Date:      Fri, 11 Oct 2002 12:56:57 -0700
From:      "Firsto Lasto" <firstolasto@hotmail.com>
To:        mark@grondar.za
Cc:        freebsd-hackers@FreeBSD.ORG
Subject:   Re: PRNG not seeded - error in non-root ssh inside 4.6.2 jails...
Message-ID:  <F174ADhC9ChIVFdGaTN00009ee0@hotmail.com>


No, /dev/urandom was already 666, and I just noticed that random was not, so 
I chmodded random 0666 and then the error changed from PRNG not seeded to 
"host key verification failed".

I think there is some useful information in this last round of 
troubleshooting I did - the fact that the behavior was the same when I made 
random 2,4, but the behavior was different when I made urandom 2,3.

Or perhaps it is not useful at all ?


>
> > Ok, I did this, and got the exact same results - first it says that PRNG is not seeded, and then I chmod 0666 /dev/urandom and then it tells me "host key verification failed".
>
>I hope you mean /dev/random?
>
>M
>
> >
> > So, just in case I also did the opposite - I left random alone and set urandom to 2,3 so it behaves like random ... and this was interesting, when I did this, it told me PRNG not seeded no matter what I set the permissions to - so at no point did I progress to "host key verification failed".
> >
> > Hope this helps - I hate to think that the single most used userland application does not function inside of jail (which is the case, it seems, at least in 4.6.2)
> >
> > >
> > > >
> > > > Do you mean recompile SSL using urandom instead of random ?
> > >
> > >Yes.
> > >
> > > > Would it be the exact same effect if I simply changed my /dev/random to major/minor 2,4 instead of 2,3 ?
> > >
> > >Yes. That would work.
> > >
> > > > It seems like that would be much easier...
> > >
> > >Indeed!
> > >
> > >M
> > >
> > > > > > Ok, I am not sure how I can do that though - I cannot successfully run `rndcontrol -s X` inside a jail.
> > > > > >
> > > > > > On the other hand, I already have:
> > > > > >
> > > > > > rand_irqs="9 10 11 13 14"
> > > > > >
> > > > > > In my rc.conf on the underlying host machine, and have done several boots with that in place.  So presumably I should be seeded just fine, but if I am not, I cannot change that in the jail because it seems I cannot set that (I assume it is a sysctl issue).
> > > > > >
> > > > > > Willing to try whatever you can think of next :)
> > > > >
> > > > >Hokay. Can you grovel around inside OpenSSL (src/crypto/openssl/...) and find where the random device is read? If it is /dev/random, then change that to /dev/urandom.
> > > > >
> > > > >See how that works.
> > > > >
> > > > >M
> > > > >
> > > > > > > > I can't seed it by banging on the keyboard - it is a headless server in a rack thousands of miles from me :)
> > > > > > > >
> > > > > > > > Perhaps there is another way to do it ?
> > > > > > >
> > > > > > >Yes.
> > > > > > >
> > > > > > >You need to find sources of entropy in interrupts. Look at a
> > > > > > >dmesg, and note which IRQ's your network device(s) and mass
> > > > > > >storage controller(s) (both SCSI and ATA). Use any other
> > > > > > >irq's that aren't too busy and may be somewhat random.
> > > > > > >Staring at a 'systat 2 -vmstat' screen (right hand side)
> > > > > > >may give some clues.
> > > > > > >
> > > > > > >Then use rndcontrol(8) to set up the seeding. There is a knob
> > > > > > >in rc.conf to make this setting survive the next reboot.
> > > > > > >
> > > > > > >M
> > > > > > >
> > > > > > > > >Date: Thu, 03 Oct 2002 21:54:30 +0100
> > > > > > > > >
> > > > > > > > > > Sorry, here is the rest:
> > > > > > > > > >
> > > > > > > > > > Here is the output of the `dd` command using urandom:
> > > > > > > > > >
> > > > > > > > > > dd if=/dev/urandom of=/dev/stdout bs=512 count=1 | hexdump -C
> > > > > > > > > > 1+0 records in
> > > > > > > > > > 1+0 records out
> > > > > > > > > > 00000000  a0 69 1a 7c 8f 32 e5 21  ae 7a 33 14 68 0b 8e a6  |.i.|.2.!.z3.h...|
> > > > > > > > >
> > > > > > > > >... etc. Looking good.
> > > > > > > > >
> > > > > > > > > > $ ls -l /dev/*rand*
> > > > > > > > > > crw-r--r--  1 root  wheel    2,   3 Sep  3 21:46 /dev/random
> > > > > > > > > > crw-r--r--  1 root  wheel    2,   4 Sep  3 21:46 /dev/urandom
> > > > > > > > >
> > > > > > > > >Also good.
> > > > > > > > >
> > > > > > > > > > > > So then, as root I ran: `chmod 0666 /dev/stdout` and then I ran your `dd` command and got:
> > > > > > > > > > > >
> > > > > > > > > > > > $ dd if=/dev/random of=/dev/stdout bs=512 count=1 | hexdump -C
> > > > > > > > > > > > 0+0 records in
> > > > > > > > > > > > 0+0 records out
> > > > > > > > > > > > 0 bytes transferred in 0.000036 secs (0 bytes/sec)
> > > > > > > > >
> > > > > > > > >Can you try a few of these while furiously abusing your keyboard?
> > > > > > > > >I'm trying to see if /dev/random can be persuaded to give _any_ output at all.
> > > > > > > > >
> > > > > > > > >Maybe do it on a vty instead of in X.
> > > > > > > > >
> > > > > > > > >M
> > > > > > > > >--
> > > > > > > > >o       Mark Murray
> > > > > > > > >\_
> > > > > > > > >O.\_    Warning: this .sig is umop ap!sdn
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > >--
> > > > > > >o       Mark Murray
> > > > > > >\_
> > > > > > >O.\_    Warning: this .sig is umop ap!sdn
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > 
> > > > > >
> > > > > >
> > > > >--
> > > > >o       Mark Murray
> > > > >\_
> > > > >O.\_    Warning: this .sig is umop ap!sdn
> > > >
> > > >
> > > >
> > > >
> > > >
> > >--
> > >o       Mark Murray
> > >\_
> > >O.\_    Warning: this .sig is umop ap!sdn
> >
> >
>
> >
> >
> >
>--
>o       Mark Murray
>\_
>O.\_    Warning: this .sig is umop ap!sdn




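As an added diagnostic (my script, not code from the thread or from FreeBSD), the checks the thread walks through for a random device node inside a jail, done in order and without hanging the shell on a /dev/random that yields nothing. The function names, the 16-byte read and the 3-second default timeout are my choices.

```shell
#!/bin/sh
# Added diagnostic, not from the thread: classify a random device node the way
# the thread's troubleshooting did (exists? character device? readable by this
# user? yields bytes?) without hanging on a /dev/random that has no entropy.
# Prints one word: missing | notchar | noperm | blocked | empty | ok
# Usage: check_random_dev /dev/random [timeout_seconds]   (timeout default: 3)
check_random_dev() {
    dev=$1
    secs=${2:-3}
    [ -e "$dev" ] || { echo missing; return 1; }
    [ -c "$dev" ] || { echo notchar; return 1; }   # a regular file here means a broken jail /dev
    [ -r "$dev" ] || { echo noperm; return 1; }    # e.g. crw-r--r-- root:wheel, read as non-root
    tmp=$(mktemp "${TMPDIR:-/tmp}/rndchk.XXXXXX") || return 1
    # Read in a background subshell so a reader stuck in the kernel can be killed.
    ( dd if="$dev" of="$tmp" bs=16 count=1 2>/dev/null & r=$!
      trap 'kill $r 2>/dev/null || :' TERM
      wait "$r" || :
      echo done > "$tmp.done" ) >/dev/null 2>&1 &
    pid=$!
    i=0
    while [ ! -e "$tmp.done" ] && [ "$i" -lt "$secs" ]; do
        sleep 1
        i=$((i + 1))
    done
    if [ ! -e "$tmp.done" ]; then
        kill "$pid" 2>/dev/null || :
        wait "$pid" 2>/dev/null || :
        rm -f "$tmp" "$tmp.done"
        echo blocked   # node is fine but the pool never delivers: the "PRNG not seeded" symptom
        return 1
    fi
    wait "$pid" 2>/dev/null || :
    n=$(wc -c < "$tmp" | tr -d ' ')
    rm -f "$tmp" "$tmp.done"
    if [ "$n" -gt 0 ]; then echo ok; return 0; fi
    echo empty         # read returned at once with nothing ("0+0 records in" in the thread)
    return 1
}

# Compare both nodes, as the thread does; run it inside and outside the jail.
check_all() {
    for d in /dev/random /dev/urandom; do
        printf '%s: %s\n' "$d" "$(check_random_dev "$d" 3)"
    done
}
```

Run `check_all` as the unprivileged user that sshd or ssh will run as; a `noperm` result is the 0666 chmod the thread applies, while `blocked` or `empty` points at the device numbers or the seeding, not the permissions.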