"Any one who considers arithmetical methods of producing random digits is, of course, in a state of sin. For, as has been pointed out several times, there is no such thing as a random number — there are only methods to produce random numbers, and a strict arithmetic procedure of course is not such a method."
~John von Neumann
Randomness is harder to achieve than one might think; in fact, even defining randomness is difficult (or picking the right definition for a given situation). For example, "random" numbers that are perfectly good for statistical modeling might be terrible for cryptography. Each of these applications requires certain properties of its random input, such as an even distribution. Cryptography, in particular, demands unpredictability so an attacker reading our data can't guess our keys. True randomness -- in the sense of complete unpredictability -- can't be produced by a computer program. Any sequence of bits produced as the output of a program eventually repeats itself.
For true randomness, you have to turn to physical processes, such as fluid turbulence or the quantum dice of radioactive decay. Even there, you must take great care that measurement artifacts don't introduce unwanted structure.
- So far, your colleague is right.
SSH implementations make use of randomness (=entropy in this case), but the process is completely invisible to the user.
Here's what happens under the hood:
SSH1 and SSH2 use a kernel-based randomness source if it is available, along with their own sampling of (one hopes) fluctuating system parameters, gleaned by running different processes. It uses these sources to seed its PRNG, as well as to "stir in" more randomness every once in a while. Since it is expensive to gather randomness this way, SSH stores its pool of random bits in a file between invocations of the program (/etc/ssh2/random_seed). This file is protected and used during key generation, not after the keys are exchanged, not within a connection.
To make it short: the entropy of such a connection key pair is system-based, not connection-based (or even command-based).
- Knowing this, it's clear that concerns regarding SSH "draining entropy" are nonsense.
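The seed-file scheme described above, as an added sketch that is not part of the original answer and not SSH's own code: a pool is loaded from a saved seed, stirred with the kernel source, used for key material, and written back owner-only. `SeedPool`, its methods and the SHA-256 construction are assumptions made for illustration.

```python
import hashlib
import os
import stat
import tempfile

POOL_BYTES = 32  # seed size chosen for this sketch


class SeedPool:
    """Hypothetical hash-based pool: seed file + kernel source (not SSH's own code)."""

    def __init__(self, seed_path, kernel_source=os.urandom):
        self.seed_path = seed_path
        self.state = bytes(POOL_BYTES)
        # Reuse the pool saved by an earlier invocation, if there is one.
        if os.path.exists(seed_path):
            with open(seed_path, "rb") as f:
                self.stir(f.read())
        # Always mix in the kernel source, so a copied seed file alone
        # never determines the output.
        self.stir(kernel_source(POOL_BYTES))

    def stir(self, data):
        self.state = hashlib.sha256(b"stir" + self.state + data).digest()

    def read(self, n):
        blocks = []
        for counter in range((n + 31) // 32):
            blocks.append(hashlib.sha256(b"out" + self.state + counter.to_bytes(8, "big")).digest())
        self.stir(b"ratchet")  # later state does not reveal earlier output
        return b"".join(blocks)[:n]

    def save(self):
        # Owner-only file: anyone who can read the seed learns part of the pool.
        fd = os.open(self.seed_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "wb") as f:
            f.write(self.read(POOL_BYTES))
        os.chmod(self.seed_path, 0o600)


def demo():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "random_seed")
        first = SeedPool(path)
        key_a = first.read(32)
        first.save()
        mode = stat.S_IMODE(os.stat(path).st_mode)
        key_b = SeedPool(path).read(32)
        return key_a, key_b, mode
```

With a fixed `kernel_source` and no seed file, two pools produce identical output, which is the "strict arithmetic procedure" case from the quote: the unpredictability comes entirely from the inputs, not from the hashing.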