From owner-freebsd-questions@FreeBSD.ORG Mon Jan 8 20:41:39 2007
Message-ID: <45A2AC83.4090506@u.washington.edu>
Date: Mon, 08 Jan 2007 12:41:39 -0800
From: Garrett Cooper
To: freebsd-questions@freebsd.org
In-Reply-To: <45A2A60F.3080500@u.washington.edu>
Subject: Re: pwgen's seeding looks insecure

Garrett Cooper wrote:
> Dan Nelson wrote:
>> In the last episode (Jan 08), Garrett Cooper said:
>>
>>> On Jan 8, 2007, at 10:36 AM, Dan Nelson wrote:
>>>
>>>> Even better: make RANDOM() call random() instead of rand(), and
>>>> initialize the rng with srandomdev().
>>>>
>>>> Another random password generator is in security/apg, and that one
>>>> already uses /dev/random as a seed.
>>>>
>>> Not all architectures support random number generation though IIRC
>>> and random number generation can be removed from the kernel, so I
>>> think that the dev was playing it safe by using another, less random
>>> seed source than /dev/random or /dev/urandom.
>>>
>>
>> Luckily, if srandomdev() can't open /dev/random, it falls back to
>> seeding with gettimeofday() (so more variability than just time()),
>> getpid(), and some random data off the stack, so it's always safe to
>> use. I just noticed that there's also a sranddev, so fixing pwgen is
>> really as simple as replacing the srand() call with sranddev()
> Interesting--I didn't know that. That sounds a lot better than
> what's in place by a long shot and it would be nice to have that in
> the program considering that random number generators are quite
> ubiquitous in Unix nowadays.
> I'll CC the project devs later on today with this thread then.
> -Garrett

Hmm.. it seems that the project hasn't been updated in eons (2001): .
I'll still try to get a hold of the dev, but I'm not sure if they are
still administering the project.
-Garrett
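
Added example, not part of the original message and not pwgen or libc code: a portable C illustration of the seeding change discussed in the thread, showing that a time()-only seed makes two runs in the same second produce the same password, and a device-first seed with the gettimeofday()/getpid() fallback described above. The names seeded_password() and device_seed() are hypothetical, and that pwgen seeds srand() with time() alone is an assumption drawn from the thread.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/time.h>
#include <time.h>
#include <unistd.h>

static const char ALPHABET[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";

/* Password drawn from rand(): entirely determined by the seed. */
void seeded_password(unsigned seed, char *out, size_t len)
{
    srand(seed);
    for (size_t i = 0; i < len; i++)
        out[i] = ALPHABET[rand() % (sizeof ALPHABET - 1)];
    out[len] = '\0';
}

/* Hypothetical stand-in for the seeding behaviour described in the thread:
 * read the seed from the random device, else mix gettimeofday() and getpid(). */
unsigned device_seed(const char *path, int *used_fallback)
{
    unsigned seed;
    struct timeval tv;
    int fd = open(path, O_RDONLY);

    if (fd >= 0) {
        ssize_t n = read(fd, &seed, sizeof seed);
        close(fd);
        if (n == (ssize_t)sizeof seed) {
            *used_fallback = 0;
            return seed;
        }
    }
    gettimeofday(&tv, NULL);
    *used_fallback = 1;
    return (unsigned)tv.tv_sec ^ (unsigned)tv.tv_usec ^ ((unsigned)getpid() << 16);
}

int main(void)
{
    char a[17], b[17];
    int fb;
    unsigned now = (unsigned)time(NULL);   /* time()-only seed (assumed weak case) */

    seeded_password(now, a, 16);           /* two runs within the same second */
    seeded_password(now, b, 16);
    printf("time seed:   %s %s\n", a, b);
    seeded_password(device_seed("/dev/urandom", &fb), a, 16);
    printf("device seed: %s (fallback=%d)\n", a, fb);
    return 0;
}
```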