On Jan 8, 2007, at 10:36 AM, Dan Nelson wrote:

In the last episode (Jan 08), RW said:
Someone recently recommended sysutils/pwgen for generating user
passwords.  Out of curiosity I had a look at how it works, and I
don't like the look of its PRNG initialization:

#ifdef RAND48
srand48((time(0)<<9) ^ (getpgrp()<<15) ^ (getpid()) ^ (time(0) >>11));
  srand(time(0) ^ (getpgrp() << 8) + getpid());

If pwgen is called from an account creation script, time(0) can be
inferred from timestamps, e.g. on a home-directory, so that just leaves getpid() and getpgrp(). PIDs are allocated sequentially and globally,
so getpid() is highly predictable. I don't know much about getpgrp(),
but from the manpage it doesn't appear to be any better.

Even better: make RANDOM() call random() instead of rand(), and
initialize the rng with srandomdev().

Another random password generator is in security/apg, and that one
already uses /dev/random as a seed.

        Dan Nelson

Not all architectures support random number generation though IIRC and random number generation can be removed from the kernel, so I think that the dev was playing it safe by using another, less random seed source than /dev/random or /dev/urandom.
freebsd-questions@freebsd.org mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to