Date:      Wed, 05 Sep 2012 01:37:15 +0200
From:      Dag-Erling Smørgrav <des@des.no>
To:        Doug Barton <dougb@FreeBSD.org>
Cc:        freebsd-security@FreeBSD.org, freebsd-rc@FreeBSD.org, Mark Murray <markm@FreeBSD.org>
Subject:   Re: svn commit: r239569 - head/etc/rc.d
Message-ID:  <86y5kpcqc4.fsf@ds4.des.no>
In-Reply-To: <5043DBAF.40506@FreeBSD.org> (Doug Barton's message of "Sun, 02 Sep 2012 15:20:31 -0700")
References:  <201208221843.q7MIhLU4077951@svn.freebsd.org> <5043DBAF.40506@FreeBSD.org>

(shameless thread hijacking)

Speaking of rc.d and entropy, is the following code in /etc/rc.d/sshd
really necessary?

	seeded=`sysctl -n kern.random.sys.seeded 2>/dev/null`
	if [ "x${seeded}" != "x" ] && [ ${seeded} -eq 0 ] ; then
		warn "Setting entropy source to blocking mode."
		echo "===================================================="
		echo "Type a full screenful of random junk to unblock"
		echo "it and remember to finish with <enter>. This will"
		echo "timeout in ${timeout} seconds, but waiting for"
		echo "the timeout without typing junk may make the"
		echo "entropy source deliver predictable output."
		echo ""
		echo "Just hit <enter> for fast+insecure startup."
		echo "===================================================="
		sysctl kern.random.sys.seeded=0 2>/dev/null
		read -t ${timeout} junk
		echo "${junk}" `sysctl -a` `date` > /dev/random
	fi

Considering, among other factors, how late in the boot sshd actually
starts, and how much disk and / or network activity has occurred by that
point.

I don't believe this was how it was initially supposed to work, by the
way.  The original code *intentionally* always blocked, but it was
slightly obfuscated.  Two years after it was written, someone who
misunderstood it submitted a PR, and several other someones who didn't
understand it either came up with an incorrect fix and committed it.
Neither Mark, who wrote the original code, nor I, who was (and still am)
the OpenSSH maintainer, were consulted.

BTW, it might be a good idea to run "/etc/rc.d/sshd keygen" from the
installer if sshd is enabled during installation.

DES
-- 
Dag-Erling Smørgrav - des@des.no


