Date: Tue, 08 Aug 2006 10:19:53 -0400 From: Michael Scheidell <scheidell@secnap.net> To: "R. B. Riddick" <arne_woerner@yahoo.com> Cc: freebsd-security@freebsd.org Subject: Re: seeding dev/random in 5.5 Message-ID: <44D89D89.2080502@secnap.net> In-Reply-To: <20060808141501.56763.qmail@web30313.mail.mud.yahoo.com> References: <20060808141501.56763.qmail@web30313.mail.mud.yahoo.com>
next in thread | previous in thread | raw e-mail | index | archive | help
R. B. Riddick wrote: > --- Michael Scheidell <scheidell@secnap.net> wrote: > >> R. B. Riddick wrote: >> >>> Why do u believe, that /dev/random isnt seeded by networking? >>> >>> >>> >> because it isn't. >> and pings arn' going to produce much random data. >> >> > Hmm... Interesting... > > >> it might feed it LATER, saving to /var/db/entropy, but when the system >> is booted, and there are no keys in /etc/ssh and rc.d/sshd tried to >> generate enough to feed to /dev/random, it doesn't >> >> > Hopefully... I was under the impression, that new "random" events are gathered > continuously in order to create an always good source of random ... > > yes, maybe, AFTER it boots, and during the day. >> I can reproduce it 100% of the time, every time, all day long. >> >> > OK... But I still dont understand why that is... Does it have an ethernet NIC? > Is that sysctl (kern.random.sys.harvest.ethernet) set to 1 before rc.d/sshd > starts? > > yes, has nic card (how else would I be able to ssh into it later ;-) no, rc.d/sshd doesn't touch that sysctl. >> Only two workarounds that I know of: >> #1, put in more than 3 lines of garbage on console. >> #2, put in more than 5 packets of garbage from ethernet >> (which, acknowledged: if hacker is trying to seed known data to this >> box, he could feed it known data) >> >> > If I may add: > I know another workaround: Create the key files during the install process, > which has to be done quite handish anyway, if u do it on a far away deeply > buried box... Or not? > > This would affect the generic stock 5.5 install disk as well (it doesn't create new keys when it builds a virgin hard disk) If a user just hits return, there is no error message, no indication that /dev/random wasn't seeded. We have a bootable CD rom, has a generic boot/network/vpn/ and dumpfiles for virgin install. cd rom uses restore to make new HD. Id rather like to have different keys on different boxes. ssh client complains when it sees the same keys for several different ip addresses. > -Arne > > > __________________________________________________ > Do You Yahoo!? > Tired of spam? Yahoo! Mail has the best spam protection around > http://mail.yahoo.com > -- Michael Scheidell, CTO SECNAP Network Security / www.secnap.com scheidell@secnap.net / 1+561-999-5000, x 1131
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?44D89D89.2080502>