improve reseeding and seed source (cocumentation)

This commit is contained in:
Jan F 2011-03-28 16:19:03 +02:00
parent 16e9e62026
commit 91d3b39c03
4 changed files with 1 additions and 74 deletions

View File

@ -25,7 +25,7 @@ diff -up openssh-5.8p1/HOWTO.ssh-keycat.keycat openssh-5.8p1/HOWTO.ssh-keycat
+polyinstantiation of home directories and SELinux MLS policy enabled.
+
+To use ssh-keycat, set these options in /etc/ssh/sshd_config file:
+ AuthorizedKeysCommand "/usr/libexec/openssh/ssh-keycat"
+ AuthorizedKeysCommand /usr/libexec/openssh/ssh-keycat
+ AuthorizedKeysCommandRunAs root
+
+Do not forget to enable public key authentication:

View File

@ -1,53 +0,0 @@
diff -up openssh-5.8p1/sshd.c.reseed openssh-5.8p1/sshd.c
--- openssh-5.8p1/sshd.c.reseed 2011-03-16 15:48:47.870648161 +0100
+++ openssh-5.8p1/sshd.c 2011-03-16 18:55:52.998648933 +0100
@@ -225,6 +225,8 @@ static volatile sig_atomic_t key_do_rege
static volatile sig_atomic_t received_sighup = 0;
static volatile sig_atomic_t received_sigterm = 0;
+static volatile int need_reseed = 0;
+
/* session identifier, used by RSA-auth */
u_char session_id[16];
@@ -396,6 +398,9 @@ generate_ephemeral_server_key(void)
arc4random_stir();
}
+/*
+ * Signal handler for the alarm in the accept loop.
+ */
/*ARGSUSED*/
static void
key_regeneration_alarm(int sig)
@@ -405,6 +410,7 @@ key_regeneration_alarm(int sig)
signal(SIGALRM, SIG_DFL);
errno = save_errno;
key_do_regen = 1;
+ need_reseed = 1;
}
static void
@@ -1277,6 +1285,13 @@ server_accept_loop(int *sock_in, int *so
* the child process the connection. The
* parent continues listening.
*/
+ if (need_reseed) {
+ seed_rng();
+ logit("random reseeded");
+ need_reseed = 0;
+ signal(SIGALRM, key_regeneration_alarm);
+ alarm(options.key_regeneration_time);
+ }
platform_pre_fork();
if ((pid = fork()) == 0) {
/*
@@ -1836,6 +1852,8 @@ main(int ac, char **av)
signal(SIGCHLD, main_sigchld_handler);
signal(SIGTERM, sigterm_handler);
signal(SIGQUIT, sigterm_handler);
+ signal(SIGALRM, key_regeneration_alarm);
+ alarm(options.key_regeneration_time);
/*
* Write out the pid file after the sigterm handler

View File

@ -1,15 +0,0 @@
diff -up openssh-5.8p1/sshd_config.5.reseed2 openssh-5.8p1/sshd_config.5
--- openssh-5.8p1/sshd_config.5.reseed2 2011-03-27 19:51:00.881648385 +0200
+++ openssh-5.8p1/sshd_config.5 2011-03-27 20:01:31.608759007 +0200
@@ -618,7 +618,10 @@ The default is
.Dq diffie-hellman-group14-sha1 ,
.Dq diffie-hellman-group1-sha1 .
.It Cm KeyRegenerationInterval
-In protocol version 1, the ephemeral server key is automatically regenerated
+The time interval between the OpenSSL random generator reseedings. The generator is reseeded
+to prevent the possibility of estimation the next random values. The rancom generator
+is not reseeded in the case, that there are no connections.
+Additionally in protocol version 1, the ephemeral server key is automatically regenerated
after this many seconds (if it has been used).
The purpose of regeneration is to prevent
decrypting captured sessions by later breaking into the machine and

View File

@ -115,9 +115,6 @@ Patch104: openssh-5.8p1-audit4a.patch
Patch5: openssh-5.8p1-audit5.patch
Patch105: openssh-5.8p1-audit5a.patch
#?
Patch6: openssh-5.8p1-reseed.patch
Patch106: openssh-5.8p1-reseed2.patch
#?
Patch7: openssh-5.8p1-entropy.patch
Patch107: openssh-5.8p1-entropy2.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1640 (WONTFIX)
@ -340,8 +337,6 @@ The module is most useful for su and sudo service stacks.
%patch104 -p1 -b .audit4a
%patch5 -p1 -b .audit5
%patch105 -p1 -b .audit5a
%patch6 -p1 -b .reseed
%patch106 -p1 -b .reseed2
%patch7 -p1 -b .entropy
%patch107 -p1 -b .entropy2
%patch9 -p1 -b .vendor