Date: Wed, 05 Sep 2012 01:37:15 +0200
From: Dag-Erling Smørgrav <des@des.no>
To: Doug Barton <dougb@FreeBSD.org>
Cc: freebsd-security@FreeBSD.org, freebsd-rc@FreeBSD.org, Mark Murray <markm@FreeBSD.org>
Subject: Re: svn commit: r239569 - head/etc/rc.d
Message-ID: <86y5kpcqc4.fsf@ds4.des.no>
In-Reply-To: <5043DBAF.40506@FreeBSD.org> (Doug Barton's message of "Sun, 02 Sep 2012 15:20:31 -0700")
References: <201208221843.q7MIhLU4077951@svn.freebsd.org> <5043DBAF.40506@FreeBSD.org>

(shameless thread hijacking)

Speaking of rc.d and entropy, is the following code in /etc/rc.d/sshd
really necessary?

    seeded=`sysctl -n kern.random.sys.seeded 2>/dev/null`
    if [ "x${seeded}" != "x" ] && [ ${seeded} -eq 0 ] ; then
        warn "Setting entropy source to blocking mode."
        echo "===================================================="
        echo "Type a full screenful of random junk to unblock"
        echo "it and remember to finish with <enter>. This will"
        echo "timeout in ${timeout} seconds, but waiting for"
        echo "the timeout without typing junk may make the"
        echo "entropy source deliver predictable output."
        echo ""
        echo "Just hit <enter> for fast+insecure startup."
        echo "===================================================="
        sysctl kern.random.sys.seeded=0 2>/dev/null
        read -t ${timeout} junk
        echo "${junk}" `sysctl -a` `date` > /dev/random
    fi

Considering, among other factors, how late in the boot sshd actually
starts, and how much disk and / or network activity has occurred by that
point.

I don't believe this was how it was initially supposed to work, by the
way. The original code *intentionally* always blocked, but it was
slightly obfuscated. Two years after it was written, someone who
misunderstood it submitted a PR, and several other someones who didn't
understand it either came up with an incorrect fix and committed it.
Neither Mark, who wrote the original code, nor I, who was (and still am)
the OpenSSH maintainer, were consulted.

BTW, it might be a good idea to run "/etc/rc.d/sshd keygen" from the
installer if sshd is enabled during installation.

DES
-- 
Dag-Erling Smørgrav - des@des.no