
Distrust OS/2 OpenSSH OpenSSL; QPuTTY Dubious

July 16, 2022

Bitwise Works has generously ported OpenSSH and OpenSSL to OS/2. You get both if you use the Arca Noae package manager to install OpenSSH. This includes SCP. The OpenSSH and SCP clients are really useful utilities for maintaining OpenWRT and similar routers on your secure local network.

I have considerable distrust of these utilities for use over the open web. For that purpose, I have slightly less distrust of the OS/2 QPutty port by KO Myung-Hun.

Strong Distrust of OS/2 SSH

We know that OS/2 does not provide a standard source for the strong random data seed that's essential input to cryptographic random number generators. For such cases, OpenSSH and related clients are supposed to call ssh-rand-helper.exe. It is supposed to run the programs in %unixroot%\ssh\ssh_prng_cmds to get some random data. And it's supposed to store a random data seed in %home%\.ssh\prng-seed, so that entropy gets collected over time.

The Bitwise port does not even include the ssh-rand-helper. An earlier port by Nikk does include it. I ran it manually (ssh-rand-helper -vb 12 to get verbose output and request 12 bytes). I found that ssh_prng_cmds requires the pathname to each program and cannot have any blank lines even at the end, and that you need a lot, maybe 16. It wasn't clear that they actually ran, but it did create the prng-seed file. But after it was created, it could never update it. It seems it tries to rename a temporary copy to the seed file and that, of course, fails once it already exists. The failure of this to work correctly may explain why, so far as I can tell, Nikk's ported clients don't use ssh-rand-helper and why Bitwise Works left it out completely.
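The seed-file update failure described above, as an added sketch in C (not code from ssh-rand-helper or either port). It assumes the cause is a rename() that refuses to overwrite an existing target, which the paragraph only suspects; rename_no_overwrite and update_seed are hypothetical names, and the first simulates that behaviour so the fallback can be exercised on any system.

```c
#include <errno.h>
#include <stdio.h>

/* Same signature as rename(), injectable so overwrite-refusing behaviour
   can be simulated on a system whose rename() replaces silently. */
typedef int (*rename_fn)(const char *from, const char *to);

/* Constructed stand-in for a rename() that fails when the target exists. */
int rename_no_overwrite(const char *from, const char *to)
{
    FILE *f = fopen(to, "rb");
    if (f != NULL) {
        fclose(f);
        errno = EEXIST;   /* assumed error code; the real one is platform-specific */
        return -1;
    }
    return rename(from, to);
}

/* Write the new seed to <path>.tmp, then move it over the old seed file. */
int update_seed(const char *path, const unsigned char *seed, size_t len,
                rename_fn do_rename)
{
    char tmp[512];
    int n = snprintf(tmp, sizeof tmp, "%s.tmp", path);
    if (n < 0 || (size_t)n >= sizeof tmp)
        return -1;

    FILE *f = fopen(tmp, "wb");
    if (f == NULL)
        return -1;
    size_t written = fwrite(seed, 1, len, f);
    if (fclose(f) != 0 || written != len) {
        remove(tmp);
        return -1;
    }
    if (do_rename(tmp, path) == 0)
        return 0;               /* first run, or an overwriting rename */
    /* Target exists and rename refused: delete the old seed and retry once.
       Not atomic: a crash between the two calls leaves the seed only in
       <path>.tmp. */
    if (remove(path) == 0 && do_rename(tmp, path) == 0)
        return 0;
    remove(tmp);
    return -1;
}
```

Without the remove-and-retry step, the first call creates the seed file and every later call fails, which matches the behaviour observed above.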

But with no standard source of randomness or a working ssh-rand-helper system, what can they be using as a source of strong random data to seed the cryptographic random number generator?

This matters. In the 1990s, it was found that Netscape HTTPS could be broken in minutes remotely and seconds on the local machine. This was because they were seeding the cryptographic random number generator with the time of day, pid, and parent pid, and that wasn't anywhere near unpredictable enough (Goldberg and Wagner 1996).

Goldberg, Ian, and Wagner, David. 1996. Randomness and the Netscape Browser. Dr. Dobb's Journal. January.
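To make the size of that problem concrete, here is an added sketch in C (not Netscape's code and not from the cited article). It derives a key from nothing but time of day, pid, and parent pid, then counts how many candidates must be tried to match it. The mixer, the microsecond clock resolution, and all function names are assumptions of the sketch.

```c
#include <stdint.h>

/* 64-bit mixer (splitmix64 finalizer), a constructed stand-in for the real
   hashing step; it is a bijection on 64-bit values. */
static uint64_t mix64(uint64_t x)
{
    x ^= x >> 30; x *= 0xbf58476d1ce4e5b9ULL;
    x ^= x >> 27; x *= 0x94d049bb133111ebULL;
    return x ^ (x >> 31);
}

/* Key derived only from time of day, pid and parent pid. */
uint64_t weak_key(uint32_t sec, uint32_t usec, uint32_t pid, uint32_t ppid)
{
    uint64_t t = ((uint64_t)sec << 32) | usec;
    return mix64(t ^ mix64(((uint64_t)pid << 32) | ppid));
}

/* Whole bits of uncertainty in a space of `candidates` equally likely seeds. */
unsigned space_bits(uint64_t candidates)
{
    unsigned bits = 0;
    while (candidates >>= 1)
        bits++;
    return bits;
}

/* Walk every (second, microsecond) in [sec_lo, sec_hi] with pid and ppid
   known, as they are to a user on the same machine. Returns the number of
   candidates tried before the key matched, or 0 if it never did. */
uint64_t tries_to_match(uint64_t key, uint32_t sec_lo, uint32_t sec_hi,
                        uint32_t pid, uint32_t ppid,
                        uint32_t *sec_out, uint32_t *usec_out)
{
    uint64_t tries = 0;
    for (uint32_t sec = sec_lo; sec <= sec_hi; sec++) {
        for (uint32_t usec = 0; usec < 1000000u; usec++) {
            tries++;
            if (weak_key(sec, usec, pid, ppid) == key) {
                *sec_out = sec;
                *usec_out = usec;
                return tries;
            }
        }
    }
    return 0;
}
```

With the clock known to within three seconds and both pids known, space_bits(3000000) is 21, against the 128 or more bits a session key is supposed to carry.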

Another indicator that there may be a serious problem is that OpenSSH normally requires LibCrypto (here crypto11.dll) from OpenSSL. Indeed, if you use the Arca Noae package manager to install OpenSSH, it will also install the purportedly necessary OpenSSL if you don't already have it.

There's just one problem. If you remove crypto11.dll, ssh and ssh-keygen run without error or warning in actual fact. They apparently aren't using LibCrypto at all. That would seem to be completely impossible, but evidently it's only almost completely impossible. They run without the DLL. It's kind of stunning. But then, I'm not a programmer.

At least with openssl, you can use -rand and -writerand arguments to work with a seed file, but no one ever does that, and this doesn't help you with ssh.

Moderate Distrust of OS/2 QPutty

The OS/2 QPutty port comes with the source code of the patches. One of those patches claims to implement OS/2 noise. That at least is evidence that attention was paid to the importance of collecting entropy. As a result, I have less distrust of this than I do of the OS/2 SSH port.

Still, my confidence was shaken when I found a 606-byte file %home%\.putty\randomseed that OS/2 tells me was created months ago, never updated, and not recently accessed. Suspecting PuTTY was not using it, I deleted the .putty directory. The program recreated it on saving default settings and/or server keys. But no randomseed was recreated. Yet PuTTY *requires* a random seed file to improve the unpredictability of random data needed as part of SSH cryptography (see the PuTTY FAQ).

The patches include provision for running pstat /a to collect entropy in at least some circumstances. But that program is never run in actual fact. That may not be significant; it may be a final fallback that's never reached. But in all honesty, it's not a good sign.

The bottom line is that I have marginally less mistrust for OS/2 PuTTY than SSH because the included source code patches indicate that creating a decent randomness source was at least attempted and calls for randomness weren't just commented out. But the lack of any random seed file in either environment does not inspire confidence of correct implementation.

Message in a Bottle

Long ago I unplugged from Internet newsgroups, mailing lists, forums, discussion boards, and the like. I never plugged into Facebook or Twitter either. And since I don't have their email addresses, I don't really have a way to provide feedback to the kind folks who ported these programs to OS/2. But I do have a website, and Bing, Google, and friends do index it. So I'm just going to post these observations and concerns, knowing that if anybody else ever searches on this topic, they'll find it. And then they can reach me, whether to debunk my concerns or help get them addressed.

📧 Send Comment Walt.Gregg.Juneau.AK.US/contact