The simplest way to verify if OpenSSH is using hardware support (/dev/random or /dev/urandom) to collect random numbers, is to start ssh in debug mode.

* If the debug statement shows "Seeding PRNG from /usr/lib/ssh/ssh-rand-helper", then the software algorithm ssh-rand-helper was used.

Example:
> ssh -vvv user@host
OpenSSH_3.8.1p1, OpenSSL 0.9.7d 17 Mar 2004
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: Seeding PRNG from /usr/lib/ssh/ssh-rand-helper

* If the debug statement shows "RNG is ready, skipping seeding", then hardware support (/dev/random or /dev/urandom) was used.

Example:
> ssh -vvv user@host
OpenSSH_3.8.1p1, OpenSSL 0.9.7d 17 Mar 2004
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: RNG is ready, skipping seeding

Also check RACF because for OpenSSH to use the hardware support (/dev/random or /dev/urandom) to collect random numbers, the ICSF started task must be running and the user ID must have read access to the CSFRNG (random number generate service) in the RACF(R) CSFSERV class.

Steve Finch
Mainframe Technical Services
HP Enterprise Services

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of McKown, John
Sent: Tuesday, July 10, 2012 11:18 AM
To: [email protected]
Subject: PTF: UA63842 - verifying it is working

I just installed PTF UA63842 on my sandbox system. I also got ICSF running. The messages from the CSF started task are:

CSFO0230 CKDSN(TSSTV.CSF.CKDS)
CSFO0230 PKDSN(TSSTV.CSF.PKDS)
CSFO0230 COMPAT(NO)
CSFO0230 SSM(YES)
CSFO0230 KEYAUTH(NO) /* WAS YES */
CSFO0230 CHECKAUTH(NO)
CSFO0230 TRACEENTRY(599)
CSFO0220 TRACEENTRY VALUE NOT IN RANGE.
CSFO0230 USERPARM(USERPARM)
CSFO0230 COMPENC(DES)
CSFO0212 COMPENC KEYWORD NO LONGER SUPPORTED.
CSFO0230 REASONCODES(ICSF)
CSFO0230 PKDSCACHE(64)
CSFO0212 PKDSCACHE KEYWORD NO LONGER SUPPORTED.
CSFO0166 DEFAULT CICS WAIT LIST WILL BE USED.
CSFM607I A CKDS KEY STORE POLICY IS NOT DEFINED.
CSFM607I A PKDS KEY STORE POLICY IS NOT DEFINED.
CSFM610I GRANULAR KEYLABEL ACCESS CONTROL IS DISABLED.
CSFM611I XCSFKEY EXPORT CONTROL FOR AES IS DISABLED.
CSFM611I XCSFKEY EXPORT CONTROL FOR DES IS DISABLED.
CSFM612I PKA KEY EXTENSIONS CONTROL IS DISABLED.
CSFM101E PKA KEY DATA SET, TSSTV.CSF.PKDS IS NOT INITIALIZED.
CSFM100E CRYPTOGRAPHIC KEY DATA SET, TSSTV.CSF.CKDS IS NOT INITIALIZED.
CSFM507I CRYPTOGRAPHY - THERE ARE NO CRYPTOGRAPHIC COPROCESSORS ONLINE.
CSFM508I CRYPTOGRAPHY - THERE ARE NO CRYPTOGRAPHIC ACCELERATORS ONLINE.
*CSFM122I PKA SERVICES WERE NOT ENABLED DURING ICSF INITIALIZATION.
CSFM001I ICSF INITIALIZATION COMPLETE
CSFM126I CRYPTOGRAPHY - FULL CPU-BASED SERVICES ARE AVAILABLE.

I think this last message means that ICSF is using the CPACF facilities on the CPU. True?

I then recycled the SSHD daemon. How do I know that SSHD is actually using the CPACF instead of the older method for its encryption? Is there any message anywhere that I could look at? I see some messages in /var/log/auth, but nothing "in depth".

--
John McKown
Systems Engineer IV
IT Administrative Services Group
HealthMarkets(r)
9151 Boulevard 26 * N. Richland Hills * TX 76010
(817) 255-3225 phone * [email protected] * www.HealthMarkets.com

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
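
Added example, not part of the original messages: a POSIX shell function that applies the debug-output check from the reply above to captured `ssh -vvv` output. The function and variable names are hypothetical, and the sample inputs are constructed from the debug lines quoted in the thread.

```shell
#!/bin/sh
# Added example: classify the PRNG seeding source from `ssh -vvv` output.
# The two marker strings are the ones quoted in the reply in this thread.

classify_ssh_rng() {
    # Reads ssh debug output on stdin.
    # Prints: software (ssh-rand-helper), hardware (/dev/random or
    # /dev/urandom), or unknown (neither marker was seen).
    result=unknown
    # "|| [ -n ... ]" keeps a final line that lacks a trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            debug*"Seeding PRNG from "*ssh-rand-helper*)
                result=software; break ;;
            debug*"RNG is ready, skipping seeding"*)
                result=hardware; break ;;
        esac
    done
    printf '%s\n' "$result"
}

# Constructed sample inputs (copied from the debug lines in the thread).
sample_helper='OpenSSH_3.8.1p1, OpenSSL 0.9.7d 17 Mar 2004
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: Seeding PRNG from /usr/lib/ssh/ssh-rand-helper'

sample_hw='OpenSSH_3.8.1p1, OpenSSL 0.9.7d 17 Mar 2004
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: RNG is ready, skipping seeding'

# Hypothetical helper: run the classifier over a sample held in a variable.
check_sample() { printf '%s\n' "$1" | classify_ssh_rng; }

echo "helper sample:   $(check_sample "$sample_helper")"
echo "hardware sample: $(check_sample "$sample_hw")"

# Live use (ssh writes debug output to stderr; user@host is a placeholder):
#   ssh -vvv user@host true 2>&1 | classify_ssh_rng
```

A result of "unknown" means neither marker appeared, for example because the client was not run with `-vvv`; it does not indicate which source was used.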
