == 0) {
|
|
||||||
/*
|
|
||||||
@@ -1836,6 +1852,8 @@ main(int ac, char **av)
|
|
||||||
signal(SIGCHLD, main_sigchld_handler);
|
|
||||||
signal(SIGTERM, sigterm_handler);
|
|
||||||
signal(SIGQUIT, sigterm_handler);
|
|
||||||
+ signal(SIGALRM, key_regeneration_alarm);
|
|
||||||
+ alarm(options.key_regeneration_time);
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Write out the pid file after the sigterm handler
|
|
@ -1,15 +0,0 @@
|
|||||||
diff -up openssh-5.8p1/sshd_config.5.reseed2 openssh-5.8p1/sshd_config.5
|
|
||||||
--- openssh-5.8p1/sshd_config.5.reseed2 2011-03-27 19:51:00.881648385 +0200
|
|
||||||
+++ openssh-5.8p1/sshd_config.5 2011-03-27 20:01:31.608759007 +0200
|
|
||||||
@@ -618,7 +618,10 @@ The default is
|
|
||||||
.Dq diffie-hellman-group14-sha1 ,
|
|
||||||
.Dq diffie-hellman-group1-sha1 .
|
|
||||||
.It Cm KeyRegenerationInterval
|
|
||||||
-In protocol version 1, the ephemeral server key is automatically regenerated
|
|
||||||
+The time interval between the OpenSSL random generator reseedings. The generator is reseeded
|
|
||||||
+to prevent the possibility of estimation the next random values. The rancom generator
|
|
||||||
+is not reseeded in the case, that there are no connections.
|
|
||||||
+Additionally in protocol version 1, the ephemeral server key is automatically regenerated
|
|
||||||
after this many seconds (if it has been used).
|
|
||||||
The purpose of regeneration is to prevent
|
|
||||||
decrypting captured sessions by later breaking into the machine and
|
|
@ -115,9 +115,6 @@ Patch104: openssh-5.8p1-audit4a.patch
|
|||||||
Patch5: openssh-5.8p1-audit5.patch
|
Patch5: openssh-5.8p1-audit5.patch
|
||||||
Patch105: openssh-5.8p1-audit5a.patch
|
Patch105: openssh-5.8p1-audit5a.patch
|
||||||
#?
|
#?
|
||||||
Patch6: openssh-5.8p1-reseed.patch
|
|
||||||
Patch106: openssh-5.8p1-reseed2.patch
|
|
||||||
#?
|
|
||||||
Patch7: openssh-5.8p1-entropy.patch
|
Patch7: openssh-5.8p1-entropy.patch
|
||||||
Patch107: openssh-5.8p1-entropy2.patch
|
Patch107: openssh-5.8p1-entropy2.patch
|
||||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1640 (WONTFIX)
|
#https://bugzilla.mindrot.org/show_bug.cgi?id=1640 (WONTFIX)
|
||||||
@ -340,8 +337,6 @@ The module is most useful for su and sudo service stacks.
|
|||||||
%patch104 -p1 -b .audit4a
|
%patch104 -p1 -b .audit4a
|
||||||
%patch5 -p1 -b .audit5
|
%patch5 -p1 -b .audit5
|
||||||
%patch105 -p1 -b .audit5a
|
%patch105 -p1 -b .audit5a
|
||||||
%patch6 -p1 -b .reseed
|
|
||||||
%patch106 -p1 -b .reseed2
|
|
||||||
%patch7 -p1 -b .entropy
|
%patch7 -p1 -b .entropy
|
||||||
%patch107 -p1 -b .entropy2
|
%patch107 -p1 -b .entropy2
|
||||||
%patch9 -p1 -b .vendor
|
%patch9 -p1 -b .vendor
|
||||||
|