
Re: getppid misused as entropy source



On Tue, Mar 08, 2005 at 10:14:20PM +0100, Bruno Rohee wrote:
> 
> Well, I looked at the RADIUS RFC and your proposal is at least
> partially wrong. 
> 
> The field in the RADIUS request that you proposed to randomize
> is defined as NAS-Port in RFC 2865 and is used to specify which
> port of the device the login requester connects to. One can then
> limit login in his RADIUS configuration to something like people
> connecting only via the modem plugged on the second serial port
> (which number is returned by the ttyslot() code). Your proposed
> change just breaks that feature for no good reason.

Oh, I see it now: I saw "auth_port" and immediately thought about
TCP/UDP port, thus I thought ttyslot() was nonsensical, because I
thought the code was just trying to supply a random value. Dumb me,
sorry for the noise.

> But it was not at all a case of getppid() used as a source of entropy
> as you thought.

Thanks for such an elaborate response for my proposal. It turns out I
have to remember to do my homework better next time I go change code.

Thanks also to all who answered privately and pointed out my mistakes.

Kind regards,
Fabio Olive

-- 
I drowned in the universal pool of entropy
Eris has saved me, and she has set me free