Date: Sat, 1 Jun 2013 11:45:40 +1000 From: Peter Jeremy <peter@rulingia.com> To: Dirk-Willem van Gulik <dirkx@webweaving.org> Cc: freebsd-hackers@freebsd.org Subject: Re: seeding randomness in zee cloud Message-ID: <20130601014540.GF79250@server.rulingia.com> In-Reply-To: <0BF6FBDD-47E8-44F1-BA71-A355EDCDEDB6@webweaving.org> References: <0BF6FBDD-47E8-44F1-BA71-A355EDCDEDB6@webweaving.org>
next in thread | previous in thread | raw e-mail | index | archive | help
--QTprm0S8XgL7H0Dt Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On 2013-May-31 12:01:02 +0200, Dirk-Willem van Gulik <dirkx@webweaving.org>= wrote: > Thanks to a badly-written mngt script - >we've rencently noticed a freshly generated ssh-key on a new AWS >instances to be indentical to one seen a few months prior. =2E.. >I am surmising that perhaps the (micro-T) images do not have that >much entropy on startup. This is a fairly common issue - typically, the first thing a newly installed system does immediately after a boot (when it has the least entropy availab= le) is to generate its SSH host keys. >Now we happen to have very easy access to blocks of 1024bits of >randomness from a remote server in already nicely PKI signed packages >(as it is needed later for something else). Obtaining entropy from another machine is an option but you need to ensure that the source is trustworthy, you only use the entropy once and that the entropy can't be intercepted by anyone else. >Or does this cause a loss/reset of all entropy gathered by the hardware so= far ? As others have indicated, no. Writing to /dev/random can't reduce the available entropy. > Or is there a cleaner way to add a additional seed as a one-off with >disturbing as little as possible (in the few seconds just after the >network is brought up). If this needs to be done automatically, not really. If there's a person available, you could use the "please type a screen full of random junk" approach and feed both the inter-character timings (which should be done automatically via IRQ harvesting) and junk into /dev/random. --=20 Peter Jeremy --QTprm0S8XgL7H0Dt Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.20 (FreeBSD) iEYEARECAAYFAlGpUkQACgkQ/opHv/APuIfiQACfW6DsCUhclpUYxT4crFZ8a1Qu kJcAoI7mB2H5lYHh2Re9eELeW8nQBLFj =0341 -----END PGP SIGNATURE----- --QTprm0S8XgL7H0Dt--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20130601014540.GF79250>