From owner-freebsd-security@FreeBSD.ORG Fri Sep 19 00:37:16 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EB0D116A4B3 for ; Fri, 19 Sep 2003 00:37:16 -0700 (PDT) Received: from mail.broadpark.no (mail.broadpark.no [217.13.4.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id BEC3943FDF for ; Fri, 19 Sep 2003 00:37:15 -0700 (PDT) (envelope-from des@des.no) Received: from smtp.des.no (37.80-203-228.nextgentel.com [80.203.228.37]) by mail.broadpark.no (Postfix) with ESMTP id 9402578B48; Fri, 19 Sep 2003 09:37:14 +0200 (MEST) Received: by smtp.des.no (Pony Express, from userid 666) id 5A61B99D4F; Fri, 19 Sep 2003 09:37:14 +0200 (CEST) Received: from dwp.des.no (dwp.des.no [10.0.0.4]) by smtp.des.no (Pony Express) with ESMTP id 6FCF899B49; Fri, 19 Sep 2003 09:37:10 +0200 (CEST) Received: by dwp.des.no (Postfix, from userid 2602) id 365FBB84A; Fri, 19 Sep 2003 09:37:10 +0200 (CEST) To: Roger Marquis References: <20030918192135.744AADACAF@mx7.roble.com> <20030918231811.GE527@silverwraith.com> <20030919001951.GD2720@saboteur.dek.spc.org> <20030919005659.4B5A7DACBD@mx7.roble.com> From: des@des.no (Dag-Erling =?iso-8859-1?q?Sm=F8rgrav?=) Date: Fri, 19 Sep 2003 09:37:10 +0200 In-Reply-To: <20030919005659.4B5A7DACBD@mx7.roble.com> (Roger Marquis's message of "Thu, 18 Sep 2003 17:56:59 -0700 (PDT)") Message-ID: User-Agent: Gnus/5.090024 (Oort Gnus v0.24) Emacs/21.3 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, hits=-3.0 required=8.0 tests=EMAIL_ATTRIBUTION,IN_REP_TO,QUOTED_EMAIL_TEXT,REFERENCES, REPLY_WITH_QUOTES,USER_AGENT_GNUS_UA version=2.55 X-Spam-Level: X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp) cc: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 Sep 2003 07:37:17 -0000 Roger Marquis writes: > Bruce M Simpson wrote: > > When you run out of inetd to service a single connection, you have to > > generate a new ephemeral key for every ssh instance. This is a needless > > waste of precious entropy from /dev/random. > [...] > Also, by generating a different key for each session you get better > entropy, which makes for better encryption, especially when you > consider that the keys for one session are useless when attempting > to decrypt other sessions. For this reason alone it's better to > run sshd out of inetd. > [...] > I've been using inetd+ssh since 1995, in dozens of data centers, > across hundreds of hosts, and millions of sessions without a single > problem. I wonder what Bruce Schneier would think of Mr. Simpson's > understanding of cryptography? I think you're the one in need of a refresher course, as you obviously do not understand the meaning of the word "entropy" in the context of cryptographic-strength PRNGs. Entropy is a limited resource, and using more of it *reduces* rather than increases its quality. I don't suppose you have a thermal entropy generator in every single machine you administrate, do you? DES --=20 Dag-Erling Sm=F8rgrav - des@des.no