Mailing List Archive

/etc/urandom and Solaris
I feel very silly asking this, because I saw the answer to this question one
time and can't remember what it was. OpenSSH uses /dev/urandom or /dev/random
which Solaris does not have (verified with a call to the Sun software folks).
How do I make OpenSSH happy with a Solaris substitute for /etc/urandom?

Thanks

Tim Nibbe
Supervisor of System Administration
Sprint IP Dial Support Services
RE: /etc/urandom and Solaris
Tim-

You need to use the Entropy Gathering Daemon (EGD) developed by Brian
Warner. The EGD collects entropy from various OS/Solaris facilities,
creating an entropy pool for random number generation. Read the readme
included with the distribution of OpenSSH and visit
http://www.lothar.com/tech/crypto/ for the EGD source and documentation.

Mahalo,
Ryan

RYAN J. HUNTER
Senior UNIX Systems Administrator
Stockwalk.com Group, Inc. -- Information Architecture
email: rhunter@stockwalkgroup.com ph: 612-542-3538

-----Original Message-----
From: tnibbe [mailto:tnibbe@sprint.net]
Sent: Tuesday, March 28, 2000 2:16 PM
To: openssh-unix-dev@mindrot.org
Subject: /etc/urandom and Solaris


I feel very silly asking this, because I saw the answer to this question one
time and can't remember what it was. OpenSSH uses /dev/urandom or /dev/random
which Solaris does not have (verified with a call to the Sun software folks).
How do I make OpenSSH happy with a Solaris substitute for /etc/urandom?

Thanks

Tim Nibbe
Supervisor of System Administration
Sprint IP Dial Support Services
RE: /etc/urandom and Solaris
This probably should have made it into some of the OpenSSH doco by now (*hint*)

Sun *does* have a /dev/random, and it works with OpenSSH

It's not bundled, it's part of the package SUNWski.

You can find SUNWski on Sunsolve if you go scanning through the
patch reports.

Carl
Re: /etc/urandom and Solaris
On Wed, Mar 29, 2000 at 07:27:12AM +1000, Carl Brewer wrote:
> Sun *does* have a /dev/random, and it works with OpenSSH
>
> It's not bundled, it's part of the package SUNWski.
>
> You can find SUNWski on Sunsolve if you go scanning through the
> patch reports.

I for one would appreciate seeing a specific URL to get it from.
There's precious little free time (for me, anyway) for surfing on the
hope I might find something.

--
Willard Francis Otto Dawson +1 770 814 5099 / +1 770 814 5202 FAX
Siemens Business Services, ENS mailto:willard.dawson@sbs.siemens.com
4570 River Green Pkwy, Ste 140 http://www.sbs.siemens.com/
Duluth, GA 30096-2564 Standard disclaimer applies.
Re: /etc/urandom and Solaris
Carl Brewer wrote:
>
> Sun *does* have a /dev/random, and it works with OpenSSH
>
> It's not bundled, it's part of the package SUNWski.
>
> You can find SUNWski on Sunsolve if you go scanning through the
> patch reports.

Hmmm... There are both international and domestic versions of the
Sun Web Server patch that contains SUNWski. One can only download
the international version with no crypto. Will the international
version have a functioning /dev/random, or will I have to get the
folks at 1-800-USA4SUN to send me a tape?

Also, the above patches are from 1998. I need this to work on
Solaris 8. Has anybody tried this? Or am I back to 1-800-USA4SUN?

Thanks!

Paul Allen
--
Paul L. Allen | voice: (425) 865-3297 fax: (425) 865-2964
Unix Technical Support | paul.l.allen@boeing.com
Boeing Phantom Works Math & Computing Technology Site Operations,
POB 3707 M/S 7L-68, Seattle, WA 98124-2207
Re: /etc/urandom and Solaris
On Tue, 28 Mar 2000, Paul Allen wrote:

> Hmmm... There are both international and domestic versions of the
> Sun Web Server patch that contains SUNWski. One can only download
> the international version with no crypto. Will the international
> version have a functioning /dev/random, or will I have to get the
> folks at 1-800-USA4SUN to send me a tape?

If you can find a URL from which the package can be downloaded I
would love to include it in the docs.

Regards,
Damien Miller


--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm@mindrot.org (home) -or- djm@ibs.com.au (work)
Re: /etc/urandom and Solaris
> Carl Brewer wrote:
> >
> > Sun *does* have a /dev/random, and it works with OpenSSH
> >
> > It's not bundled, it's part of the package SUNWski.
> >
> > You can find SUNWski on Sunsolve if you go scanning through the
> > patch reports.
>
> Hmmm... There are both international and domestic versions of the
> Sun Web Server patch that contains SUNWski. One can only download
> the international version with no crypto. Will the international
> version have a functioning /dev/random, or will I have to get the
> folks at 1-800-USA4SUN to send me a tape?

I don't know the story wrt the versions, but the one that I have
I got from SunSolve by searching for /dev/random in the patch
reports, and finding SUNWski, and then downloading the patch,
pulling out the package and applying it. It works on Solaris 2.6, 7
and 8ea (personal experience).

Carl
Re: /etc/urandom and Solaris
Carl Brewer wrote:
>
> > Carl Brewer wrote:
> > >
> > > Sun *does* have a /dev/random, and it works with OpenSSH
> > >
> > > It's not bundled, it's part of the package SUNWski.
> > >
> > > You can find SUNWski on Sunsolve if you go scanning through the
> > > patch reports.
> >
> > Hmmm... There are both international and domestic versions of the
> > Sun Web Server patch that contains SUNWski. One can only download
> > the international version with no crypto. Will the international
> > version have a functioning /dev/random, or will I have to get the
> > folks at 1-800-USA4SUN to send me a tape?
>
> I don't know the story wrt the versions, but the one that I have
> I got from SunSolve by searching for /dev/random in the patch
> reports, and finding SUNWski, and then downloading the patch,
> pulling out the package and applying it. It works on Solaris 2.6, 7
> and 8ea (personal experience).

OK, it's just like Carl says. Download patch 105710-01 (this is the
SPARC version) from SunSolve. If you have a SunSolve account, you
know how to do this. Unpack the patch and do something like:

pkgadd -d 105710-01

Have it install the SUNWski package. Among other things, this gives
you /etc/init.d/cryptorand and /etc/init.d/skiserv. You probably want
to disable the skiserv script, but the cryptorand script is the one
that creates a fifo called /dev/random with a daemon connected to it.
Reading from /dev/random after saying "/etc/init.d/cryptorand start"
gets apparently random data.

Does anybody know how to tell if this is "good" random data? I know
less than nothing about cryptography and am not sure how to judge
this versus egd.pl.

Paul Allen
--
Paul L. Allen | voice: (425) 865-3297 fax: (425) 865-2964
Unix Technical Support | paul.l.allen@boeing.com
Boeing Phantom Works Math & Computing Technology Site Operations,
POB 3707 M/S 7L-68, Seattle, WA 98124-2207
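
An added example, not part of the original thread: a first-pass check of the source described in the message above, reporting whether the path is a FIFO or a character device and running the FIPS 140-2 monobit and poker tests on a 20,000-bit sample. The function names and the constructed counter sample are this example's own; the thresholds are the FIPS 140-2 statistical test bounds, and passing them shows only the absence of gross bias, not cryptographic quality.

```python
import os
import stat
import sys

SAMPLE_BYTES = 2500  # 20,000 bits, the block size the FIPS 140-2 tests assume

def classify(path):
    """Report what kind of node the entropy source is."""
    mode = os.stat(path).st_mode
    if stat.S_ISFIFO(mode):
        return "fifo"      # user-space daemon feeding a named pipe
    if stat.S_ISCHR(mode):
        return "chardev"   # kernel character device
    return "other"

def monobit(sample):
    """Count of 1 bits; FIPS 140-2 accepts 9725 < ones < 10275."""
    ones = sum(bin(b).count("1") for b in sample)
    return ones, 9725 < ones < 10275

def poker(sample):
    """Chi-square over 5000 nibbles; FIPS 140-2 accepts 2.16 < x < 46.17."""
    freq = [0] * 16
    for b in sample:
        freq[b >> 4] += 1
        freq[b & 0x0F] += 1
    x = 16.0 * sum(f * f for f in freq) / 5000.0 - 5000.0
    return x, 2.16 < x < 46.17

def read_sample(path, n=SAMPLE_BYTES):
    """Read exactly n bytes; a FIFO can return short reads."""
    buf = b""
    with open(path, "rb", buffering=0) as src:
        while len(buf) < n:
            chunk = src.read(n - len(buf))
            if not chunk:
                raise IOError("source closed early")
            buf += chunk
    return buf

# Constructed sample: a plain byte counter, fully predictable.
COUNTER = bytes(i % 256 for i in range(SAMPLE_BYTES))

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/dev/random"
    data = read_sample(path)
    print(path, classify(path), "monobit", monobit(data), "poker", poker(data))
    print("counter", monobit(COUNTER), poker(COUNTER))  # passes both tests
```

The counter sample passes both tests even though every byte is predictable, so these checks can reject a broken source but cannot confirm a good one.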
Re: /etc/urandom and Solaris
On Wed, Mar 29, 2000 at 02:45:18PM +1000, Damien Miller wrote:
> If you can find a URL from which the package can be downloaded I
> would love to include it in the docs.

SUNWski is packed in with the SSL-version of the Sun WebServer.
It might also come as a larger collection of servers like Netra J.
Lastly, it's in patches for the Webserver, such as 105710, 106754,
106755 and 106756. Those patches are only reachable to contract
customers, so if you have a contract you're in good shape. Else,
call up your local Sun office and ask.

Hope this info helps,

-Robb

--
- Robert S. Dubinski, Comp. Systems Tech for MSCS Dept, Marquette University -
- Email me: tech@mscs.mu.edu Home page at: http://www.mscs.mu.edu/~tech -
- I can use GPG-encrypted email. My 1024-bit public key is at my website -
- GPG Key fingerprint = 6612 1A01 7A93 D79B 4C89 336E 592B DB76 61FB C156 -