Bug 19756 - possible key generation problem
Product: Red Hat Linux
Classification: Retired
Component: openssh
i386 Linux
medium Severity medium
Assigned To: Tomas Mraz
Reported: 2000-10-25 11:27 EDT by Need Real Name
Modified: 2007-04-18 12:29 EDT (History)
Doc Type: Bug Fix
Last Closed: 2005-02-02 11:07:59 EST
Description Need Real Name 2000-10-25 11:27:58 EDT
There is a possible problem with ssh key generation.
After Red Hat 7.0 is installed and the computer is rebooted,
the ssh key is generated during this first reboot.

The problem is: the Linux /dev/urandom random generator
is driven by keyboard and mouse events.
Network traffic and other things do not affect the generator.
During the reboot usually no key is pressed or mouse moved,
so the randomness
created during the reboot is probably too weak and can be easily guessed.

The solution I see is to ask the user to press some keys
before ssh key generation. Thus true random numbers will be generated
and the ssh private key will not be easily guessed as it is now.
Comment 1 Damien Miller 2000-10-25 19:14:07 EDT
My kernel picks up around 400 bytes of entropy during bootup prior to sshd
starting, measured by adding:

(sleep 5 ; killall dd) &
dd if=/dev/random of=/tmp/rand bs=1

to /etc/rc.d/init.d/sshd's start case.

Around 384 bytes are required in the worst case: generation of a DSA host key
(which does a DSA parameter generation implicitly) and generation of an RSA key.
This is a little too close for comfort, but I think that you would have a hard
time creating a real attack out of it.

The problem could be mitigated somewhat if anaconda wrote a random seed to
/var/run/random-seed after the installation. The installer would pick up a lot
of entropy from all the disk and keyboard/mouse activity during install.

It might also be worthwhile increasing the size of the kernel entropy pool for
the 2.2 kernels (2.4 can do it through proc): 512 bytes just isn't enough,
especially if you are doing SSL or IPsec. linux/drivers/char/random.c supports
pools up to 8k with a simple #define.
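
Comment 1's measurement turned into a boot-time guard, as an added example that is not part of the original thread or of the Red Hat sshd init script: it defers a key-generation command until the kernel's entropy estimate reaches the 384-byte worst case quoted above. The function names, the ENTROPY_FILE and REQUIRED_BYTES variables and the one-second polling interval are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug thread): run host-key generation only once
# the kernel's entropy estimate reaches a threshold.
# ENTROPY_FILE and REQUIRED_BYTES are hypothetical, overridable settings.
ENTROPY_FILE="${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}"
REQUIRED_BYTES="${REQUIRED_BYTES:-384}"   # worst-case figure from Comment 1

# Print the estimate in bytes (the proc file reports bits); 2 on read error.
entropy_bytes() {
    bits=$(cat "$ENTROPY_FILE" 2>/dev/null) || return 2
    case "$bits" in
        ''|*[!0-9]*) return 2 ;;   # empty or non-numeric content
    esac
    echo $((bits / 8))
}

# 0 = enough entropy, 1 = not enough, 2 = estimate unreadable.
entropy_sufficient() {
    have=$(entropy_bytes) || return 2
    [ "$have" -ge "$REQUIRED_BYTES" ]
}

# Poll once per second, at most $1 times, until the threshold is met.
wait_for_entropy() {
    tries=${1:-30}
    while [ "$tries" -gt 0 ]; do
        rc=0
        entropy_sufficient || rc=$?
        [ "$rc" -eq 1 ] || return "$rc"   # 0 = ready, 2 = error: stop polling
        tries=$((tries - 1))
        if [ "$tries" -gt 0 ]; then sleep 1; fi
    done
    return 1
}

# Run "$@" (for example an ssh-keygen call) only if entropy arrives in $1 polls.
run_when_seeded() {
    polls=$1; shift
    rc=0
    wait_for_entropy "$polls" || rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "entropy check failed (rc=$rc); not running: $*" >&2
        return "$rc"
    fi
    "$@"
}
```

The 384-byte default is the thread's figure for the kernels it discusses; set REQUIRED_BYTES to match what the running kernel's estimate can actually reach.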
Comment 2 Tomas Mraz 2005-02-02 11:07:59 EST
Asking the user to press keys on boot isn't a good idea. What about
unattended machines?

The real solution is to use a true random HW generator in current
chipsets, but this has nothing to do with openssh, which simply uses
what the kernel provides.

So feel free to report enhancement requests against the kernel.