Date: Fri, 21 Nov 2014 18:45:19 +0000 From: Mark R V Murray <mark@grondar.org> To: Ian Lepore <ian@FreeBSD.org> Cc: arch@freebsd.org, John-Mark Gurney <jmg@funkthat.com>, Adrian Chadd <adrian@freebsd.org> Subject: Re: svn commit: r274739 - head/sys/mips/conf Message-ID: <026FEB8A-CA8C-472F-A8E4-DA3D0AC44B34@grondar.org> In-Reply-To: <1416582989.1147.250.camel@revolution.hippie.lan> References: <201411200552.sAK5qnXP063073@svn.freebsd.org> <20141120084832.GE24601@funkthat.com> <AE8F2D30-7F91-4C90-B79A-D99857D8AED8@grondar.org> <20141121092245.GI99957@funkthat.com> <1416582989.1147.250.camel@revolution.hippie.lan>
next in thread | previous in thread | raw e-mail | index | archive | help
> On 21 Nov 2014, at 15:16, Ian Lepore <ian@FreeBSD.org> wrote: >=20 >> If you can demonstrate a usable system w/o much modifications that >> runs w/ the dummy interface, or no boot random, that I'll drop my >> suggestion... I'll try removing random tomorrow and see what = breaks... >>=20 >=20 > If your point is that after the recent commits you can no longer do > these things, then I guess that's kind of hard to argue with given = that > some of us have been trying to say for a couple years that if=20 > /dev/random starts blocking to wait for entropy at startup, existing > *functional* small systems will stop working. As a fair bit of the security subsystem depends on working /dev/random, this is true. HOWEVER - I=E2=80=99m most willing to entertain ideas on how to get a = general config going that disables anything that is /dev/random-dependant. Asking the SO to break sshd(8) isn=E2=80=99t going to work, but enabling (say) telnet and/or rsh in the !random(4) case could be a way to do it. > Before those changes everything worked fine on the 90mhz 64MB arm > systems we build products around, which have no more than a few bits = of > entropy available during the boot process, and which (I'll say it = again > even though nobody has ever paid any attention to it) don't actually > need any entropy to come up and do what it is they are designed to do. >=20 > They don't use https (a few of them don't even have network > connections). They use ssh for its convenience (it's better than > telnet), but NOT for security. (And really, whether that makes sense = to > you or not, "the system must be secure" is not your decision to make.) Why not just use rsh? If the security overhead is onerous, don=E2=80=99t = use it. > I haven't tested a recent -current on those small systems, but we've > already resigned ourselves to sticking with 8.x for those older boards > just because the tide of bloat (both code and policy) is too much to > swim against. Yet you use ssh? M --=20 Mark R V Murray
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?026FEB8A-CA8C-472F-A8E4-DA3D0AC44B34>