From owner-freebsd-hackers@FreeBSD.ORG Sat Jun 1 01:46:00 2013 Return-Path: Delivered-To: freebsd-hackers@freebsd.org Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id 6DDF449B for ; Sat, 1 Jun 2013 01:46:00 +0000 (UTC) (envelope-from peter@rulingia.com) Received: from vps.rulingia.com (host-122-100-2-194.octopus.com.au [122.100.2.194]) by mx1.freebsd.org (Postfix) with ESMTP id E945377D for ; Sat, 1 Jun 2013 01:45:58 +0000 (UTC) Received: from server.rulingia.com (c220-239-237-213.belrs5.nsw.optusnet.com.au [220.239.237.213]) by vps.rulingia.com (8.14.5/8.14.5) with ESMTP id r511jsxg067065 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Sat, 1 Jun 2013 11:45:55 +1000 (EST) (envelope-from peter@rulingia.com) X-Bogosity: Ham, spamicity=0.000000 Received: from server.rulingia.com (localhost.rulingia.com [127.0.0.1]) by server.rulingia.com (8.14.5/8.14.5) with ESMTP id r511jgUc043540 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sat, 1 Jun 2013 11:45:42 +1000 (EST) (envelope-from peter@server.rulingia.com) Received: (from peter@localhost) by server.rulingia.com (8.14.5/8.14.5/Submit) id r511jfJK043539; Sat, 1 Jun 2013 11:45:41 +1000 (EST) (envelope-from peter) Date: Sat, 1 Jun 2013 11:45:40 +1000 From: Peter Jeremy To: Dirk-Willem van Gulik Subject: Re: seeding randomness in zee cloud Message-ID: <20130601014540.GF79250@server.rulingia.com> References: <0BF6FBDD-47E8-44F1-BA71-A355EDCDEDB6@webweaving.org> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="QTprm0S8XgL7H0Dt" Content-Disposition: inline In-Reply-To: <0BF6FBDD-47E8-44F1-BA71-A355EDCDEDB6@webweaving.org> X-PGP-Key: http://www.rulingia.com/keys/peter.pgp User-Agent: Mutt/1.5.21 (2010-09-15) Cc: freebsd-hackers@freebsd.org X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 01 Jun 2013 01:46:00 -0000 --QTprm0S8XgL7H0Dt Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On 2013-May-31 12:01:02 +0200, Dirk-Willem van Gulik = wrote: > Thanks to a badly-written mngt script - >we've rencently noticed a freshly generated ssh-key on a new AWS >instances to be indentical to one seen a few months prior. =2E.. >I am surmising that perhaps the (micro-T) images do not have that >much entropy on startup. This is a fairly common issue - typically, the first thing a newly installed system does immediately after a boot (when it has the least entropy availab= le) is to generate its SSH host keys. >Now we happen to have very easy access to blocks of 1024bits of >randomness from a remote server in already nicely PKI signed packages >(as it is needed later for something else). Obtaining entropy from another machine is an option but you need to ensure that the source is trustworthy, you only use the entropy once and that the entropy can't be intercepted by anyone else. >Or does this cause a loss/reset of all entropy gathered by the hardware so= far ? As others have indicated, no. Writing to /dev/random can't reduce the available entropy. > Or is there a cleaner way to add a additional seed as a one-off with >disturbing as little as possible (in the few seconds just after the >network is brought up). If this needs to be done automatically, not really. If there's a person available, you could use the "please type a screen full of random junk" approach and feed both the inter-character timings (which should be done automatically via IRQ harvesting) and junk into /dev/random. --=20 Peter Jeremy --QTprm0S8XgL7H0Dt Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.20 (FreeBSD) iEYEARECAAYFAlGpUkQACgkQ/opHv/APuIfiQACfW6DsCUhclpUYxT4crFZ8a1Qu kJcAoI7mB2H5lYHh2Re9eELeW8nQBLFj =0341 -----END PGP SIGNATURE----- --QTprm0S8XgL7H0Dt--