[openssh] improve reseeding and seed source (cocumentation)

Jan F. Chadima jfch2222 at fedoraproject.org
Sun Mar 27 19:57:30 UTC 2011


commit d32174835999ada6f2586dc33494d7959329c96e
Author: Jan F <jfch at kerberos.example.com>
Date:   Sun Mar 27 21:57:14 2011 +0200

    improve reseeding and seed source (documentation)

 openssh-5.8p1-entropy2.patch |  126 ++++++++++++++++++++++++++++++++++++++++++
 openssh-5.8p1-reseed2.patch  |   15 +++++
 2 files changed, 141 insertions(+), 0 deletions(-)
---
diff --git a/openssh-5.8p1-entropy2.patch b/openssh-5.8p1-entropy2.patch
new file mode 100644
index 0000000..99d6bf7
--- /dev/null
+++ b/openssh-5.8p1-entropy2.patch
@@ -0,0 +1,126 @@
+diff -up openssh-5.8p1/ssh.1.entropy2 openssh-5.8p1/ssh.1
+--- openssh-5.8p1/ssh.1.entropy2	2010-11-20 05:21:03.000000000 +0100
++++ openssh-5.8p1/ssh.1	2011-03-27 21:42:48.945797624 +0200
+@@ -1250,6 +1250,15 @@ For more information, see the
+ .Cm PermitUserEnvironment
+ option in
+ .Xr sshd_config 5 .
++.It Ev SSH_USE_STRONG_RNG
++The reseeding of the OpenSSL random generator is usually done from
++.Cm /dev/urandom .
++If the 
++.Cm SSH_USE_STRONG_RNG
++is set to
++.Cm 1 ,
++the OpenSSL random generator is reseed from
++.Cm /dev/random .
+ .Sh FILES
+ .Bl -tag -width Ds -compact
+ .It Pa ~/.rhosts
+diff -up openssh-5.8p1/ssh-add.1.entropy2 openssh-5.8p1/ssh-add.1
+--- openssh-5.8p1/ssh-add.1.entropy2	2010-11-05 00:20:14.000000000 +0100
++++ openssh-5.8p1/ssh-add.1	2011-03-27 21:42:49.001659247 +0200
+@@ -157,6 +157,15 @@ to make this work.)
+ Identifies the path of a
+ .Ux Ns -domain
+ socket used to communicate with the agent.
++.It Ev SSH_USE_STRONG_RNG
++The reseeding of the OpenSSL random generator is usually done from
++.Cm /dev/urandom .
++If the 
++.Cm SSH_USE_STRONG_RNG
++is set to
++.Cm 1 ,
++the OpenSSL random generator is reseed from
++.Cm /dev/random .
+ .El
+ .Sh FILES
+ .Bl -tag -width Ds
+diff -up openssh-5.8p1/ssh-agent.1.entropy2 openssh-5.8p1/ssh-agent.1
+--- openssh-5.8p1/ssh-agent.1.entropy2	2010-12-01 01:50:35.000000000 +0100
++++ openssh-5.8p1/ssh-agent.1	2011-03-27 21:42:49.056648910 +0200
+@@ -198,6 +198,18 @@ sockets used to contain the connection t
+ These sockets should only be readable by the owner.
+ The sockets should get automatically removed when the agent exits.
+ .El
++.Sh ENVIRONMENT
++.Bl -tag -width Ds -compact
++.Pp
++.It Pa SSH_USE_STRONG_RNG
++The reseeding of the OpenSSL random generator is usually done from
++.Cm /dev/urandom .
++If the 
++.Cm SSH_USE_STRONG_RNG
++is set to
++.Cm 1 ,
++the OpenSSL random generator is reseed from
++.Cm /dev/random .
+ .Sh SEE ALSO
+ .Xr ssh 1 ,
+ .Xr ssh-add 1 ,
+diff -up openssh-5.8p1/sshd.8.entropy2 openssh-5.8p1/sshd.8
+--- openssh-5.8p1/sshd.8.entropy2	2010-11-05 00:20:14.000000000 +0100
++++ openssh-5.8p1/sshd.8	2011-03-27 21:42:49.121648754 +0200
+@@ -937,6 +937,18 @@ concurrently for different ports, this c
+ started last).
+ The content of this file is not sensitive; it can be world-readable.
+ .El
++.Sh ENVIRONMENT
++.Bl -tag -width Ds -compact
++.Pp
++.It Pa SSH_USE_STRONG_RNG
++The reseeding of the OpenSSL random generator is usually done from
++.Cm /dev/urandom .
++If the 
++.Cm SSH_USE_STRONG_RNG
++is set to
++.Cm 1 ,
++the OpenSSL random generator is reseed from
++.Cm /dev/random .
+ .Sh SEE ALSO
+ .Xr scp 1 ,
+ .Xr sftp 1 ,
+diff -up openssh-5.8p1/ssh-keygen.1.entropy2 openssh-5.8p1/ssh-keygen.1
+--- openssh-5.8p1/ssh-keygen.1.entropy2	2010-11-05 00:20:14.000000000 +0100
++++ openssh-5.8p1/ssh-keygen.1	2011-03-27 21:42:49.178648710 +0200
+@@ -655,6 +655,18 @@ Contains Diffie-Hellman groups used for 
+ The file format is described in
+ .Xr moduli 5 .
+ .El
++.Sh ENVIRONMENT
++.Bl -tag -width Ds -compact
++.Pp
++.It Pa SSH_USE_STRONG_RNG
++The reseeding of the OpenSSL random generator is usually done from
++.Cm /dev/urandom .
++If the 
++.Cm SSH_USE_STRONG_RNG
++is set to
++.Cm 1 ,
++the OpenSSL random generator is reseed from
++.Cm /dev/random .
+ .Sh SEE ALSO
+ .Xr ssh 1 ,
+ .Xr ssh-add 1 ,
+diff -up openssh-5.8p1/ssh-keysign.8.entropy2 openssh-5.8p1/ssh-keysign.8
+--- openssh-5.8p1/ssh-keysign.8.entropy2	2010-08-31 14:41:14.000000000 +0200
++++ openssh-5.8p1/ssh-keysign.8	2011-03-27 21:43:47.960677527 +0200
+@@ -78,6 +78,18 @@ must be set-uid root if host-based authe
+ If these files exist they are assumed to contain public certificate
+ information corresponding with the private keys above.
+ .El
++.Sh ENVIRONMENT
++.Bl -tag -width Ds -compact
++.Pp
++.It Pa SSH_USE_STRONG_RNG
++The reseeding of the OpenSSL random generator is usually done from
++.Cm /dev/urandom .
++If the 
++.Cm SSH_USE_STRONG_RNG
++is set to
++.Cm 1 ,
++the OpenSSL random generator is reseed from
++.Cm /dev/random .
+ .Sh SEE ALSO
+ .Xr ssh 1 ,
+ .Xr ssh-keygen 1 ,
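Review bot: The ENVIRONMENT sections added to ssh-agent.1, sshd.8, ssh-keygen.1 and ssh-keysign.8 open `.Bl -tag -width Ds -compact` but never close it — `.Sh SEE ALSO` follows the last `.Cm /dev/random .` line with no `.El`, so the list is left open at the end of each new section. The variable is tagged `.It Pa SSH_USE_STRONG_RNG` in those four files but `.It Ev SSH_USE_STRONG_RNG` in ssh.1 and ssh-add.1; `Ev` is the mdoc macro for environment variables, and the device nodes should likewise be `.Pa /dev/urandom` and `.Pa /dev/random` rather than `.Cm`. The repeated sentence should read `the OpenSSL random generator is reseeded from`, and `If the ` carries a trailing space in every copy. In ssh.1 the entry is inserted after the prose that ends the existing ENVIRONMENT section, which upstream appears to place after that list's `.El`; if so, the `.It` sits outside any list and should move up into it. A one-line caveat that `/dev/random` can block until the kernel has gathered enough entropy would tell administrators what they trade for setting the variable to 1.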
diff --git a/openssh-5.8p1-reseed2.patch b/openssh-5.8p1-reseed2.patch
new file mode 100644
index 0000000..5b5d53c
--- /dev/null
+++ b/openssh-5.8p1-reseed2.patch
@@ -0,0 +1,15 @@
+diff -up openssh-5.8p1/sshd_config.5.reseed2 openssh-5.8p1/sshd_config.5
+--- openssh-5.8p1/sshd_config.5.reseed2	2011-03-27 19:51:00.881648385 +0200
++++ openssh-5.8p1/sshd_config.5	2011-03-27 20:01:31.608759007 +0200
+@@ -618,7 +618,10 @@ The default is
+ .Dq diffie-hellman-group14-sha1 ,
+ .Dq diffie-hellman-group1-sha1 .
+ .It Cm KeyRegenerationInterval
+-In protocol version 1, the ephemeral server key is automatically regenerated
++The time interval between the OpenSSL random generator reseedings. The generator is reseeded
++to prevent the possibility of estimation the next random values. The rancom generator 
++is not reseeded in the case, that there are no connections.
++Additionally in protocol version 1, the ephemeral server key is automatically regenerated
+ after this many seconds (if it has been used).
+ The purpose of regeneration is to prevent
+ decrypting captured sessions by later breaking into the machine and
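Review bot: The new KeyRegenerationInterval text contains typos and unclear wording in a description administrators will read when tuning a security setting: `rancom` should be `random`, and `to prevent the possibility of estimation the next random values` reads better as `to make it harder to predict future generator output`. The sentence `is not reseeded in the case, that there are no connections` should become `is not reseeded while there are no connections`, and `The rancom generator ` has a trailing space. Because the option now governs two unrelated timers — OpenSSL RNG reseeding and the protocol 1 ephemeral server key — the description should state plainly that reseeding still happens at this interval when protocol 1 is disabled, which the hunk leaves implicit. The option's description continues past the end of the hunk.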

