[Bug 968] OpenSSH 3.8p1 PRNG seed extraction failed error
http://bugzilla.mindrot.org/show_bug.cgi?id=968

Summary: OpenSSH 3.8p1 PRNG seed extraction failed error
Product: Portable OpenSSH
Version: 3.8p1
Platform: UltraSparc
OS/Version: SunOS
Status: NEW
Severity: major
Priority: P2
Component: scp
AssignedTo: openssh-bugs@mindrot.org
ReportedBy: stephen.berliner@ngc.com


I get these errors while running a Korn shell script which runs installations
on multiple servers from a single server location. Some processes are run in
the background, such as copying files to the servers. During the copy process,
at different times between the 5th and 7th process, I get these errors:

PRNG seed extraction failed
ssh-rand-helper child produced insufficient data

I have no clue as to what is going on but this same script worked under the
previous version of ssh that only supported ssh1.

Can anyone please help?



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

------- Additional Comments From stephen.berliner@ngc.com 2005-01-04 05:58 -------
Created an attachment (id=757)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=757&action=view)
deploy korn script that distributes and installs application software on
multiple servers.

This is the script.




------- Additional Comments From stephen.berliner@ngc.com 2005-01-04 05:59 -------
Created an attachment (id=758)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=758&action=view)
sshd_config file

sshd_config file




------- Additional Comments From dtucker@zip.com.au 2005-01-06 09:45 -------
To figure out what the random helper program is doing (or not doing, as the case
may be) try running "ssh-rand-helper -vvv" multiple times, checking if it
fails sometimes and comparing the output between runs.

You'll probably get better results if you install prngd:
http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html

If your OpenSSL is relatively modern, it will search the default places for the
prngd socket, so you won't need to recompile OpenSSH after installing prngd; it
will be used automatically.

BTW, what version of SunOS are you running?




------- Additional Comments From stephen.berliner@ngc.com 2005-01-08 02:14 -------
Created an attachment (id=759)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=759&action=view)
log of ssh-rand-helper -vvv





------- Additional Comments From stephen.berliner@ngc.com 2005-01-08 02:19 -------
Darren,

Thanks for your response.
Running "uname -a" produces the following.

SunOS NNM2 5.8 Generic_108528-29 sun4u sparc SUNW,Ultra-2

I have run ssh-rand-helper -vvv and supplied a log. I ran this command
at least 25 times and also created a script to run it in background mode and
received no errors.

I am not sure if the openssh install was done correctly. I am just a user and
the SAs don't seem to be as bothered as me about this problem.




------- Additional Comments From djm@mindrot.org 2005-01-08 09:39 -------
Created an attachment (id=760)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=760&action=view)
Use temporary file for prng_seed

I wonder if this is a race condition in prng_seed creation/reading. Please give
this patch a try and see if it helps.

You might also want to try some stress-tests on ssh-rand-helper. E.g. something
like this:

    for x in 0 1 2 3 4 5 6 7 8 9; do
      for y in 0 1 2 3 4; do
        sh -c "ssh-rand-helper -vvv > out.$x.$y 2>&1 || echo $x.$y failed" &
      done
    done

This will run 50 concurrent ssh-rand-helpers, and should report on failures.





djm@mindrot.org changed:

What |Removed |Added
----------------------------------------------------------------------------
Keywords| |patch






------- Additional Comments From dtucker@zip.com.au 2005-01-10 19:50 -------
Heh. Don't try that script on a production box, kids (or at least, not in prime
time):
$ uptime
7:42pm up 19 min(s), 3 users, load average: 54.55, 28.04, 14.86

Anyway, I can reproduce it on Solaris 2.5.1. Here's the tail of a failing log:

debug3: Got 0.00 bytes of entropy from 'tail -200 /var/adm/messages'
debug1: Seeded RNG with 4 bytes from programs
debug1: writing PRNG seed to file /home/dtucker/.ssh/prng_seed
PRNG seed extraction failed

Will test patch #760 next.




------- Additional Comments From dtucker@zip.com.au 2005-01-10 20:42 -------
The patch made no difference for me (although it still seems like a good idea).

I took a closer look at the logs and the problem appears to be that all of the
commands time out before providing any entropy, eg:

debug3: Reading output from 'uptime'
debug3: Time elapsed: 1073 msec
debug2: Command 'uptime' timed out

I don't see what ssh-rand-helper can do about that aside from upping the timeout.

Stephen, I suggest you ask your admins to install Sun patch 112438-03 (assuming
the box is a SPARC). Installing it by the book requires a reboot, but there are
instructions around for loading the module and creating the device nodes by hand.



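Added example (not part of the original thread and not OpenSSH code): a shell helper that summarizes the "ssh-rand-helper -vvv" logs written by the stress loop earlier in the thread, counting timed-out commands and reported entropy so that runs like the failing one quoted above stand out. The function names and the sample log, assembled from the log lines quoted in the thread, are constructed for illustration.

```shell
#!/bin/sh
# Summarize one "ssh-rand-helper -vvv" log read from stdin.
# Only the message formats quoted in this thread are matched.
summarize_helper_log() {
    awk '
        /^debug2: Command .* timed out$/ { timeouts++ }
        /^debug3: Got [0-9.]+ bytes of entropy from / { entropy += $3 }
        /^debug1: Seeded RNG with [0-9]+ bytes from programs$/ { seeded = $5 }
        /^PRNG seed extraction failed$/ { failed = 1 }
        END {
            printf "timeouts=%d entropy=%.2f seeded=%d failed=%s\n", timeouts, entropy, seeded, (failed ? "yes" : "no")
        }'
}

# Summarize every out.X.Y file in a directory, one line per run.
# The out.X.Y naming is the one used by the stress loop in the thread.
report_stress_run() {
    dir=$1
    for f in "$dir"/out.*; do
        [ -f "$f" ] || continue
        printf '%s %s\n' "${f##*/}" "$(summarize_helper_log < "$f")"
    done
}

# Constructed sample: the log lines quoted in the thread, joined into one run.
sample_failing_log() {
    cat <<'EOF'
debug3: Reading output from 'uptime'
debug3: Time elapsed: 1073 msec
debug2: Command 'uptime' timed out
debug3: Got 0.00 bytes of entropy from 'tail -200 /var/adm/messages'
debug1: Seeded RNG with 4 bytes from programs
debug1: writing PRNG seed to file /home/dtucker/.ssh/prng_seed
PRNG seed extraction failed
EOF
}

# Demo on the constructed sample.
sample_failing_log | summarize_helper_log
```

After a stress run, `report_stress_run .` in the directory holding the out.X.Y files shows whether the failed runs are the ones where the entropy commands timed out.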