Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 19 Sep 2003 03:28:31 +0200
From:      "Devon H. O'Dell" <dodell@sitetronics.com>
To:        freebsd-security@freebsd.org
Subject:   [Fwd: Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh]
Message-ID:  <3F6A5BBF.3020102@sitetronics.com>

next in thread | raw e-mail | index | archive | help
Roger Marquis wrote:

> [snip]
>
>It takes all of 2 seconds to generate a ssh 2 new session on a
>500Mhz cpu (causing less than 20% utilization).  Considering that
>99% of even the most heavily loaded servers have more than enough
>cpu for this task I don't really see it as an issue.
>
>Also, by generating a different key for each session you get better
>entropy, which makes for better encryption, especially when you
>consider that the keys for one session are useless when attempting
>to decrypt other sessions.  For this reason alone it's better to
>run sshd out of inetd.
>
>  
>
>>I think running sshd out of inetd is a very bad idea indeed, unless
>>Mr Marquis is willing to stay in my datacenter and hammer the keys like
>>a monkey all day, but even then that might be a poor source of entropy.
>>    
>>
>
>I've been using inetd+ssh since 1995, in dozens of data centers,
>across hundreds of hosts, and millions of sessions without a single
>problem.  I wonder what Bruce Schneier would think of Mr. Simpson's
>understanding of cryptography?
>
If I'm not mistaken, /dev/random is a pseudo-random generator, which 
means it has a certain period before it begins to repeat numbers (along 
with that it just isn't truly random). So, please correct me if I'm 
wrong, but doesn't this mean that when reading from /dev/random, you're 
'losing' randomness/entropy/whatever you're calling it?

On a related note, the manpage entry for sshd states:
    -i      Specifies that sshd is being run from inetd.  sshd is normally
            not run from inetd because it needs to generate the server key
            before it can respond to the client, and this may take tens of
            seconds.  Clients would have to wait too long if the key was re-
            generated every time.  However, with small key sizes (e.g., 512)
            using sshd from inetd may be feasible.

This is apparently the 'official' reason for not using it within inetd. 
What are current times on servers running at 1GHz or whatever's standard 
for 1Us these days. What are feasible key sizes at the moment? I do not 
run sshd from inetd and have thus never had said speed issues.

But really, please lose the sarcasm.

--Devon





Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3F6A5BBF.3020102>