Mailing List Archive

OpenSSH ssh-keygen on Solaris8 x86
I'm having a bit of trouble generating a host key on an x86 Solaris 8
system.
I've gotten the following built and installed:
egd-0.7
openssl-0.9.5a
openssh-1.2.3

My perl version is 5.005_03.

egd is running, and tests fine with the egd "make test" and with:
#./egd.pl /etc/entropy get
22 sources found
forking into background...
server starting

But when I go to "make host-key", it just sits there. Tracking it down,
the place it stops is in random.c (line 99):

    c = atomicio(write, random_pool, egd_message,
        sizeof(egd_message));
    if (c == -1)
        fatal("Couldn't write to EGD socket \"%s\": %s",
            RANDOM_POOL, strerror(errno));

    c = atomicio(read, random_pool, buf, len); <--------- HERE

It's this last line that never completes (line 99).

I noticed from the list archives that egd-0.7 is fairly new. There was
some talk on 4/20 about a similar problem (John Weaver & Brian
Carrier), but I don't see any conclusion.

Any thoughts?

Patrick
----------
Patrick Gardella patrick@whetstonelogic.com
VP-Technology patrick@freebsd.org
Whetstone Logic, Inc. This space intentionally left blank.
Re: OpenSSH ssh-keygen on Solaris8 x86
Patrick,
I haven't actually used OpenSSH with EGD, but I've been using EGD for some
research and have had 0.7 running on Solaris. The only thing I can recommend
is to run the client program:

# eg/egc.pl /etc/entropy get
and
# eg/egc.pl /etc/entropy readb 256

The first tells you how much entropy EGD has collected and the second
does a blocking read (equivalent to the statement in random.c). You can
also run egd with --debug-client and it will display info on the requests
it gets, so it will tell you when you run 'make host-key' if there is enough
entropy for your request. If the readb command returns data, then I would
assume the problem is somewhere in OpenSSH. If it doesn't return data, then
EGD is not collecting any entropy from the system commands. At that point,
you can do a --debug-gather in egd.pl and it will display when the system
commands return and with how much entropy.

I don't believe 'make test' does much except test the SHA installation.

hope this helps,
brian


On Sat, Apr 29, 2000 at 08:17:59PM -0400, Patrick Gardella wrote:
> I'm having a bit of trouble generating a host key on an x86 Solaris 8
> system.
> I've gotten the following built and installed:
> egd-0.7
> openssl-0.9.5a
> openssh-1.2.3
>
> My perl version is 5.005_03.
>
> egd is running, and tests fine with the egd "make test" and with:
> #./egd.pl /etc/entropy get
> 22 sources found
> forking into background...
> server starting
>
> But when I go to "make host-key", it just sits there. Tracking it down,
> the place it stops is in random.c (line 99):
>
>     c = atomicio(write, random_pool, egd_message,
>         sizeof(egd_message));
>     if (c == -1)
>         fatal("Couldn't write to EGD socket \"%s\": %s",
>             RANDOM_POOL, strerror(errno));
>
>     c = atomicio(read, random_pool, buf, len); <--------- HERE
>
> It's this last line that never completes (line 99).
>
> I noticed from the list archives that egd-0.7 is fairly new. There was
> some talk on 4/20 about a similar problem (John Weaver & Brian
> Carrier), but I don't see any conclusion.
>
> Any thoughts?
>
> Patrick
> ----------
> Patrick Gardella patrick@whetstonelogic.com
> VP-Technology patrick@freebsd.org
> Whetstone Logic, Inc. This space intentionally left blank.
Re: OpenSSH ssh-keygen on Solaris8 x86
(I've cc'd in Brian Warner, author of egd)

Based on what you sent me, the problem is with egd, and not with
OpenSSH, as suspected.

Running egd in --debug-gather mode, it runs out of sources for entropy,
initially finding 22, but one by one eliminating them. Then it loops:

ran out of sources
waiting for a source to become usable again
Use of uninitialized value at ./egd.pl line 647.
next available is in -957118987

Line 647 is:
print STDERR " next available is in ",
($next_available - time()),"\n" if $debug_gather;

It doesn't appear to try to spawn any more sources after that.

I'll dig into egd this afternoon, and try to come up with a fix for it.

Patrick



--
Patrick
----------
Patrick Gardella patrick@whetstonelogic.com
VP-Technology patrick@freebsd.org
Whetstone Logic, Inc. This space intentionally left blank.
Re: OpenSSH ssh-keygen on Solaris8 x86
The patched version below does indeed work for what I've tried so far.

The only thing I would suggest adding to the documentation for egd is a
slightly modified copy of your text for GPG. I'll send it to you in
another message.

Patrick

Brian Warner wrote:
>
> > Based on what you sent me, the problem is with egd, and not with
> > OpenSSH, as suspected.
>
> Yup. There's a bug in select() handling in egd-0.7 that is exposed on recent
> versions of Solaris (and possibly Irix). The symptom is the "ran out of
> sources" message. (in short, select()ing for readability and exception-ability
> will sometimes return both when an fd is at EOF, so you must try reading first
> before believing the exception).
>
> I've got a patched version of egd.pl up for test at
> <ftp://ftp.lothar.com/linux/egd.pl.1.46> that all are welcome to try. Feedback
> is most welcome. I'm especially interested in hearing about whether clients
> who terminate early (killed mid-transaction) cause the daemon to get confused,
> since that feels like the most likely bug that could result from shuffling
> those two blocks of code.
>
> BTW, if there is any openssh-specific documentation you'd like me to put into
> the egd docs, just let me know. Something like "How to use EGD with OpenSSH"
> to complement the GPG section. (I guess I should talk to the OpenSSL folks
> about the same thing..)
>
> > Brian Carrier wrote:
> > >
> > > I don't believe 'make test' does much except test the SHA installation.
>
> The 0.6 'make test' did only that. The test.pl in 0.7 actually starts the
> daemon and does a few quick client commands to make sure it basically works. If it
> isn't doing that when you do 'make test', let me know.
>
> cheers,
> -Brian (warner)

--
Patrick
----------
Patrick Gardella patrick@whetstonelogic.com
VP-Technology patrick@freebsd.org
Whetstone Logic, Inc. This space intentionally left blank.
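
The ordering rule from Brian Warner's explanation (try the read before believing the exception), shown as an added example; it is not egd's code and not part of the thread. The `select_eof_as_exception` wrapper is a constructed stand-in for the platform behaviour described, and the rule that a "failed" source is dropped from the pool is an assumed policy; all names and the sample output are hypothetical.

```python
import select
import socket

def select_eof_as_exception(rlist, wlist, xlist, timeout):
    # Constructed stand-in for the behaviour described in the thread:
    # a descriptor at EOF is reported as readable AND exceptional.
    r, w, x = select.select(rlist, wlist, xlist, timeout)
    for s in r:
        if s in xlist and s not in x and s.recv(1, socket.MSG_PEEK) == b"":
            x.append(s)
    return r, w, x

def gather(sock, read_first, ready=select_eof_as_exception):
    """Drain one gatherer's output; return (bytes_collected, status)."""
    collected = b""
    while True:
        r, _, x = ready([sock], [], [sock], 1.0)
        if not r and not x:
            return collected, "timeout"
        if x and not read_first:
            # Exception believed before reading: a clean EOF looks like a failure.
            return collected, "failed"
        if r:
            chunk = sock.recv(4096)
            if chunk == b"":
                return collected, "eof"   # normal end of the command's output
            collected += chunk
            continue
        return collected, "failed"        # exception with nothing left to read

def run_source(read_first, output=b"constructed sample output"):
    """Hypothetical entropy source: writes its output, then closes its end."""
    ours, theirs = socket.socketpair()
    theirs.sendall(output)
    theirs.close()
    try:
        return gather(ours, read_first)
    finally:
        ours.close()

def surviving_sources(count, read_first):
    # Assumed policy: a source that ends in "failed" is dropped from the pool.
    return sum(1 for _ in range(count) if run_source(read_first)[1] == "eof")

if __name__ == "__main__":
    print("exception first:", run_source(False), surviving_sources(22, False))
    print("read first:     ", run_source(True), surviving_sources(22, True))
```

With the exception checked first, every source that finishes normally is counted as failed and the pool empties, which leaves a blocking read on the client side with nothing to satisfy it.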