Date: Mon, 07 Aug 2006 18:02:08 -0400
From: Michael Scheidell <scheidell@secnap.net>
To: freebsd-security@freebsd.org
Subject: seeding dev/random in 5.5
Message-ID: <44D7B860.5080906@secnap.net>
I was doing some regression testing in 5.5: specifically, testing booting up a 'virgin' hard disk from a clean install. I was testing what happened if the 300 second timeout happened vs. hitting <return> for 'fast+insecure' startup and punching in a bunch of random garbage.

I found that for some reason, on a 2.4GHz Celeron, the 'sysctl -a' and 'date' seeding for 'fast+insecure' seemed to do nothing unless I typed in at least 3 lines of random keystrokes. I.e.: /etc/rc.d/sshd start won't; it doesn't generate ssh keys in /etc/ssh and ssh won't start.

Is there something in /dev/random that won't init if it isn't random enough? (If doing this from an unattended bootup, expecting the 300 second timeout, I find that sshd does not start!)

After doing some testing, it appears that (at least with the combination of a 2.4GHz Celeron and 5.5) it takes at least three lines of random data, added to the output of sysctl -a and date, to seed /dev/random. As per this in /etc/rc.d/sshd:

    read -t ${timeout} junk
    echo "${junk}" `sysctl -a` `date` > /dev/random

I can find no other explanation for the results of my tests.

This removes keys:

    /etc/rc.d/sshd stop
    rm /etc/ssh/*key*
    /etc/rc.d/sshd start

Tests:

#1, allow 300 second timeout: remove keys, restart sshd (/etc/rc.d/sshd start), let it sit for 300 seconds. No error messages, but sshd doesn't start, and there are no keys in /etc/ssh.
#2, one line of random text (same results as above).
#3, two lines, etc.
#4, three lines. Now I get the messages telling me that ssh-keygen has created keys, and there are keys in /etc/ssh.

I also find that by adding this to the random seeding, it will work with <return> or the 300 second timeout:

    read -t ${timeout} junk
    echo "${junk}" `sysctl -a` `date` `tcpdump -xs1500 -c 5` > /dev/random

Yes, I know, even ;lj;lkj;lj;ljjl on the keyboard isn't all that random, but my issue is not being able to remotely access a virgin system with ssh. Sometimes these are headless pizza boxes, buried deep in the bowels of some data center.

Has anyone else run tests like this?

(I suppose the -c value in tcpdump could be random as well '-=) using: count=`date "+%S"`)

In a remote location, with no head, no monitor, it's hard trying to figure out just WHY 'system won't boot'. (It booted, but sshd didn't start!)

There are enough random [pun intended] things that can happen when you install a new system that I would like to try to eliminate one of them.

-- 
Michael Scheidell, CTO
SECNAP Network Security / www.secnap.com
scheidell@secnap.net / 1+561-999-5000, x 1131
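The two operations the message is about, collecting seed material for /dev/random from several sources and finding out whether the pool is actually usable before ssh-keygen runs, as an added example. This is not the /etc/rc.d/sshd code quoted above and not FreeBSD's own script; it is a standalone sh script written for this page. It assumes date(1), sysctl(8), ps(1), dd(1) and mktemp(1) are present; tcpdump(8) is optional; the seed target and the source to probe are parameters so the functions can be exercised against an ordinary file or FIFO, and writing to the real /dev/random needs root. `read -t` is a FreeBSD sh / bash extension, not POSIX.

```sh
#!/bin/sh
# Added example (not the /etc/rc.d/sshd code quoted in the message).
# Assumes date(1), sysctl(8), ps(1), dd(1) and mktemp(1); tcpdump(8) is
# optional. Pointing seed_random at the real /dev/random needs root.

# seed_random [TARGET] [TIMEOUT_SECS]
# Collects seed material from the operator (only if a terminal is attached),
# the clock, kernel and process state, and an optional packet capture, writes
# it to TARGET (default /dev/random) and prints the number of bytes written.
seed_random() {
    target=${1:-/dev/random}
    timeout=${2:-5}
    tmp=$(mktemp /tmp/seed.XXXXXX) || return 1

    # Operator keystrokes. Only ask when stdin is a terminal, so an
    # unattended boot never waits here. 'read -t' is FreeBSD sh/bash, not POSIX.
    if [ -t 0 ]; then
        printf 'Type random keystrokes, or wait %ss: ' "$timeout" >&2
        read -t "$timeout" junk 2>/dev/null || junk=""
        printf '%s\n' "$junk" >> "$tmp"
    fi

    # Clock, kernel and process state: largely guessable to a local attacker,
    # but different on every boot, which is what gets the pool past blocking.
    date >> "$tmp" 2>/dev/null || true
    sysctl -a >> "$tmp" 2>/dev/null || true
    ps auxww >> "$tmp" 2>/dev/null || true

    # Packet capture. 'tcpdump -c 5' never returns on a quiet interface,
    # so it runs in the background and is killed after the timeout.
    if command -v tcpdump >/dev/null 2>&1; then
        tcpdump -xs1500 -c 5 >> "$tmp" 2>/dev/null &
        pid=$!
        sleep "$timeout"
        kill "$pid" 2>/dev/null || true
        wait "$pid" 2>/dev/null || true
    fi

    bytes=$(wc -c < "$tmp" | tr -d ' ')
    cat "$tmp" > "$target" || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"
    echo "$bytes"
}

# random_ready [SOURCE] [DEADLINE_SECS]
# Returns 0 if 32 bytes can be read from SOURCE within DEADLINE seconds and
# 1 if the read is still blocked (an unseeded /dev/random). Placed before
# ssh-keygen in an rc script, it turns a silent hang into a log line.
random_ready() {
    src=${1:-/dev/random}
    deadline=${2:-5}
    flag=$(mktemp /tmp/rr.XXXXXX) || return 2
    rm -f "$flag"
    (
        # The reader runs in its own subshell so it can be torn down cleanly:
        # the TERM trap kills the possibly-blocked dd before the subshell exits.
        dd if="$src" of=/dev/null bs=32 count=1 2>/dev/null &
        ddpid=$!
        trap 'kill $ddpid 2>/dev/null; exit 1' TERM
        wait "$ddpid" && : > "$flag"
    ) &
    pid=$!
    i=0
    while :; do
        if [ -e "$flag" ]; then
            rm -f "$flag"
            wait "$pid" 2>/dev/null || true
            return 0
        fi
        [ "$i" -ge "$deadline" ] && break
        sleep 1
        i=$((i + 1))
    done
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    return 1
}
```

In an rc script the two fit together as `seed_random /dev/random 30; random_ready /dev/random 60 || logger -t rc.sshd "random pool still blocked, skipping key generation"`, which is the diagnostic the message says was missing (keys silently absent, sshd silently not started). None of the non-keyboard sources here are secret from a local attacker; they make the pool stop blocking, they do not make the resulting host keys unguessable to someone who can reconstruct the boot-time state.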