Openwall Project   /home  Owl  JtR  Pro  crypt  pam_passwdqc  tcb  phpass  scanlogd  popa3d  msulogin  /  Linux  BIND  /  advisories  presentations  /  services  donations  /  wordlists  passwords  /  news  community  lists  wiki  CVSweb  mirrors  signatures
bringing security into open environments
 
Password Recovery Resources on the Net
[<prev] [next>] [<thread-prev] [thread-next>] [month] [year] [list] 
Date: Wed, 04 Jun 2008 11:00:48 -0800
From: Jonathan Smith <smithj@...ethemallocs.com>
To: oss-security@...ts.openwall.com
Subject: Re: OpenSSH key blacklisting

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

The Fungi wrote:
| Not to be argumentative, but have you installed OpenBSD lately
| (effectively the reference platform for OpenSSH development)? For
| years, its base install has run sshd by default, generated host keys
| at first boot, and not prompted at the console for human interaction
| to augment entropy for this process. I find it hard to blame this
| *particular* behavior on Debian (unless you're suggesting that they
| strong-armed OpenSSH upstream to integrate these changes on their
| behalf?).

rPath also auto-generates keys using the initscript found in the openssh
source. In the unpacked tarball, it is called contrib/redhat/sshd.init.
So, presumably, Red Hat does the same. Key generation pulls random bits
from /dev/random, though, and thus blocks until enough randomness is
available. That actually caused me some problems once when the machine
hung on first-boot until it got enough disk interrupts or whatever.

	smithj

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)

iEYEAREIAAYFAkhG5mAACgkQCG91qXPaRenT1wCeOQF0FIJ4mGzu6t7kgyktngML
AEAAn2rvxOY/txkB44bXgvMk2l1eUElA
=ldUl
-----END PGP SIGNATURE-----

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Hosted by DataForce ISP - Powered by Openwall GNU/*/Linux