Date: Fri, 19 Sep 2003 09:37:10 +0200 From: des@des.no (Dag-Erling =?iso-8859-1?q?Sm=F8rgrav?=) To: Roger Marquis <marquis@roble.com> Cc: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh Message-ID: <xzp8yoltejd.fsf@dwp.des.no> In-Reply-To: <20030919005659.4B5A7DACBD@mx7.roble.com> (Roger Marquis's message of "Thu, 18 Sep 2003 17:56:59 -0700 (PDT)") References: <20030918192135.744AADACAF@mx7.roble.com> <20030918231811.GE527@silverwraith.com> <20030919001951.GD2720@saboteur.dek.spc.org> <20030919005659.4B5A7DACBD@mx7.roble.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Roger Marquis <marquis@roble.com> writes: > Bruce M Simpson wrote: > > When you run out of inetd to service a single connection, you have to > > generate a new ephemeral key for every ssh instance. This is a needless > > waste of precious entropy from /dev/random. > [...] > Also, by generating a different key for each session you get better > entropy, which makes for better encryption, especially when you > consider that the keys for one session are useless when attempting > to decrypt other sessions. For this reason alone it's better to > run sshd out of inetd. > [...] > I've been using inetd+ssh since 1995, in dozens of data centers, > across hundreds of hosts, and millions of sessions without a single > problem. I wonder what Bruce Schneier would think of Mr. Simpson's > understanding of cryptography? I think you're the one in need of a refresher course, as you obviously do not understand the meaning of the word "entropy" in the context of cryptographic-strength PRNGs. Entropy is a limited resource, and using more of it *reduces* rather than increases its quality. I don't suppose you have a thermal entropy generator in every single machine you administrate, do you? DES --=20 Dag-Erling Sm=F8rgrav - des@des.no
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?xzp8yoltejd.fsf>