[cryptography] Duplicate primes in lots of RSA moduli

Jeffrey I. Schiller jis at qyv.net
Sat Feb 18 12:57:30 EST 2012


On 02/18/2012 12:04 PM, Jon Callas wrote:
> It was (2), they didn't wait.

Actually they just did what a lot of linux distros do. If during boot
the ssh host key isn't found, they call ssh-keygen to create it. Chances
are when that happens it is the very first boot of a new out-of-the-box
system. This would be a low-entropy time.

The problem is that ssh-keygen uses /dev/urandom and it should really
use /dev/random. I suspect that once upon a time it may have (I don't
have the history off hand) and someone got annoyed when it blocked and
"solved" the problem.

A Crypto Person: Hmm. ssh-keygen is blocking, we should figure out how
to get enough randomness before we call ssh-keygen.

An Engineer (or network person): Hmm. ssh-keygen is blocking. Oh, it is
using /dev/random. Let's just change it to /dev/urandom and go to lunch.
(sorry for being snide! :-) )

One of the problems with having ssh-keygen block is that once it has
blocked during system boot, there isn't much opportunity to gather more
entropy, so the symptom to the end user is a hung system.

Perhaps ssh-keygen should use /dev/random but open it for non-blocking
I/O. If ssh-keygen then gets an EAGAIN (or EWOULDBLOCK) error from
/dev/random it should exit with an appropriate code. System boot could
then background the key generation piece and continue with the system
boot. Of course you wouldn't be able to remotely log in until the
background process eventually succeeds in calling ssh-keygen (meaning
that finally enough entropy was gathered to avoid the blocking of


-- 
Jeffrey I. Schiller
MIT Technologist, Consultant, and Cavy Breeder
Cambridge, MA 02139-4307
617.910.0259 - Voice
jis at qyv.net


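The non-blocking /dev/random probe sketched in the message above, written out as an added C example; this is not code from the post, from OpenSSH or from ssh-keygen. The exit-code values, the function names and the 32-byte seed size are assumptions chosen for the example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Exit codes a boot script could branch on. Assumed values for this
 * example; ssh-keygen defines no such codes. */
enum { ENTROPY_OK = 0, ENTROPY_ERROR = 1, ENTROPY_WOULD_BLOCK = 75 };

/* Fill buf with n bytes from path, opened O_NONBLOCK so a starved pool
 * yields EAGAIN/EWOULDBLOCK instead of hanging the caller. */
int read_entropy_nonblocking(const char *path, unsigned char *buf, size_t n)
{
    int fd = open(path, O_RDONLY | O_NONBLOCK);
    if (fd < 0)
        return ENTROPY_ERROR;
    int rc = ENTROPY_OK;
    size_t got = 0;
    while (got < n) {
        ssize_t r = read(fd, buf + got, n - got);
        if (r > 0) { got += (size_t)r; continue; }
        if (r < 0 && errno == EINTR) continue;
        /* No entropy available right now: report it rather than block. */
        rc = (r < 0 && (errno == EAGAIN || errno == EWOULDBLOCK))
                 ? ENTROPY_WOULD_BLOCK : ENTROPY_ERROR;
        break;
    }
    close(fd);
    return rc;
}

/* Probe a source for a 32-byte seed and report the outcome code. */
int probe_entropy_source(const char *path)
{
    unsigned char seed[32];
    return read_entropy_nonblocking(path, seed, sizeof seed);
}

int main(void)
{
    int rc = probe_entropy_source("/dev/random");
    if (rc == ENTROPY_WOULD_BLOCK)
        fputs("entropy pool not ready; defer host key generation\n", stderr);
    else if (rc == ENTROPY_OK)
        fputs("seed available; safe to run key generation now\n", stdout);
    return rc; /* boot script: 75 => background and retry, 0 => proceed */
}
```

A boot script would run this, background the key-generation step on exit code 75, and let the rest of boot continue, which is the behaviour the message proposes.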