From owner-freebsd-hackers Fri Oct 11 1:20:17 2002
Message-Id: <200210110818.g9B8Ie01062513@grimreaper.grondar.org>
Date: Fri, 11 Oct 2002 09:18:40 +0100
From: Mark Murray
To: "Firsto Lasto"
Cc: freebsd-hackers@FreeBSD.ORG
Subject: Re: PRNG not seeded - error in non-root ssh inside 4.6.2 jails...
In-Reply-To: from "Firsto Lasto" "Fri, 11 Oct 2002 01:12:54 PDT."

> Ok, I did this, and got the exact same results - first it says that PRNG is
> not seeded, and then I chmod 0666 /dev/urandom and then it tells me "host
> key verification failed".

I hope you mean /dev/random?

M

> So, just in case I also did the opposite - I left random alone and set
> urandom to 2,3 so it behaves like random ... and this was interesting, when
> I did this, it told me PRNG not seeded no matter what I set the permissions
> to - so at no point did I progress to "host key verification failed".
>
> Hope this helps - I hate to think that the single most used userland
> application does not function inside of jail (which is the case, it seems,
> at least in 4.6.2)
>
> > > Do you mean recompile SSL using urandom instead of random ?
> >
> > Yes.
> >
> > > Would it be the exact same effect if I simply changed my /dev/random to
> > > major/minor 2,4 instead of 2,3 ?
> >
> > Yes. That would work.
> >
> > > It seems like that would be much easier...
> >
> > Indeed!
> >
> > M
> >
> > > > > Ok, I am not sure how I can do that though - I cannot successfully run
> > > > > `rndcontrol -s X` inside a jail.
> > > > >
> > > > > On the other hand, I already have:
> > > > >
> > > > > rand_irqs="9 10 11 13 14"
> > > > >
> > > > > In my rc.conf on the underlying host machine, and have done several boots
> > > > > with that in place. So presumably I should be seeded just fine, but if I am
> > > > > not, I cannot change that in the jail because it seems I cannot set that (I
> > > > > assume it is a sysctl issue).
> > > > >
> > > > > Willing to try whatever you can think of next :)
> > > >
> > > > Hokay. Can you grovel around inside OpenSSL (src/crypto/openssl/...) and
> > > > find where the random device is read? If it is /dev/random, then change
> > > > that to /dev/urandom.
> > > >
> > > > See how that works.
> > > >
> > > > M
> > > >
> > > > > > > I can't seed it by banging on the keyboard - it is a headless server in a
> > > > > > > rack thousands of miles from me :)
> > > > > > >
> > > > > > > Perhaps there is another way to do it ?
> > > > > >
> > > > > > Yes.
> > > > > >
> > > > > > You need to find sources of entropy in interrupts. Look at a
> > > > > > dmesg, and note which IRQ's your network device(s) and mass
> > > > > > storage controller(s) (both SCSI and ATA). Use any other
> > > > > > irq's that aren't too busy and may be somewhat random.
> > > > > > Staring at a 'systat 2 -vmstat' screen (right hand side)
> > > > > > may give some clues.
> > > > > >
> > > > > > Then use rndcontrol(8) to set up the seeding. There is a knob
> > > > > > in rc.conf to make this setting survive the next reboot.
> > > > > >
> > > > > > M
> > > > > >
> > > > > > > > Date: Thu, 03 Oct 2002 21:54:30 +0100
> > > > > > > >
> > > > > > > > > Sorry, here is the rest:
> > > > > > > > >
> > > > > > > > > Here is the output of the `dd` command using urandom:
> > > > > > > > >
> > > > > > > > > dd if=/dev/urandom of=/dev/stdout bs=512 count=1 | hexdump -C
> > > > > > > > > 1+0 records in
> > > > > > > > > 1+0 records out
> > > > > > > > > 00000000  a0 69 1a 7c 8f 32 e5 21  ae 7a 33 14 68 0b 8e a6  |.i.|.2.!.z3.h...|
> > > > > > > >
> > > > > > > > ... etc. Looking good.
> > > > > > > >
> > > > > > > > > $ ls -l /dev/*rand*
> > > > > > > > > crw-r--r--  1 root  wheel    2,   3 Sep  3 21:46 /dev/random
> > > > > > > > > crw-r--r--  1 root  wheel    2,   4 Sep  3 21:46 /dev/urandom
> > > > > > > >
> > > > > > > > Also good.
> > > > > > > >
> > > > > > > > > > So then, as root I ran: `chmod 0666 /dev/stdout` and then I ran your `dd`
> > > > > > > > > > command and got:
> > > > > > > > > >
> > > > > > > > > > $ dd if=/dev/random of=/dev/stdout bs=512 count=1 | hexdump -C
> > > > > > > > > > 0+0 records in
> > > > > > > > > > 0+0 records out
> > > > > > > > > > 0 bytes transferred in 0.000036 secs (0 bytes/sec)
> > > > > > > >
> > > > > > > > Can you try a few of these while furiously abusing your keyboard?
> > > > > > > > I'm trying to see if /dev/random can be persuaded to give _any_
> > > > > > > > output at all.
> > > > > > > >
> > > > > > > > Maybe do it on a vty instead of in X.
> > > > > > > >
> > > > > > > > M

--
o       Mark Murray
\_
O.\_    Warning: this .sig is umop ap!sdn

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
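Added example, not part of the thread and not OpenSSL's own seeding code: a small non-blocking seed collector that reads from a random device with a poll(2) timeout and classifies what it gets back. It reproduces the distinction the thread is circling: a device that answers a read with zero bytes straight away (the "0+0 records in" dd run on /dev/random in the jail), one that cannot be opened (missing node or no permission), one that blocks with nothing to give, and one that hands over the requested bytes (/dev/urandom). The device paths, the 20-byte seed threshold and the per-wait timeout are assumptions for this example; the probe runs against /dev/null to stand in for an entropy device that returns nothing.

```c
/* Added example: probe an entropy device the way a non-blocking seed
 * collector would, and name the failure mode. Not OpenSSL's code. */
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <unistd.h>

enum seed_status {
    SEED_OK = 0,      /* gathered every byte we asked for                 */
    SEED_NO_DEVICE,   /* open() or read() failed: ENOENT, EACCES, ...     */
    SEED_EMPTY,       /* read() returned 0 at once: nothing to give       */
    SEED_TIMEOUT,     /* never became readable within timeout_ms          */
    SEED_SHORT        /* some bytes, then EOF/timeout before `need`       */
};

/* Read up to `need` bytes from `path` into `buf`, waiting at most
 * timeout_ms per poll() for the device to become readable. The byte
 * count actually gathered is stored in *got. */
enum seed_status collect_seed(const char *path, unsigned char *buf,
                              size_t need, int timeout_ms, size_t *got)
{
    size_t n = 0;
    int fd = open(path, O_RDONLY | O_NONBLOCK);   /* never hang on open */
    *got = 0;
    if (fd < 0)
        return SEED_NO_DEVICE;

    while (n < need) {
        struct pollfd pfd = { .fd = fd, .events = POLLIN };
        int r = poll(&pfd, 1, timeout_ms);
        if (r == 0) {                 /* device would block: out of entropy */
            close(fd); *got = n;
            return n ? SEED_SHORT : SEED_TIMEOUT;
        }
        if (r < 0) {
            if (errno == EINTR) continue;
            close(fd); *got = n;
            return SEED_NO_DEVICE;
        }
        ssize_t k = read(fd, buf + n, need - n);
        if (k == 0) {                 /* EOF: the "0 bytes transferred" case */
            close(fd); *got = n;
            return n ? SEED_SHORT : SEED_EMPTY;
        }
        if (k < 0) {
            if (errno == EAGAIN || errno == EINTR) continue;
            close(fd); *got = n;
            return SEED_NO_DEVICE;
        }
        n += (size_t)k;
    }
    close(fd);
    *got = n;
    return SEED_OK;
}

/* Status only, with a scratch buffer (need is capped at 256 bytes). */
enum seed_status seed_status_of(const char *path, size_t need, int timeout_ms)
{
    unsigned char buf[256];
    size_t got;
    if (need > sizeof buf) need = sizeof buf;
    return collect_seed(path, buf, need, timeout_ms, &got);
}

/* Byte count only, same capping rule. */
size_t bytes_from(const char *path, size_t need, int timeout_ms)
{
    unsigned char buf[256];
    size_t got;
    if (need > sizeof buf) need = sizeof buf;
    collect_seed(path, buf, need, timeout_ms, &got);
    return got;
}

static const char *status_name(enum seed_status s)
{
    switch (s) {
    case SEED_OK:        return "seeded";
    case SEED_NO_DEVICE: return "cannot open/read device";
    case SEED_EMPTY:     return "device returned 0 bytes (PRNG not seeded)";
    case SEED_TIMEOUT:   return "device blocked, no entropy available";
    default:             return "short read, not enough seed bytes";
    }
}

int main(void)
{
    /* Assumed threshold for this example: 20 bytes of seed material. */
    const char *devs[] = { "/dev/random", "/dev/urandom", "/dev/null" };
    for (size_t i = 0; i < sizeof devs / sizeof devs[0]; i++)
        printf("%-13s %s\n", devs[i],
               status_name(seed_status_of(devs[i], 20, 500)));
    return 0;
}
```

Run as a non-root user inside the environment under test: a result of "device returned 0 bytes" on /dev/random with "seeded" on /dev/urandom is exactly the situation the thread describes, and a chmod on the node will not change it, since the device is readable but has nothing to return.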