[Pkg-nagios-devel] Bug#660585: Bug#660585: [Secure-testing-team] Bug#660585: nagios-nrpe-server: again use secure RNG

Alexander Wirt formorer at formorer.de
Mon Feb 20 12:22:18 UTC 2012


Christoph Anton Mitterer wrote on Monday, 20 February 2012:

> On Mon, 2012-02-20 at 11:58 +0100, Nico Golde wrote:
> > I'm not sure if I can agree with you here. The fact that before the patch the 
> > code was using urandom doesn't necessarily make it more secure. Actually 
> > looking at the patch, the code was using a one character seed (0..255) as a 
> > random seed before. Please see 
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=333552
> 
> Well...
> a) SSL is broken in NRPE anyway... so I rather consider this at the
> moment a "conceptual" issue than a technical.
> 
> b) I doubt that a (probably predictable - that may be even a multi-user
> system) number made out of PID/PPID/date is more secure than a (for the
> real world) quite secure /dev/urandom .
> 
> c) I'm not an in-depth crypto expert, but if those 8 bits of entropy are
> not enough for SSL's initial PRNG seed, then a patch that reads just a
> bit more would have been the obvious fix; right?
> 
> d) The argument in that bug is imho not very strong,...
> draining /dev/urandom by reading just one byte is difficult (of course
> if you have thousands of concurrent NRPEs things look different).
> But I guess the right solution would have been to just disable the
> broken ssl support per default?
> To the uneducated user it gives just a wrong sense of security, while in
> reality it helps nothing at all and costs just performance.
> 
> Anyway,... to some extent this strongly reminds me of the OpenSSL
> debacle...
> 
> Cheers,
> Chris.
> 
> btw: To the Nagios maintainers,... I know I've opened several bugs
> recently, some of which you closed/wontfix already,.. hope you don't
> consider this as getting on your nerves; my intention is just to improve
> the packages :)

In fact you do. You are telling us mostly known things or just nonsense.

Alex
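The technical point under dispute in the thread is what a one-byte (0..255) seed buys you, regardless of whether that byte came from /dev/urandom or from PID/date arithmetic. The following is an added example written for this archive page, not code from NRPE, OpenSSL, or any of the participants: it uses Python's random.Random as a stand-in for a deterministic PRNG, derives a 128-bit "session nonce" from the seed, and shows that an attacker who sees one nonce recovers a one-byte seed by trying all 256 values, while a 32-byte seed from os.urandom (the same kernel source as /dev/urandom) is out of reach. The nonce derivation, the attacker loop and the brute-force cutoff are constructed for the demonstration.

```python
"""Added example: a one-byte seed is an enumerable seed.

Illustrative code written for this mailing-list page, not NRPE's or
OpenSSL's seeding code.  random.Random stands in for whatever PRNG is
being seeded; the nonce and the attacker are constructed for the demo.
"""
import os
import random

SEED_BYTES_WEAK = 1     # the 0..255 seed discussed in the thread
SEED_BYTES_STRONG = 32  # what a practitioner would read from /dev/urandom

# Above this many candidates the brute-force loop is not worth running in a
# demo; the cutoff is an arbitrary choice for this example.
BRUTE_FORCE_LIMIT = 2 ** 24


def seed_space(seed_bytes: int) -> int:
    """Number of distinct seeds a seed of the given width can take."""
    return 256 ** seed_bytes


def nonce_from_seed(seed: int, bits: int = 128) -> int:
    """Deterministic PRNG output for an integer seed.

    Stand-in for 'seed the SSL PRNG, then draw a nonce/key from it'.
    Same seed, same stream: this is the property the attacker relies on.
    """
    return random.Random(seed).getrandbits(bits)


def weak_seed() -> int:
    """One byte of kernel randomness used as the whole seed (0..255)."""
    return os.urandom(SEED_BYTES_WEAK)[0]


def strong_seed() -> int:
    """32 bytes of kernel randomness as the seed (2**256 possibilities).

    Reading from /dev/urandom does not exhaust it; reading more bytes is
    the fix, not the problem.
    """
    return int.from_bytes(os.urandom(SEED_BYTES_STRONG), "big")


def recover_seed(observed_nonce: int, seed_bytes: int = SEED_BYTES_WEAK,
                 bits: int = 128):
    """Attacker: enumerate every seed of the given width until the PRNG
    reproduces the nonce that was observed on the wire.

    Returns the seed, or None if no candidate matches.  Raises ValueError
    when the seed space is too large to enumerate, which is exactly the
    situation a 32-byte seed puts the attacker in.
    """
    space = seed_space(seed_bytes)
    if space > BRUTE_FORCE_LIMIT:
        raise ValueError(f"{space} candidate seeds: not brute-forceable here")
    for candidate in range(space):
        if nonce_from_seed(candidate, bits) == observed_nonce:
            return candidate
    return None


def demo():
    """Weak seeding end to end: victim seeds, emits a nonce, attacker
    recovers the seed and can now regenerate the victim's whole stream."""
    victim_seed = weak_seed()
    nonce_on_the_wire = nonce_from_seed(victim_seed)
    recovered = recover_seed(nonce_on_the_wire)
    return victim_seed, recovered


if __name__ == "__main__":
    victim, found = demo()
    print(f"victim seed {victim}, attacker recovered {found}")
    print(f"seed space: 1 byte -> {seed_space(1)}, "
          f"32 bytes -> 2**{seed_space(32).bit_length() - 1}")
    try:
        recover_seed(nonce_from_seed(strong_seed()), SEED_BYTES_STRONG)
    except ValueError as e:
        print("strong seed:", e)
```

The point the example makes is the one Nico's message implies: the weakness is the width of the seed, not the device it was read from. Swapping one byte of /dev/urandom for one byte of PID arithmetic changes nothing about the 256-candidate search; reading enough bytes does.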
