--wac7ysb48OaltWcw
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
hi guys,
On Thu, Feb 23, 2006 at 09:21:16PM +0100, Gerhard Lausser wrote:
> Ethan, you applied my nrpe-2.3-allow_weak_random_seed patch to the 2.4
> branch. Would you be so kind and add another line, which came to my mind
> later? The results of the rand() calls in the last fallback might be
> predictable, so seeding with the current time is necessary.
> It's just a "srand(time(NULL));" after the syslog call. I attached a patch
> file for the 1.42
i'd like to advise against this, and maybe comment on a bit
more on the use of random bits in nrpe. =20
srand should really only be called once, and with a value that is as
unpredictable as possible. instead of calling srand(time(NULL)), i
might suggest something like the following:
seed=3D(int)time(NULL)*311-getpid()*359+getppid()*383;
which makes remote attacks on the prng more or less impossible, and local
ones difficult at best. i'm not sure why you would need to call it
multiple times.
also, nrpe currently reads a random byte from /dev/urandom for seeding
it the first time. i'd like to point out that this means that the prng
is seeded with a value that is strictly between 0 and 255 inclusive.
that's not a very large search space for someone trying to crack
something.
it also drains precious entropy from the system by reading from the
random device. for both of these reasons this code has been
patched out of the code in debian and replaced with something like
the above example. i would suggest that you do something similar.
if you really want to keep a "random byte" in the seed, i suppose
it would be best to include it in the above example, perhaps
replacing one of the prime numbers. however, i'm not convinced
that it gets you much.
sean
--wac7ysb48OaltWcw
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iD8DBQFD/q+yynjLPm522B0RAnTxAJ4nyqxztmG6B0nGFQCwuv8lZUctegCfazq2
upH7a5dexXATIXM8fNcsWb0=
=kCW2
-----END PGP SIGNATURE-----
--wac7ysb48OaltWcw--
This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]