Someone recently recommended sysutils/pwgen for generating user passwords. Out of curiosity I had a look at how it works, and I don't like the look of its PRNG initialization:
#ifdef RAND48 srand48((time(0)<<9) ^ (getpgrp()<<15) ^ (getpid()) ^ (time(0)>>11)); #else srand(time(0) ^ (getpgrp() << 8) + getpid()); #endif If pwgen is called from an account creation script, time(0) can be inferred from timestamps, e.g. on a home-directory, so that just leaves getpid() and getpgrp(). PIDs are allocated sequentially and globally, so getpid() is highly predictable. I don't know much about getpgrp(), but from the manpage it doesn't appear to be any better. Unless getpgrp() is a better source of entropy than I give it credit for, I think this port should perhaps be marked as vulnerable. _______________________________________________ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
