[Pkg-nagios-devel] Bug#660585: [Secure-testing-team] Bug#660585: nagios-nrpe-server: again use secure RNG

Christoph Anton Mitterer calestyo at scientia.net
Mon Feb 20 12:05:06 UTC 2012


On Mon, 2012-02-20 at 11:58 +0100, Nico Golde wrote:
> I'm not sure if I can agree with you here. The fact that before the patch the 
> code was using urandom doesn't necessarily make it more secure. Actually 
> looking at the patch, the code was using a one character seed (0..255) as a 
> random seed before. Please see 
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=333552

Well...
a) SSL is broken in NRPE anyway... so I rather consider this at the
moment a "conceptual" issue than a technical one.

b) I doubt that a (probably predictable - that may be even a multi-user
system) number made out of PID/PPID/date is more secure than a (for the
real world) quite secure /dev/urandom .

c) I'm not an in-depth crypto expert, but if those 8 bits of entropy are
not enough for SSL's initial PRNG seed, then a patch that reads just a
bit more would have been the obvious thing; right?

d) The argument in that bug is imho not very strong,...
draining /dev/urandom by reading just one byte is difficult (of course
if you have thousands of concurrent NRPEs things look different).
But I guess the right solution would have been to just disable the
broken ssl support per default?
To the uneducated user it gives just a wrong sense of security, while in
reality it helps nothing at all and costs just performance.

Anyway,... to some extent this strongly reminds me of the OpenSSL
debacle...

Cheers,
Chris.

btw: To the Nagios maintainers,... I know I've opened several bugs
recently, some of which you closed/wontfix already,.. hope you don't
consider this as getting on your nerves; my intention is just to improve
the packages :)
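As an added illustration (not code from this thread or from NRPE itself): a small Python model of the three seeding approaches discussed above, counting how many distinct PRNG streams each can actually produce across many process starts. The seed functions, the PID range and the time window are assumptions, not values from the bug report.

```python
import math
import os
import random

# Constructed models of the seeding strategies discussed in the thread.
# Python's deterministic random.Random stands in for a PRNG that is seeded
# once per process (assumption: one seed per NRPE process).

def seed_one_byte() -> int:
    """Old NRPE behaviour described above: one urandom byte (0..255)."""
    return os.urandom(1)[0]

def seed_pid_ppid_time(pid: int, ppid: int, now: int) -> int:
    """Patch-style seed mixed from PID, PPID and the current time (model)."""
    return (pid << 32) ^ (ppid << 16) ^ now

def seed_urandom(n: int = 32) -> int:
    """Full-width seed: n bytes straight from the kernel CSPRNG."""
    return int.from_bytes(os.urandom(n), "big")

def first_output(seed: int) -> int:
    """First 64-bit value a PRNG seeded with `seed` emits (deterministic)."""
    return random.Random(seed).getrandbits(64)

def distinct_streams(seed_fn, processes: int) -> int:
    """How many different PRNG streams appear across `processes` starts."""
    return len({first_output(seed_fn()) for _ in range(processes)})

def guessable_seed_bits(pid_range: int, time_window_s: int) -> float:
    """Upper bound on the entropy of a PID/PPID/time seed when an observer
    knows the PID range and the start time to within time_window_s."""
    return math.log2(pid_range * pid_range * time_window_s)

if __name__ == "__main__":
    n = 10000
    print("1-byte urandom seed:", distinct_streams(seed_one_byte, n), "streams from", n, "processes")
    # Constructed scenario: processes started within one second, PIDs drawn from 0..32767
    same_second = lambda: seed_pid_ppid_time(random.randrange(32768), 1, 1329739506)
    print("PID/PPID/time seed :", distinct_streams(same_second, n), "streams from", n, "processes")
    print("32-byte urandom seed:", distinct_streams(seed_urandom, n), "streams from", n, "processes")
    print("PID/PPID/time seed, 60 s window: at most %.1f bits" % guessable_seed_bits(32768, 60))
```

The point is the ceiling: however many connections are served, a one-byte seed can never yield more than 256 distinct streams, and a PID/PPID/time seed is bounded by what the observer already knows about the host.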