On Fri, May 02, 2014 at 10:30:28PM +0000, Scott Neugroschl wrote:
> > NetBSD and FreeBSD (as of 10.0) both use a sysctl, just like OpenBSD.
> > Linux also has an obscure sysctl which pulls directly from the internal
> > CSPRNG. So all of these will work in a jail without /dev or /proc.
> >
> > OS X still seeds itself from /dev/urandom in its arc4random
> > implementation, as it inherited FreeBSD's old code. Solaris sadly only
> > has /dev/urandom.
>
> And then there are those implementations that have to use PRNGD because
> there's no built-in source of randomness.

That's basically equivalent to /dev/urandom from the code's perspective.

The reason why /dev/urandom sucks is two-fold: 1) as already mentioned you
can't access it inside a chroot jail (unless explicitly created, but then you
can't mount with the nodev option), but also 2) you may have hit a file
descriptor limit and can't even open it.

Along those same lines: I don't understand why Linux, glibc & Co. are so
gung-ho about the /proc filesystem. Some glibc routines depend on it. /proc
proponents wave away the chroot jail problem because they seem to believe
complex, global configuration files are somehow preferable. Whatever. They can
keep their opinion. But there's no excusing the file descriptor limit issue.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
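Added example, not part of the thread and not OpenSSH or libc code, showing the second failure mode the reply describes (a process at its file descriptor limit cannot open /dev/urandom) next to a descriptor-free alternative. It assumes Linux with the getrandom(2) system call (kernel 3.17 and glibc 2.25 or later, both of which post-date this 2014 message) and a present /dev/urandom; all function names are constructed for the demonstration. It lowers the soft RLIMIT_NOFILE to the exact number of descriptors in use, so the next open() fails with EMFILE, then tries both sources and restores the limit.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/random.h>   /* getrandom(2): assumed available (glibc >= 2.25, Linux >= 3.17) */
#include <sys/resource.h>
#include <unistd.h>

/* Fill buf from /dev/urandom. Returns 0 on success, -errno on failure
 * (EMFILE at the descriptor limit, ENOENT inside a chroot without /dev, ...). */
int fill_from_urandom(unsigned char *buf, size_t nbytes)
{
    int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -errno;
    size_t got = 0;
    while (got < nbytes) {
        ssize_t n = read(fd, buf + got, nbytes - got);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            int e = errno;
            close(fd);
            return -e;
        }
        if (n == 0) {            /* should never happen for urandom */
            close(fd);
            return -EIO;
        }
        got += (size_t)n;
    }
    close(fd);
    return 0;
}

/* Fill buf via getrandom(2): no descriptor, no /dev, no /proc needed. */
int fill_from_getrandom(unsigned char *buf, size_t nbytes)
{
    size_t got = 0;
    while (got < nbytes) {
        ssize_t n = getrandom(buf + got, nbytes - got, 0);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -errno;
        }
        got += (size_t)n;
    }
    return 0;
}

/* Put the process at its descriptor limit. open() always returns the lowest
 * free descriptor, so after nfds successful opens every descriptor up to the
 * highest one returned is in use; lowering the soft limit to highest+1 makes
 * any further open() fail with EMFILE. Saves the old limit in *saved and the
 * opened descriptors in fds[]. Returns 0 on success, -errno on failure. */
int exhaust_fd_limit(struct rlimit *saved, int *fds, int nfds)
{
    int highest = -1;
    for (int i = 0; i < nfds; i++) {
        fds[i] = open("/dev/null", O_RDONLY | O_CLOEXEC);
        if (fds[i] < 0)
            return -errno;
        if (fds[i] > highest)
            highest = fds[i];
    }
    if (getrlimit(RLIMIT_NOFILE, saved) != 0)
        return -errno;
    struct rlimit lim = *saved;
    lim.rlim_cur = (rlim_t)highest + 1;
    if (setrlimit(RLIMIT_NOFILE, &lim) != 0)
        return -errno;
    return 0;
}

/* Returns 1 if, at the descriptor limit, /dev/urandom fails with EMFILE while
 * getrandom() still succeeds; 0 if the behaviour differs; -errno on setup error.
 * The limit and the scratch descriptors are restored before returning. */
int urandom_vs_getrandom_at_fd_limit(void)
{
    unsigned char buf[16];
    int fds[8];
    struct rlimit saved;

    int rc = exhaust_fd_limit(&saved, fds, 8);
    if (rc < 0)
        return rc;
    int r_dev = fill_from_urandom(buf, sizeof buf);
    int r_sys = fill_from_getrandom(buf, sizeof buf);

    setrlimit(RLIMIT_NOFILE, &saved);
    for (int i = 0; i < 8; i++)
        close(fds[i]);
    return (r_dev == -EMFILE && r_sys == 0) ? 1 : 0;
}

int main(void)
{
    int r = urandom_vs_getrandom_at_fd_limit();
    if (r < 0)
        printf("setup failed: %s\n", strerror(-r));
    else
        printf("at the fd limit: /dev/urandom %s, getrandom() still works: %s\n",
               r ? "fails with EMFILE" : "did not fail as expected", r ? "yes" : "no");
    return r == 1 ? 0 : 1;
}
```

The same EMFILE path is what a library hits when it lazily opens /dev/urandom on first use from a process that has already filled its table with sockets; a fallback that silently returns zeros or a fixed seed on that error is the real hazard, so callers should treat a non-zero return from the /dev/urandom path as fatal rather than as "use what is in the buffer".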