Bugtraq mailing list archives

Re: ssh host key generation in Red Hat Linux

From: Crispin Cowan <crispin () immunix com>
Date: Fri, 25 Jul 2003 11:29:51 -0700

Kent Borg wrote:

I recently installed Red Hat Linux 9 and noticed on the first boot a
message about generating ssh host keys.  Isn't that a dangerous thing
to do on the first boot?  Where is the installation going to get
enough good entropy so early in its life?

Maybe the paranoid thing to do is, as part of configuring a machine,
to regenerate those keys once user interaction (or other entropy
source) has had time to really stir the Linux entropy pool.

SSH is likely getting it's entropy from /dev/random. The kernel willdecide whether there is enough entropy in the /dev/random entropy pool,and block reads until the pool fills.

This pool, in turn, is going to have pleanty of entropy generated bytiming jitter in disk I/O interrupts.


To experiment with this, run the command:

cat /dev/random | od -cx

It will dump for a while and then stop. Then type a key. Then move yourmouse. Wait for a cron job to start up and watch what it does. Etc. etc.

Disclaimer: there is dispute in the crypto community about the hashingdone in /dev/urandom (note the 'u') which never blocks. /dev/urandomjust recycles the entropy pool with a PRNG, and people have variablefaith in the quality of PRNG's.


Crispin

--
Crispin Cowan, Ph.D.           http://immunix.com/~crispin/
Chief Scientist, Immunix       http://immunix.com
           http://www.immunix.com/shop/

Current thread:

ssh host key generation in Red Hat Linux Kent Borg (Jul 25)
- Re: ssh host key generation in Red Hat Linux Crispin Cowan (Jul 25)
  - Re: ssh host key generation in Red Hat Linux Brian Hatch (Jul 25)
  - Message not available
    - Re: ssh host key generation in Red Hat Linux Kent Borg (Jul 25)
  - Re: ssh host key generation in Red Hat Linux Aaron Lehmann (Jul 26)