FreeBSD Security Advisory FreeBSD-SA-03:12.openssh
Dag-ErlingSmørgrav
des at des.no
Fri Sep 19 00:37:17 PDT 2003
Roger Marquis <marquis at roble.com> writes:
> Bruce M Simpson wrote:
> > When you run out of inetd to service a single connection, you have to
> > generate a new ephemeral key for every ssh instance. This is a needless
> > waste of precious entropy from /dev/random.
> [...]
> Also, by generating a different key for each session you get better
> entropy, which makes for better encryption, especially when you
> consider that the keys for one session are useless when attempting
> to decrypt other sessions. For this reason alone it's better to
> run sshd out of inetd.
> [...]
> I've been using inetd+ssh since 1995, in dozens of data centers,
> across hundreds of hosts, and millions of sessions without a single
> problem. I wonder what Bruce Schneier would think of Mr. Simpson's
> understanding of cryptography?
I think you're the one in need of a refresher course, as you obviously
do not understand the meaning of the word "entropy" in the context of
cryptographic-strength PRNGs. Entropy is a limited resource, and
using more of it *reduces* rather than increases its quality. I don't
suppose you have a thermal entropy generator in every single machine
you administrate, do you?
DES
--
Dag-Erling Smørgrav - des at des.no
More information about the freebsd-security
mailing list