[paramiko] paramiko random number regression: Stop using RandomPool!
Robey Pointer
robey at lag.net
Sat Apr 12 15:06:27 PDT 2008
On 3 Apr 2008, at 15:12, Dwayne Litzenberger wrote:
>
> Revision #486 [1] (and therefore Paramiko 1.7.3) re-introduces the
> problems
> associated with PyCrypto's RandomPool class that I described in my
> post back
> in January. RandomPool is not a simple "get random bits" primitive,
> but
> paramiko is again using it as one.
Is there nothing Windows users can do? I added RandomPool as a
fallback because on my Windows XP box did not have the winrandom
module. Since I think XP will be the most widely used Windows release
for the forseeable future, this is really bad. :(
> This is a very serious bug for Windows users of Paramiko. As I
> mentioned in
> my January post, there is a longstanding bug in PyCrypto that causes
> the
> native "winrandom" module to not be built. As a result, the only
> way to get
> entropy from Windows is to use the os.urandom module (provided in
> Python 2.4
> and later). Unfortunately, when you merged my changes, you removed
> the call
> to os.urandom. This error would normally have been detected on
> systems
> lacking a winrandom module (i.e. all of them), but since you
> replaced the call
> to os.urandom with the instantiation of RandomPool, Paramiko's
> random number
> generator simply fails silently.
Actually I just moved the os.urandom code into our osrandom.py file,
so it should still use /dev/urandom in preference to anything else,
and will use winrandom if it can find that.
Is there anything at all we can do to keep things running on XP but
(relatively) secure?
robey
More information about the paramiko
mailing list