From owner-cvs-all Fri Jan 12 2:17:20 2001
Delivered-To: cvs-all@freebsd.org
Received: from blizzard.sabbo.net (ns.sabbo.net [193.193.218.18]) by hub.freebsd.org (Postfix) with ESMTP id D6F8A37B400; Fri, 12 Jan 2001 02:16:51 -0800 (PST)
Received: from vic.sabbo.net (root@vic.sabbo.net [193.193.218.112]) by blizzard.sabbo.net (8.10.1/8.10.1) with ESMTP id f0CAFP107883; Fri, 12 Jan 2001 12:15:26 +0200
Received: from FreeBSD.org (big_brother.vega.com [192.168.1.1]) by vic.sabbo.net (8.11.1/8.9.3) with ESMTP id f0CAEk405365; Fri, 12 Jan 2001 12:14:46 +0200 (EET) (envelope-from sobomax@FreeBSD.org)
Message-ID: <3A5ED913.6B09A21F@FreeBSD.org>
Date: Fri, 12 Jan 2001 12:14:43 +0200
From: Maxim Sobolev
Organization: Vega International Capital
X-Mailer: Mozilla 4.76 [en] (WinNT; U)
X-Accept-Language: uk,ru,en
MIME-Version: 1.0
To: Matt Dillon
Cc: Warner Losh, Mark Murray, Jordan Hubbard, Sheldon Hearn, obrien@FreeBSD.org, Doug Barton, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/etc crontab rc src/etc/defaults rc.conf src/etc/mtree BSD.root.dist src/libexec Makefile src/libexec/save-entropy Makefile save-entropy.sh
References: <200101120644.f0C6hvI12630@gratis.grondar.za> <200101120534.f0C5YYH96390@earth.backplane.com> <200101120652.f0C6qls78578@harmony.village.org> <200101120711.f0C7B4Y97991@earth.backplane.com>
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 7bit
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Matt Dillon wrote:
> :
> :In message <200101120644.f0C6hvI12630@gratis.grondar.za> Mark Murray writes:
> :: > I would do the following:
> :: >
> :: > * Use Warner's fix, possibly adding 'dmesg' output in phase-1.
> ::
> :: It makes more sense to make the random device nonblocking-at-boot than
> :: to do this.
> :
> :Maybe we could make it non-blocking until the first write to
> :/dev/random? This would solve the problems that we're seeing, as well
> :as allowing sshd to have enough entropy to get good results.

I like this idea, but perhaps it would be nice to have more fine-grained control over when /dev/random is blocking and when it is not. Why not add a sysctl to switch between blocking and non-blocking behaviour (defaulting to non-blocking), so our startup scripts would be able to switch /dev/random to be secure at the point when it's safe to do so (all f/s mounted), much like they cope with kern.securelevel? Additionally, it would solve the problem that you are not able to use almost anything in single-user mode (less, vi, ee etc.) without feeding /dev/random by hand first.

-Maxim