Mailing List Archive

On Sun, 19 Mar 2023 at 12:25, Nathan Wagner <nw@hydaspes.if.org> wrote:
> I'm trying to compile openssh with openssl 3.1 on a linux machine with
> kernel 4.15.10. I seem to get stuck at:
>
> configure: error: OpenSSH has no source of random numbers. Please
> configure OpenSSL with an entropy source or re-run configure using one
> of the --with-prngd-port or --with-prngd-socket options
>
> I haven't done anything special in configuring openssl. If I have read
> the configuration for openssl correctly, with will default to the 'os'
> source, which I think then is getrandom(2).

There's also the getentropy interface that was added glibc relatively recently.

Does the OpenSSL self-test ("make tests") pass? Does its basic RNG
function work (eg "openssl rand -base64 9")? And if "openssl rand"
doesn't work, if you strace it what is it trying to do?

> I think the check in openssh for this is a call to RAND_status(), which
> is apparently returning a failure.
>
> I can't compile without openssl, because I need to allow RSA keys.
>
> Any work arounds? Ideas follow.
>
> Compile openssh with /dev/urandom as the prngd-socket?

No, the prngd socket interface works differently to /dev/random.

> Edit the configure script to force a success where RAND_status()
> is called?

Probably not. When it's built with OpenSSL, it just defers to OpenSSL
for random seeding.

> Call whatever openssl needs to initialize the random seed somewhere
> early in openssh startup? It may already do this, I see calls to
> RAND_seed() in sshd.c.
>
> More generally, would it make sense (on linux at least) to use
> getrandom() if available, or /dev/urandom otherwise regardless
> of whether or not openssl is used?

Probably not. RNG seeding is surprisingly convoluted due to the
varying standards over time (see entropy.c,
openbsd-compat/arc4random.c and openbsd-compat/bsd-getentropy.c) which
is why when it's built with OpenSSL, it just defers to OpenSSL.

You might be able to get this to compile, but if the RNG seeding in
your OpenSSL build is broken I would be concerned about what else
might be broken in it, possibly in some subtle way. I would be
looking at fixing your OpenSSL.

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

On Sun, Mar 19, 2023 at 12:57:23PM +1100, Darren Tucker wrote:
> On Sun, 19 Mar 2023 at 12:25, Nathan Wagner <nw@hydaspes.if.org> wrote:

> Does the OpenSSL self-test ("make tests") pass? Does its basic RNG
> function work (eg "openssl rand -base64 9")? And if "openssl rand"
> doesn't work, if you strace it what is it trying to do?

make tests pass, and openssl rand -base64 9 produces output that looks
like base64.

> > Compile openssh with /dev/urandom as the prngd-socket?
>
> No, the prngd socket interface works differently to /dev/random.

Interesting. I compiled ssh to use /dev/urandom as the socket,
and it appears to work. Obviously there could be strange bugs.

> You might be able to get this to compile, but if the RNG seeding in
> your OpenSSL build is broken

I don't think it is. I think the openssh test isn't correct, at least
not for openssl 3.1. I did find a post to linuxquestions in 2014 that
had the same or similar problem. That obviously wasn't openssl 3.1.

> I would be concerned about what else might be broken in it, possibly
> in some subtle way. I would be looking at fixing your OpenSSL.

Any idea how? I think RAND_status() would need to be changed.

--
nw
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

On Sun, 19 Mar 2023 at 14:07, Nathan Wagner <nw@hydaspes.if.org> wrote:
> On Sun, Mar 19, 2023 at 12:57:23PM +1100, Darren Tucker wrote:
[...]
> > No, the prngd socket interface works differently to /dev/random.
>
> Interesting. I compiled ssh to use /dev/urandom as the socket,
> and it appears to work. Obviously there could be strange bugs.

That is interesting. The prngd interface is "connect to Unix domain
socket, send a byte with the number of random bytes you want and read
that number of bytes back." I thought the connect(2) would fail, but
if can connect to a device node, the random device will ignore the
count byte and the final read should work OK.

[...]
> > I would be concerned about what else might be broken in it, possibly
> > in some subtle way. I would be looking at fixing your OpenSSL.
>
> Any idea how? I think RAND_status() would need to be changed.

Did the OpenSSH RAND_status test program fail at runtime, or did it
fail to compile for some reason? That should be in config.log.

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev