Just use /dev/urandom since that's what everyone ends up using anyway.
Make -u a nop. --HG-- extra : convert_revision : ef0615311b43c8bfe1985df64a4a95ce4ec0d8e6
This commit is contained in:
parent
456b500902
commit
b04e2d14ef
@ -29,7 +29,6 @@
|
|||||||
#include "dbutil.h"
|
#include "dbutil.h"
|
||||||
#include "algo.h"
|
#include "algo.h"
|
||||||
#include "tcpfwd.h"
|
#include "tcpfwd.h"
|
||||||
#include "random.h"
|
|
||||||
|
|
||||||
cli_runopts cli_opts; /* GLOBAL */
|
cli_runopts cli_opts; /* GLOBAL */
|
||||||
|
|
||||||
@ -54,7 +53,6 @@ static void printhelp() {
|
|||||||
"-N Don't run a remote command\n"
|
"-N Don't run a remote command\n"
|
||||||
"-f Run in background after auth\n"
|
"-f Run in background after auth\n"
|
||||||
"-y Always accept remote host key if unknown\n"
|
"-y Always accept remote host key if unknown\n"
|
||||||
"-u Use /dev/urandom - use with caution\n"
|
|
||||||
#ifdef ENABLE_CLI_PUBKEY_AUTH
|
#ifdef ENABLE_CLI_PUBKEY_AUTH
|
||||||
"-i <identityfile> (multiple allowed)\n"
|
"-i <identityfile> (multiple allowed)\n"
|
||||||
#endif
|
#endif
|
||||||
@ -88,7 +86,6 @@ void cli_getopts(int argc, char ** argv) {
|
|||||||
char* dummy = NULL; /* Not used for anything real */
|
char* dummy = NULL; /* Not used for anything real */
|
||||||
|
|
||||||
/* see printhelp() for options */
|
/* see printhelp() for options */
|
||||||
opts.listen_fwd_all = 0;
|
|
||||||
cli_opts.progname = argv[0];
|
cli_opts.progname = argv[0];
|
||||||
cli_opts.remotehost = NULL;
|
cli_opts.remotehost = NULL;
|
||||||
cli_opts.remoteport = NULL;
|
cli_opts.remoteport = NULL;
|
||||||
@ -103,6 +100,7 @@ void cli_getopts(int argc, char ** argv) {
|
|||||||
#endif
|
#endif
|
||||||
#ifdef ENABLE_CLI_LOCALTCPFWD
|
#ifdef ENABLE_CLI_LOCALTCPFWD
|
||||||
cli_opts.localfwds = NULL;
|
cli_opts.localfwds = NULL;
|
||||||
|
opts.listen_fwd_all = 0;
|
||||||
#endif
|
#endif
|
||||||
#ifdef ENABLE_CLI_REMOTETCPFWD
|
#ifdef ENABLE_CLI_REMOTETCPFWD
|
||||||
cli_opts.remotefwds = NULL;
|
cli_opts.remotefwds = NULL;
|
||||||
@ -201,7 +199,7 @@ void cli_getopts(int argc, char ** argv) {
|
|||||||
exit(EXIT_SUCCESS);
|
exit(EXIT_SUCCESS);
|
||||||
break;
|
break;
|
||||||
case 'u':
|
case 'u':
|
||||||
random_dev = DROPBEAR_URANDOM_DEV;
|
/* backwards compatibility with old urandom option */
|
||||||
break;
|
break;
|
||||||
#ifdef DEBUG_TRACE
|
#ifdef DEBUG_TRACE
|
||||||
case 'v':
|
case 'v':
|
||||||
|
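Review bot: The `case 'u':` branch now accepts the flag and does nothing, but the only explanation is the one-line comment, and since the `"-u Use /dev/urandom"` line was dropped from printhelp() the usage text no longer mentions -u at all, so someone who still passes it gets no hint that it has become a no-op. A comment that states why the flag is still accepted, and where the new behaviour is decided, would help the next maintainer: `/* -u is accepted but ignored: DROPBEAR_RANDOM_DEV is now always /dev/urandom (see options.h) */`. The identical `case 'u':` in svr-runopts.c later on this page has the same gap and would take the same comment. Both switch statements start and end outside their hunks, so the option string that still lists 'u' is not visible here.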
@ -74,9 +74,6 @@ by the ssh server.
|
|||||||
.B \-y
|
.B \-y
|
||||||
Always accept hostkeys if they are unknown. If a hostkey mismatch occurs the
|
Always accept hostkeys if they are unknown. If a hostkey mismatch occurs the
|
||||||
connection will abort as normal.
|
connection will abort as normal.
|
||||||
.B \-u
|
|
||||||
Use /dev/urandom rather than /dev/random. This should only be used if the
|
|
||||||
/dev/urandom device is known to have sufficient entropy.
|
|
||||||
.SH AUTHOR
|
.SH AUTHOR
|
||||||
Matt Johnston (matt@ucc.asn.au).
|
Matt Johnston (matt@ucc.asn.au).
|
||||||
.br
|
.br
|
||||||
|
@ -82,9 +82,6 @@ default is /var/run/dropbear.pid
|
|||||||
.TP
|
.TP
|
||||||
.B \-a
|
.B \-a
|
||||||
Allow remote hosts to connect to forwarded ports.
|
Allow remote hosts to connect to forwarded ports.
|
||||||
.B \-u
|
|
||||||
Use /dev/urandom rather than /dev/random. This should only be used if the
|
|
||||||
/dev/urandom device is known to have sufficient entropy.
|
|
||||||
.SH AUTHOR
|
.SH AUTHOR
|
||||||
Matt Johnston (matt@ucc.asn.au).
|
Matt Johnston (matt@ucc.asn.au).
|
||||||
.br
|
.br
|
||||||
|
13
options.h
13
options.h
@ -162,15 +162,10 @@ etc) slower (perhaps by 50%). Recommended for most small systems. */
|
|||||||
* The device will be queried for a few dozen bytes of seed a couple of times
|
* The device will be queried for a few dozen bytes of seed a couple of times
|
||||||
* per session (or more for very long-lived sessions). */
|
* per session (or more for very long-lived sessions). */
|
||||||
|
|
||||||
/* If you are lacking entropy on the system then using /dev/urandom
|
/* We'll use /dev/urandom by default, since /dev/random is too much hassle.
|
||||||
* will prevent Dropbear from blocking on the device. This could
|
* If system developers aren't keeping seeds between boots nor getting
|
||||||
* however significantly reduce the security of your ssh connections
|
* any entropy from somewhere it's their own fault. */
|
||||||
* if the PRNG state becomes guessable - make sure you know what you are
|
#define DROPBEAR_RANDOM_DEV "/dev/urandom"
|
||||||
* doing if you change this. */
|
|
||||||
#define DROPBEAR_RANDOM_DEV "/dev/random"
|
|
||||||
|
|
||||||
/* The -u flag on the commandline can also be used */
|
|
||||||
#define DROPBEAR_URANDOM_DEV "/dev/urandom"
|
|
||||||
|
|
||||||
/* prngd must be manually set up to produce output */
|
/* prngd must be manually set up to produce output */
|
||||||
/*#define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng"*/
|
/*#define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng"*/
|
||||||
|
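Review bot: The rewritten comment above `#define DROPBEAR_RANDOM_DEV "/dev/urandom"` drops the caveat the old text carried: /dev/urandom never blocks, so on a system that has not yet been seeded (no seed persisted across boots, no early entropy source) it can return predictable output, and the old comment's "if the PRNG state becomes guessable" is exactly the case that matters for the pool genrandom() draws from. The new wording frames this as the system developer's fault, which is true but leaves a reader choosing this value for an embedded build without the one actionable piece of information. Suggest keeping the warning factual and short, e.g. `/* /dev/urandom never blocks; on systems that do not persist a seed across boots or feed entropy early it may return predictable output, so make sure the system seeds it before dropbear starts. */`, placed ahead of the define.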
11
random.c
11
random.c
@ -27,13 +27,6 @@
|
|||||||
#include "dbutil.h"
|
#include "dbutil.h"
|
||||||
#include "bignum.h"
|
#include "bignum.h"
|
||||||
|
|
||||||
#ifdef DROPBEAR_RANDOM_DEV
|
|
||||||
const char* random_dev = DROPBEAR_RANDOM_DEV;
|
|
||||||
#else
|
|
||||||
const char* random_dev = NULL;
|
|
||||||
#endif
|
|
||||||
|
|
||||||
|
|
||||||
static int donerandinit = 0;
|
static int donerandinit = 0;
|
||||||
|
|
||||||
/* this is used to generate unique output from the same hashpool */
|
/* this is used to generate unique output from the same hashpool */
|
||||||
@ -69,9 +62,9 @@ static void readrand(unsigned char* buf, unsigned int buflen) {
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifdef DROPBEAR_RANDOM_DEV
|
#ifdef DROPBEAR_RANDOM_DEV
|
||||||
readfd = open(random_dev, O_RDONLY);
|
readfd = open(DROPBEAR_RANDOM_DEV, O_RDONLY);
|
||||||
if (readfd < 0) {
|
if (readfd < 0) {
|
||||||
dropbear_exit("couldn't open %s", random_dev);
|
dropbear_exit("couldn't open random device");
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
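Review bot: `dropbear_exit("couldn't open random device");` in readrand() drops the device path that the old message printed, so a failure no longer tells the operator which device was missing or unreadable. Since `DROPBEAR_RANDOM_DEV` is a string literal (see the options.h hunk), the path can be kept at no cost: `dropbear_exit("couldn't open %s", DROPBEAR_RANDOM_DEV);`. readrand() begins before the hunk and the `#ifdef DROPBEAR_RANDOM_DEV` guard around the open() is now always true given the unconditional define, which is presumably intended but worth a one-line comment.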
2
random.h
2
random.h
@ -33,6 +33,4 @@ void genrandom(unsigned char* buf, int len);
|
|||||||
void addrandom(unsigned char* buf, int len);
|
void addrandom(unsigned char* buf, int len);
|
||||||
void gen_random_mpint(mp_int *max, mp_int *rand);
|
void gen_random_mpint(mp_int *max, mp_int *rand);
|
||||||
|
|
||||||
extern const char * random_dev;
|
|
||||||
|
|
||||||
#endif /* _RANDOM_H_ */
|
#endif /* _RANDOM_H_ */
|
||||||
|
@ -28,7 +28,6 @@
|
|||||||
#include "buffer.h"
|
#include "buffer.h"
|
||||||
#include "dbutil.h"
|
#include "dbutil.h"
|
||||||
#include "algo.h"
|
#include "algo.h"
|
||||||
#include "random.h"
|
|
||||||
|
|
||||||
svr_runopts svr_opts; /* GLOBAL */
|
svr_runopts svr_opts; /* GLOBAL */
|
||||||
|
|
||||||
@ -81,7 +80,6 @@ static void printhelp(const char * progname) {
|
|||||||
#ifdef INETD_MODE
|
#ifdef INETD_MODE
|
||||||
"-i Start for inetd\n"
|
"-i Start for inetd\n"
|
||||||
#endif
|
#endif
|
||||||
"-u Use /dev/urandom - use with caution\n"
|
|
||||||
#ifdef DEBUG_TRACE
|
#ifdef DEBUG_TRACE
|
||||||
"-v verbose\n"
|
"-v verbose\n"
|
||||||
#endif
|
#endif
|
||||||
@ -219,7 +217,7 @@ void svr_getopts(int argc, char ** argv) {
|
|||||||
exit(EXIT_FAILURE);
|
exit(EXIT_FAILURE);
|
||||||
break;
|
break;
|
||||||
case 'u':
|
case 'u':
|
||||||
random_dev = DROPBEAR_URANDOM_DEV;
|
/* backwards compatibility with old urandom option */
|
||||||
break;
|
break;
|
||||||
#ifdef DEBUG_TRACE
|
#ifdef DEBUG_TRACE
|
||||||
case 'v':
|
case 'v':
|
||||||
|