From owner-freebsd-security@FreeBSD.ORG Tue Aug 8 15:06:14 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A3AAA16A4DE for ; Tue, 8 Aug 2006 15:06:14 +0000 (UTC) (envelope-from arne_woerner@yahoo.com) Received: from web30315.mail.mud.yahoo.com (web30315.mail.mud.yahoo.com [68.142.201.233]) by mx1.FreeBSD.org (Postfix) with SMTP id 36BFE43D45 for ; Tue, 8 Aug 2006 15:06:14 +0000 (GMT) (envelope-from arne_woerner@yahoo.com) Received: (qmail 37010 invoked by uid 60001); 8 Aug 2006 15:06:12 -0000 DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:Received:Date:From:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=5+6vLCSKFrMrtmkoofI+vNDUsVjE136ikfmSw+fw7nONfZXaEF3NM+ABo8mTdgRphKXz9uXmgZxKT+JPgwaazwRxc89W5ydVQIjI3gpUD8nm6+x93eWa3RpFA+KwvP2mEmUGN461L/SluFWzKy4d/KyhW4ij4vrh0mPgZg9l7Ag= ; Message-ID: <20060808150612.37008.qmail@web30315.mail.mud.yahoo.com> Received: from [213.54.69.172] by web30315.mail.mud.yahoo.com via HTTP; Tue, 08 Aug 2006 08:06:12 PDT Date: Tue, 8 Aug 2006 08:06:12 -0700 (PDT) From: "R. B. Riddick" To: Michael Scheidell In-Reply-To: <44D89D89.2080502@secnap.net> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Cc: freebsd-security@freebsd.org Subject: Re: seeding dev/random in 5.5 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 08 Aug 2006 15:06:14 -0000 --- Michael Scheidell wrote: > This would affect the generic stock 5.5 install disk as well (it doesn't > create new keys when it builds a virgin hard disk) > If a user just hits return, there is no error message, no indication > that /dev/random wasn't seeded. > > We have a bootable CD rom, has a generic boot/network/vpn/ and dumpfiles > for virgin install. > cd rom uses restore to make new HD. > Id rather like to have different keys on different boxes. ssh client > complains when it sees the same keys for several different ip addresses. > Oh. I see... So u just copy a CD to ur HD without any further install scripts... I do it different on my remote boxes: 1. I log in to the systems via sshd of the old system 2. Then I turn of one half of the mirror of the root file system 3. Then I un-tar the new base system to that currently unused disk. 4. Then I use bsdlabel and fdisk to make the box boot from the new disk... 5. Then I would create the ssh-host-keys... 6. Then I setup certain files/services like pf, ipfw, user-accounts, passwords, interfaces, ... 7. Then I would reboot to the freshly installed system (which does not work on some boxes sometimes, because the BIOS is quite old and does not understand the boot0cfg settings (-s5 and such)... *sigh*)... ... Your procedure seems to need operator interaction at the box itself anyway... So I do not see ur problem... Is it that just pressing [ENTER] (in spite of the warning) is not enough in ur case (in contradiction to the instructions)? That would be merely a documentation problem but not a security problem... -Arne __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com