PRNGD

Overview

The Pseudo Random Number Generator Daemon is an EGD-compatible interface that can be used as an entropy source for OpenSSL-based packages such as mod_ssl, ssh, and scp.

Configuring

  1. Download the source code version or the binary version.

  2. If you downloaded the source code version, tweak Makefile and config.h, and then compile the /usr/local/sbin/prngd binary.

    The Makefile tweaks for a Sun Solaris 8 box could include changing the CC flag from cc to gcc, and uncommenting some Solaris-specific flags:

    # Solaris 7 or 8
    # CC=cc
    # CFLAGS=-xO4 -KPIC -DSOLARIS
    CC=gcc
    CFLAGS=-O -DSOLARIS
    SYSLIBS=-lsocket -lnsl

  3. Generate an /etc/prngd.conf and add commands to gather entropy. Samples can be found under ../contrib/operating_system.

  4. Generate an initial seed. This step is only relevant before the first start.

    You can start prngd without an initial seed and it will collect entropy. Supplying an initial seed speeds up the process.

    If you have installed a real EGD, you can run:

    egc.pl /var/run/egd-pool read 255 > /etc/prngd-seed

    or you can concatenate some log files:

    cat /var/adm/syslog/mail.log /var/adm/syslog/syslog.log > /etc/prngd-seed

  5. Start prngd:

    /usr/local/sbin/prngd /var/run/egd-pool

/var/run/egd-pool is a socket. If there is already an unused socket of that name, it will be removed automatically so that the new one can be created in its place.

prngd needs 'write' permission in the directory in which the socket file is created. You can specify more than one socket; prngd will serve all sockets simultaneously from the same pool but (of course) will generate different random bytes for each and every call.

The PRNG in the OpenSSL library will automatically query an egd-socket located at any of the following locations:

/var/run/egd-pool
/dev/egd-pool
/etc/egd-pool

Configuring Ports

PRNGD supports both UNIX sockets, as shown in the example, and TCP sockets (localhost only). There is no port number registered, so pick a free port on your system, e.g. 708 when running with root permissions and you want to offer it as a system service, or 4840 without root permissions.

To have PRNGD listen on both the Unix socket and TCP, run:

prngd   options   /var/run/egd-pool   tcp/localhost:708   tcp/localhost:4840

Configure the TCP ports in /etc/services:

 prngd		708/tcp		# prngd/EGD system service
 prngd-user	4840/tcp	# prngd/EGD user service

To verify the TCP port numbers run:

egc.pl localhost:prngd get

Testing

To find out the amount of entropy in the PRNG pool:

egc.pl /var/run/egd-pool get

To obtain some random data for testing:

egc.pl /var/run/egd-pool read 255
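The two egc.pl calls above speak the plain EGD socket protocol that prngd implements, so the same checks can be scripted without Perl. The client below is an added example written for this page, not part of the prngd or egc.pl distribution; it assumes the standard EGD command bytes (0x00 get, 0x01 non-blocking read, 0x02 blocking read) and the default UNIX socket path, and it separates the byte-level encoding from the socket I/O so the protocol handling can be checked offline.

```python
import socket
import struct

# EGD request opcodes (the protocol egc.pl and OpenSSL's RAND_egd use):
#   0x00 -> reply is a 4-byte big-endian count of entropy bits in the pool
#   0x01 -> non-blocking read of N bytes; reply is a length byte, then 0..N bytes
#   0x02 -> blocking read of N bytes; reply is exactly N bytes (may wait for entropy)
EGD_GET, EGD_READ_NONBLOCK, EGD_READ_BLOCK = 0x00, 0x01, 0x02
DEFAULT_SOCKET = "/var/run/egd-pool"  # one of the paths OpenSSL probes by itself


def build_request(cmd, count=0):
    """Encode one EGD request. The length field is a single byte, hence the 255 limit."""
    if cmd == EGD_GET:
        return bytes([EGD_GET])
    if cmd in (EGD_READ_NONBLOCK, EGD_READ_BLOCK):
        if not 1 <= count <= 255:
            raise ValueError("EGD read length must be between 1 and 255")
        return bytes([cmd, count])
    raise ValueError("unsupported EGD command %#x" % cmd)


def parse_get_reply(data):
    """Decode the 4-byte big-endian entropy count answered to a 'get'."""
    (bits,) = struct.unpack("!I", data[:4])
    return bits


def parse_nonblock_read_reply(data):
    """A non-blocking read may return fewer bytes than asked for: honour the length byte."""
    return data[1:1 + data[0]]


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("EGD socket closed before the reply was complete")
        buf += chunk
    return buf


def egd_entropy_bits(path=DEFAULT_SOCKET):
    """Same as `egc.pl <socket> get`: ask the running prngd for its entropy estimate."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(build_request(EGD_GET))
        return parse_get_reply(_recv_exact(s, 4))


def egd_read(count, path=DEFAULT_SOCKET):
    """Same as `egc.pl <socket> read N`: blocking read of N random bytes from the pool."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(build_request(EGD_READ_BLOCK, count))
        return _recv_exact(s, count)
```

Calling egd_entropy_bits() against a freshly started daemon with no seed file will show the count climbing as the /etc/prngd.conf gatherers run, which is a quick way to confirm the daemon is actually collecting entropy and not just answering.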

Stopping

To shut down PRNGD cleanly, allowing it to save random data back to the seed file, execute:

prngd --kill /var/run/egd-pool