random message "PRNG is not seeded"

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View
I've got a very stange behavior on an embedded system running a Linux
kernel 2.4.17 (I know it is quite old...). Previously openSSH 3.7.1p2
was installed and everything worked very well.
Now I just upgraded to version 3.9p1 and I observed that randomly ssh
connections to the system fail with error message : "PRNG is not
seeded". I said randomly because it doesn't happen each time you try to
connect to the system (no, too simple). In fact I realized there was a
problem because there is a script running on the system that performes
localhost connection to the system itself ('ssh account@localhost
cmde'), and it goes again and again. Frequency is around 2 connections
per second. And randomly one of those 120 connections per minute fail
with this message "PRNG is not seeded" and really I don't understand
what is happening !...
I saw in openSSH source code that error message comes from entropy.c
file consequence of bad return value from RAND_status function (openSSL
lib). I though problem could come because openSSL version was quite old
too (openSSL 0.9.7c) so I upgraded it to v. but no difference.
What I cannot understand is why most of the time connections are
successful and sometimes, randomly, one of them fails. Architecture is
pentium 4 based and nothing special is running on the system when tests
are performed...

Re: random message "PRNG is not seeded"

civodul.anonymous@laposte.net writes:

Quoted text here. Click to load it

On an embedded system there is in general very little "entropy : generated
by the system. No mouse, no keyboard, no hard drive. IF the system uses
just this entropy, and if the system does not stretch it out with a good
cryptographic pseudo random number generator, then you WILL run out.
All such systems should use /dev/urandom, but some people are idiots and
have them use /dev/random instead.

Why the hell would you be connecting to the system 2 per second. That just
sounds insane. Fix that problem and try not to exhaust the ability of the
system to generate randomness.

Quoted text here. Click to load it

That is probably part of th eproblem. NOt enough randomness generated by
the system.

Re: random message "PRNG is not seeded"

You can use the controlmaster/controlpath feature of OpenSSH to create a
single long-lived SSH session, and use multiple channels within that one
session session where you are using separate SSH connections now.  That
will address the depletion of the random bit source.

  Richard Silverman

Re: random message "PRNG is not seeded"

Quoted text here. Click to load it

This can happen any time OpenSSL can't provide enough entropy, but the
reason you're probably seeing it more often is that from version 3.9,
sshd re-execs itself after accepting each connection (this is because it
makes certain types of exploit harder on some systems).

A few things that you can try:

1) make sure you have a /dev/urandom and that it's the correct major,
minor and has the correct permissions:
$ ls -l /dev/urandom
cr--r--r--  1 root root 1, 9 May 24 03:48 /dev/urandom

You might want to check /dev/random too.

2) If you don't have those devices and are using ssh-rand-helper, then
try 4.3p2 instead of 3.9p2 (as the former passes the random seed to
the child during the re-exec, and thus sshd needs to reseed itself much
less frequently.

2) Try disabling the re-exec code (add the "-r" flag to sshd's command

Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

Re: random message "PRNG is not seeded"

Many thanks, your advises were very helpful to me.
Actually our system do have /dev/random and /dev/urandom devices
installed. In a previous release, we were running an old 2.4.1 linux
kernel and everything was ok, even with openSSH 3.9. It seems we broke
something in /dev/urandom in 2.4.17 (...).

Thanks and regards.

Darren Tucker acrit :

Quoted text here. Click to load it
et> wrote:
Quoted text here. Click to load it

Re: random message "PRNG is not seeded"

Quoted text here. Click to load it

Why aren't you updating to 2.4.20 or later? Even if you're using an old
retired RedHat release, the Fedora Legacy project has published 2.4.20.

Re: random message "PRNG is not seeded"

Nico Kadel-Garcia acrit :

Quoted text here. Click to load it

Just because everybody doesn't live in the happy world of "state of the
art" systems ...
When you design and maintain a system customized for a specific
hardware, sometimes you are facing cruel reality of cost development
and have to deal with ROI.

Site Timeline