From owner-freebsd-current@FreeBSD.ORG Mon Mar 28 22:08:28 2005 Return-Path: Delivered-To: freebsd-current@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E064116A4CE for ; Mon, 28 Mar 2005 22:08:28 +0000 (GMT) Received: from odin.ac.hmc.edu (Odin.AC.HMC.Edu [134.173.32.75]) by mx1.FreeBSD.org (Postfix) with ESMTP id 87C3543D39 for ; Mon, 28 Mar 2005 22:08:28 +0000 (GMT) (envelope-from brdavis@odin.ac.hmc.edu) Received: from odin.ac.hmc.edu (localhost.localdomain [127.0.0.1]) by odin.ac.hmc.edu (8.13.0/8.13.0) with ESMTP id j2SM8RpB026638; Mon, 28 Mar 2005 14:08:27 -0800 Received: (from brdavis@localhost) by odin.ac.hmc.edu (8.13.0/8.13.0/Submit) id j2SM8R8M026637; Mon, 28 Mar 2005 14:08:27 -0800 Date: Mon, 28 Mar 2005 14:08:27 -0800 From: Brooks Davis To: Ed Maste Message-ID: <20050328220827.GA26134@odin.ac.hmc.edu> References: <20050328220022.GB17716@sandvine.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="8t9RHnE3ZwKMSgU+" Content-Disposition: inline In-Reply-To: <20050328220022.GB17716@sandvine.com> User-Agent: Mutt/1.4.1i X-Virus-Scanned: by amavisd-new X-Spam-Status: No, hits=0.0 required=8.0 tests=none autolearn=no version=2.63 X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on odin.ac.hmc.edu cc: freebsd-current@freebsd.org Subject: Re: Random source seeding and /etc/rc.d/sshd host key generation X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 28 Mar 2005 22:08:29 -0000 --8t9RHnE3ZwKMSgU+ Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Mar 28, 2005 at 05:00:22PM -0500, Ed Maste wrote: > In /etc/rc.d/sshd, user_reseed() does >=20 > seeded=3D`sysctl -n kern.random.sys.seeded 2>/dev/null` > if [ "${seeded}" !=3D "" ] ; then > warn "Setting entropy source to blocking mode." > echo "=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D" > echo "Type a full screenful of random junk to unblock" > ... >=20 > I'm curious if checking the seeded sysctl against "" is intentional; > it seems $seeded will always be non-null. Since user_reseed only > gets called if the host keys don't exist it probably won't be much > of an issue in practice, but it seems random junk will be requested > on the first boot even if the entropy source is already seeded. I believe the goal of the script is to not trust the system entropy this time (since it's almost certainly junk.) I think the check is just to avoid this code if the sysctl doesn't exist. -- Brooks --=20 Any statement of the form "X is the one, true Y" is FALSE. PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4 --8t9RHnE3ZwKMSgU+ Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQFCSIBbXY6L6fI4GtQRApweAJ46xIbjh1qZgVoj/3nRxdOq796L7ACeLRxl iAQiaMTyhl+oa4+w9Uxwzso= =zsD0 -----END PGP SIGNATURE----- --8t9RHnE3ZwKMSgU+--