pwgen's seeding looks insecure

Garrett Cooper youshi10 at u.washington.edu
Mon Jan 8 18:56:52 UTC 2007


On Jan 8, 2007, at 10:36 AM, Dan Nelson wrote:

> In the last episode (Jan 08), RW said:
>> Someone recently recommended sysutils/pwgen for generating user
>> passwords.  Out of curiosity I had a look at how it works, and I
>> don't like the look of its PRNG initialization:
>>
>>
>> #ifdef RAND48
>>   srand48((time(0)<<9) ^ (getpgrp()<<15) ^ (getpid()) ^ (time(0)>>11));
>> #else
>>   srand(time(0) ^ (getpgrp() << 8) + getpid());
>> #endif
>>
>> If pwgen is called from an account creation script, time(0) can be
>> inferred from timestamps, e.g. on a home-directory, so that just leaves
>> getpid() and getpgrp(). PIDs are allocated sequentially and globally,
>> so getpid() is highly predictable. I don't know much about getpgrp(),
>> but from the manpage it doesn't appear to be any better.
>
> Even better: make RANDOM() call random() instead of rand(), and
> initialize the rng with srandomdev().
>
> Another random password generator is in security/apg, and that one
> already uses /dev/random as a seed.
>
> -- 
> 	Dan Nelson
> 	dnelson at allantgroup.com

Not all architectures support random number generation though, IIRC,
and random number generation can be removed from the kernel, so I
think that the dev was playing it safe by using another, less random
seed source than /dev/random or /dev/urandom.
-Garrett
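
Added example, not part of the original thread and not pwgen's code: the quoted non-RAND48 seed written out with the grouping C gives it, next to a seed read from /dev/urandom that fails closed when the device is missing instead of falling back to time and PIDs. The names weak_seed and seed_from_device are hypothetical.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <time.h>
#include <unistd.h>

/* The non-RAND48 seed from the quoted code, as C parses it: '+' binds
 * tighter than '^', so the value is t ^ ((pgrp << 8) + pid). */
unsigned int weak_seed(time_t t, pid_t pgrp, pid_t pid)
{
    return (unsigned int)t ^ (((unsigned int)pgrp << 8) + (unsigned int)pid);
}

/* Fill *seed from an entropy device (hypothetical helper). Returns 0 on
 * success, -1 if the device cannot be opened or read in full. */
int seed_from_device(const char *path, unsigned int *seed)
{
    unsigned char *p = (unsigned char *)seed;
    size_t got = 0;
    int fd = open(path, O_RDONLY);

    if (fd < 0)
        return -1;
    while (got < sizeof *seed) {
        ssize_t n = read(fd, p + got, sizeof *seed - got);
        if (n < 0 && errno == EINTR)
            continue;           /* interrupted by a signal: retry */
        if (n <= 0) {           /* read error or EOF: fail closed */
            close(fd);
            return -1;
        }
        got += (size_t)n;
    }
    close(fd);
    return 0;
}

int main(void)
{
    unsigned int seed;
    if (seed_from_device("/dev/urandom", &seed) != 0) {
        fprintf(stderr, "no entropy device, refusing to generate\n");
        return 1;
    }
    srand(seed);  /* still only sizeof(unsigned int) bytes of seed */
    return 0;
}
```

Because of the addition, different (pgrp, pid) pairs can produce the same seed, so the weak seed carries less variation than its three inputs suggest.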


More information about the freebsd-questions mailing list