[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#23605: /dev/urandom not seeded across reboots

From: Thompson, David
Subject: bug#23605: /dev/urandom not seeded across reboots
Date: Tue, 24 May 2016 13:29:44 -0400

On Tue, May 24, 2016 at 1:23 PM, Leo Famulari <address@hidden> wrote:
> On Tue, May 24, 2016 at 12:26:29PM -0400, Thompson, David wrote:
>> On Tue, May 24, 2016 at 12:16 PM, Leo Famulari <address@hidden> wrote:
>> > On Tue, May 24, 2016 at 09:05:21AM +0200, Taylan Ulrich Bayırlı/Kammer 
>> > wrote:
>> >> Leo Famulari <address@hidden> writes:
>> >> > Does anyone have advice about the service? Am I wrong that we need to
>> >> > seed /dev/urandom to make it work properly?
>> >>
>> >> Yes, this is necessary under Linux if you want urandom to be random
>> >> enough immediately after boot, and all the distros do it as part of
>> >> their init.
>> >>
>> >> There's also an interesting implication here about the very first time
>> >> you boot the system and don't have a urandom seed file from the last
>> >> shutdown yet.  I don't know how this is typically handled, given that
>> >> for instance it's quite possible that a user might generate SSH keys
>> >> shortly after their first boot of a system.
>> >
>> > When I boot a GuixSD VM for the first time [0], it requires me to dance
>> > on the keyboard until it has collected ~200 bits of entropy. I assumed
>> > this is to properly bootstrap the CSPRNG in /dev/urandom, but I'm not
>> > sure.
>> This is just an annoying feature of GNU lsh.  I want to switch my
>> machines to OpenSSH sometime, partly due to this.
> Well, it seems that this feature might be protecting us against using
> weak SSH session keys on first boot, if it's doing what I think it's
> doing...

It impedes automated provisioning of servers, which OpenSSH does not do.

- Dave

reply via email to

[Prev in Thread] Current Thread [Next in Thread]