From owner-freebsd-security@FreeBSD.ORG Mon Aug 7 22:02:10 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2DC2816A4DD for ; Mon, 7 Aug 2006 22:02:10 +0000 (UTC) (envelope-from scheidell@secnap.net) Received: from mail.secnap.com (mail.secnap.com [204.89.241.129]) by mx1.FreeBSD.org (Postfix) with ESMTP id C0F0343D6A for ; Mon, 7 Aug 2006 22:02:09 +0000 (GMT) (envelope-from scheidell@secnap.net) Received: from [10.70.3.3] (unknown [10.70.3.3]) by mail.secnap.com (Postfix) with ESMTP id 56082164838; Mon, 7 Aug 2006 18:02:08 -0400 (EDT) Message-ID: <44D7B860.5080906@secnap.net> Date: Mon, 07 Aug 2006 18:02:08 -0400 From: Michael Scheidell Organization: SECNAP Network Security User-Agent: Thunderbird 1.5.0.5 (Macintosh/20060719) MIME-Version: 1.0 To: freebsd-security@freebsd.org X-Enigmail-Version: 0.94.0.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Subject: seeding dev/random in 5.5 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 07 Aug 2006 22:02:10 -0000 I was doing some regression testing in 5.5: Specifically testing booting up a 'virgin' hard disk from a clean install. I was testing what happened if the 300 second timeout happened vs hitting for 'fast+insecure' startup and punching in a bunch of random garbage. I found that for some reason, on a 2.4Ghz Celeron, the 'sysctl -a' and 'date' seeding for 'fast+insecure' seemed to do nothing unless I typed in at least 3 lines of random keystrokes. ie: /etc/rc.d/sshd start WONT, it doesn't generate ssh keys in /etc/ssh and ssh won't start. Is there something in /dev/random that won't init if it isn't random enough? (if doing this from an unattended bootup, expecting the 300 second timeout, I find that sshd does not start!) After doing some testing, it appears that (at least with the combination of a 2.4Ghz Celeron and 5.5) that it takes at least three lines of random data, added to the output of sysctl -a and date to seed /dev/random. (as per this in /etc/rc.d/sshd: read -t ${timeout} junk echo "${junk}" `sysctl -a` `date` > /dev/random I can find no other explanation to the results of my tests: This removes keys: /etc/rc.d/sshd stop rm /etc/ssh/*key* /etc/rc.d/sshd start tests: #1, allow 300 second timeout: remove keys, restart sshd: /etc/rc.d/sshd start let it sit for 300 seconds. No error messages, but sshd doesn't start, and there are no keys in /etc/ssh #2, one line of random test (same results as above) #3, two lines, etc #4, three lines. Now, I get the messages telling me that ssh_keygen has created keys, and there are keys in /etc/ssh I also find that by adding this to the random seeding that it will work with or 300 second timeout: read -t ${timeout} junk echo "${junk}" `sysctl -a` `date` `tcpdump -xs1500 -c 5` > /dev/random Yes, I know, but even ;lj;lkj;lj;ljjl on the keyboard isn't all that random, but my issue is not being able to remotely access a virgin system with ssh. Sometimes these are headless pizza boxes, buried deep in the bowels of some data center. Has anyone else run tests like this? (I suppose the -c value in tcpdump could be random as well '-=) using: count = `date "+%S"` In a remote location, with no head, no monitor, its hard trying to figure out just WHY 'system won't boot'. (it booted, but sshd didn't start!) There is enough random[pun intended] things that can happen when you install a new system, that I would like to try to eliminate one of them. -- Michael Scheidell, CTO SECNAP Network Security / www.secnap.com scheidell@secnap.net / 1+561-999-5000, x 1131