From 91d3b39c039d57143eb3c88e8b2e615e8791f8d1 Mon Sep 17 00:00:00 2001 From: Jan F Date: Mar 28 2011 14:19:03 +0000 Subject: improve reseeding and seed source (cocumentation) --- diff --git a/openssh-5.8p1-keycat.patch b/openssh-5.8p1-keycat.patch index 67545e5..9ab083c 100644 --- a/openssh-5.8p1-keycat.patch +++ b/openssh-5.8p1-keycat.patch @@ -25,7 +25,7 @@ diff -up openssh-5.8p1/HOWTO.ssh-keycat.keycat openssh-5.8p1/HOWTO.ssh-keycat +polyinstantiation of home directories and SELinux MLS policy enabled. + +To use ssh-keycat, set these options in /etc/ssh/sshd_config file: -+ AuthorizedKeysCommand "/usr/libexec/openssh/ssh-keycat" ++ AuthorizedKeysCommand /usr/libexec/openssh/ssh-keycat + AuthorizedKeysCommandRunAs root + +Do not forget to enable public key authentication: diff --git a/openssh-5.8p1-reseed.patch b/openssh-5.8p1-reseed.patch deleted file mode 100644 index bfaa3c7..0000000 --- a/openssh-5.8p1-reseed.patch +++ /dev/null @@ -1,53 +0,0 @@ -diff -up openssh-5.8p1/sshd.c.reseed openssh-5.8p1/sshd.c ---- openssh-5.8p1/sshd.c.reseed 2011-03-16 15:48:47.870648161 +0100 -+++ openssh-5.8p1/sshd.c 2011-03-16 18:55:52.998648933 +0100 -@@ -225,6 +225,8 @@ static volatile sig_atomic_t key_do_rege - static volatile sig_atomic_t received_sighup = 0; - static volatile sig_atomic_t received_sigterm = 0; - -+static volatile int need_reseed = 0; -+ - /* session identifier, used by RSA-auth */ - u_char session_id[16]; - -@@ -396,6 +398,9 @@ generate_ephemeral_server_key(void) - arc4random_stir(); - } - -+/* -+ * Signal handler for the alarm in the accept loop. -+ */ - /*ARGSUSED*/ - static void - key_regeneration_alarm(int sig) -@@ -405,6 +410,7 @@ key_regeneration_alarm(int sig) - signal(SIGALRM, SIG_DFL); - errno = save_errno; - key_do_regen = 1; -+ need_reseed = 1; - } - - static void -@@ -1277,6 +1285,13 @@ server_accept_loop(int *sock_in, int *so - * the child process the connection. The - * parent continues listening. - */ -+ if (need_reseed) { -+ seed_rng(); -+ logit("random reseeded"); -+ need_reseed = 0; -+ signal(SIGALRM, key_regeneration_alarm); -+ alarm(options.key_regeneration_time); -+ } - platform_pre_fork(); - if ((pid = fork()) == 0) { - /* -@@ -1836,6 +1852,8 @@ main(int ac, char **av) - signal(SIGCHLD, main_sigchld_handler); - signal(SIGTERM, sigterm_handler); - signal(SIGQUIT, sigterm_handler); -+ signal(SIGALRM, key_regeneration_alarm); -+ alarm(options.key_regeneration_time); - - /* - * Write out the pid file after the sigterm handler diff --git a/openssh-5.8p1-reseed2.patch b/openssh-5.8p1-reseed2.patch deleted file mode 100644 index 5b5d53c..0000000 --- a/openssh-5.8p1-reseed2.patch +++ /dev/null @@ -1,15 +0,0 @@ -diff -up openssh-5.8p1/sshd_config.5.reseed2 openssh-5.8p1/sshd_config.5 ---- openssh-5.8p1/sshd_config.5.reseed2 2011-03-27 19:51:00.881648385 +0200 -+++ openssh-5.8p1/sshd_config.5 2011-03-27 20:01:31.608759007 +0200 -@@ -618,7 +618,10 @@ The default is - .Dq diffie-hellman-group14-sha1 , - .Dq diffie-hellman-group1-sha1 . - .It Cm KeyRegenerationInterval --In protocol version 1, the ephemeral server key is automatically regenerated -+The time interval between the OpenSSL random generator reseedings. The generator is reseeded -+to prevent the possibility of estimation the next random values. The rancom generator -+is not reseeded in the case, that there are no connections. -+Additionally in protocol version 1, the ephemeral server key is automatically regenerated - after this many seconds (if it has been used). - The purpose of regeneration is to prevent - decrypting captured sessions by later breaking into the machine and diff --git a/openssh.spec b/openssh.spec index cc0621a..d77abc9 100644 --- a/openssh.spec +++ b/openssh.spec @@ -115,9 +115,6 @@ Patch104: openssh-5.8p1-audit4a.patch Patch5: openssh-5.8p1-audit5.patch Patch105: openssh-5.8p1-audit5a.patch #? -Patch6: openssh-5.8p1-reseed.patch -Patch106: openssh-5.8p1-reseed2.patch -#? Patch7: openssh-5.8p1-entropy.patch Patch107: openssh-5.8p1-entropy2.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1640 (WONTFIX) @@ -340,8 +337,6 @@ The module is most useful for su and sudo service stacks. %patch104 -p1 -b .audit4a %patch5 -p1 -b .audit5 %patch105 -p1 -b .audit5a -%patch6 -p1 -b .reseed -%patch106 -p1 -b .reseed2 %patch7 -p1 -b .entropy %patch107 -p1 -b .entropy2 %patch9 -p1 -b .vendor