improve reseeding and seed source (cocumentation)

2011-03-27 21:57:14 +02:00 · 2011-03-27 21:57:14 +02:00 · d321748359
commit d321748359
parent e6d33e3bc4
2 changed files with 141 additions and 0 deletions
--- a/openssh-5.8p1-entropy2.patch
+++ b/openssh-5.8p1-entropy2.patch
@ -0,0 +1,126 @@
+diff -up openssh-5.8p1/ssh.1.entropy2 openssh-5.8p1/ssh.1
+--- openssh-5.8p1/ssh.1.entropy2	2010-11-20 05:21:03.000000000 +0100
+++ openssh-5.8p1/ssh.1	2011-03-27 21:42:48.945797624 +0200
+@@ -1250,6 +1250,15 @@ For more information, see the
+ .Cm PermitUserEnvironment
+ option in
+ .Xr sshd_config 5 .
+.It Ev SSH_USE_STRONG_RNG
+The reseeding of the OpenSSL random generator is usually done from
+.Cm /dev/urandom .
+If the 
+.Cm SSH_USE_STRONG_RNG
+is set to
+.Cm 1 ,
+the OpenSSL random generator is reseed from
+.Cm /dev/random .
+ .Sh FILES
+ .Bl -tag -width Ds -compact
+ .It Pa ~/.rhosts
+diff -up openssh-5.8p1/ssh-add.1.entropy2 openssh-5.8p1/ssh-add.1
+--- openssh-5.8p1/ssh-add.1.entropy2	2010-11-05 00:20:14.000000000 +0100
+++ openssh-5.8p1/ssh-add.1	2011-03-27 21:42:49.001659247 +0200
+@@ -157,6 +157,15 @@ to make this work.)
+ Identifies the path of a
+ .Ux Ns -domain
+ socket used to communicate with the agent.
+.It Ev SSH_USE_STRONG_RNG
+The reseeding of the OpenSSL random generator is usually done from
+.Cm /dev/urandom .
+If the 
+.Cm SSH_USE_STRONG_RNG
+is set to
+.Cm 1 ,
+the OpenSSL random generator is reseed from
+.Cm /dev/random .
+ .El
+ .Sh FILES
+ .Bl -tag -width Ds
+diff -up openssh-5.8p1/ssh-agent.1.entropy2 openssh-5.8p1/ssh-agent.1
+--- openssh-5.8p1/ssh-agent.1.entropy2	2010-12-01 01:50:35.000000000 +0100
+++ openssh-5.8p1/ssh-agent.1	2011-03-27 21:42:49.056648910 +0200
+@@ -198,6 +198,18 @@ sockets used to contain the connection t
+ These sockets should only be readable by the owner.
+ The sockets should get automatically removed when the agent exits.
+ .El
+.Sh ENVIRONMENT
+.Bl -tag -width Ds -compact
+.Pp
+.It Pa SSH_USE_STRONG_RNG
+The reseeding of the OpenSSL random generator is usually done from
+.Cm /dev/urandom .
+If the 
+.Cm SSH_USE_STRONG_RNG
+is set to
+.Cm 1 ,
+the OpenSSL random generator is reseed from
+.Cm /dev/random .
+ .Sh SEE ALSO
+ .Xr ssh 1 ,
+ .Xr ssh-add 1 ,
+diff -up openssh-5.8p1/sshd.8.entropy2 openssh-5.8p1/sshd.8
+--- openssh-5.8p1/sshd.8.entropy2	2010-11-05 00:20:14.000000000 +0100
+++ openssh-5.8p1/sshd.8	2011-03-27 21:42:49.121648754 +0200
+@@ -937,6 +937,18 @@ concurrently for different ports, this c
+ started last).
+ The content of this file is not sensitive; it can be world-readable.
+ .El
+.Sh ENVIRONMENT
+.Bl -tag -width Ds -compact
+.Pp
+.It Pa SSH_USE_STRONG_RNG
+The reseeding of the OpenSSL random generator is usually done from
+.Cm /dev/urandom .
+If the 
+.Cm SSH_USE_STRONG_RNG
+is set to
+.Cm 1 ,
+the OpenSSL random generator is reseed from
+.Cm /dev/random .
+ .Sh SEE ALSO
+ .Xr scp 1 ,
+ .Xr sftp 1 ,
+diff -up openssh-5.8p1/ssh-keygen.1.entropy2 openssh-5.8p1/ssh-keygen.1
+--- openssh-5.8p1/ssh-keygen.1.entropy2	2010-11-05 00:20:14.000000000 +0100
+++ openssh-5.8p1/ssh-keygen.1	2011-03-27 21:42:49.178648710 +0200
+@@ -655,6 +655,18 @@ Contains Diffie-Hellman groups used for 
+ The file format is described in
+ .Xr moduli 5 .
+ .El
+.Sh ENVIRONMENT
+.Bl -tag -width Ds -compact
+.Pp
+.It Pa SSH_USE_STRONG_RNG
+The reseeding of the OpenSSL random generator is usually done from
+.Cm /dev/urandom .
+If the 
+.Cm SSH_USE_STRONG_RNG
+is set to
+.Cm 1 ,
+the OpenSSL random generator is reseed from
+.Cm /dev/random .
+ .Sh SEE ALSO
+ .Xr ssh 1 ,
+ .Xr ssh-add 1 ,
+diff -up openssh-5.8p1/ssh-keysign.8.entropy2 openssh-5.8p1/ssh-keysign.8
+--- openssh-5.8p1/ssh-keysign.8.entropy2	2010-08-31 14:41:14.000000000 +0200
+++ openssh-5.8p1/ssh-keysign.8	2011-03-27 21:43:47.960677527 +0200
+@@ -78,6 +78,18 @@ must be set-uid root if host-based authe
+ If these files exist they are assumed to contain public certificate
+ information corresponding with the private keys above.
+ .El
+.Sh ENVIRONMENT
+.Bl -tag -width Ds -compact
+.Pp
+.It Pa SSH_USE_STRONG_RNG
+The reseeding of the OpenSSL random generator is usually done from
+.Cm /dev/urandom .
+If the 
+.Cm SSH_USE_STRONG_RNG
+is set to
+.Cm 1 ,
+the OpenSSL random generator is reseed from
+.Cm /dev/random .
+ .Sh SEE ALSO
+ .Xr ssh 1 ,
+ .Xr ssh-keygen 1 ,
--- a/openssh-5.8p1-reseed2.patch
+++ b/openssh-5.8p1-reseed2.patch
@ -0,0 +1,15 @@
+diff -up openssh-5.8p1/sshd_config.5.reseed2 openssh-5.8p1/sshd_config.5
+--- openssh-5.8p1/sshd_config.5.reseed2	2011-03-27 19:51:00.881648385 +0200
+++ openssh-5.8p1/sshd_config.5	2011-03-27 20:01:31.608759007 +0200
+@@ -618,7 +618,10 @@ The default is
+ .Dq diffie-hellman-group14-sha1 ,
+ .Dq diffie-hellman-group1-sha1 .
+ .It Cm KeyRegenerationInterval
+-In protocol version 1, the ephemeral server key is automatically regenerated
+The time interval between the OpenSSL random generator reseedings. The generator is reseeded
+to prevent the possibility of estimation the next random values. The rancom generator 
+is not reseeded in the case, that there are no connections.
+Additionally in protocol version 1, the ephemeral server key is automatically regenerated
+ after this many seconds (if it has been used).
+ The purpose of regeneration is to prevent
+ decrypting captured sessions by later breaking into the machine and