Date: Tue, 08 Aug 2006 10:02:00 -0400
From: Michael Scheidell <scheidell@secnap.net>
To: "R. B. Riddick" <arne_woerner@yahoo.com>
Cc: freebsd-security@freebsd.org
Subject: Re: seeding dev/random in 5.5
Message-ID: <44D89958.2030305@secnap.net>
In-Reply-To: <20060808135330.24187.qmail@web30310.mail.mud.yahoo.com>
References: <20060808135330.24187.qmail@web30310.mail.mud.yahoo.com>
R. B. Riddick wrote:
> I was under the impression that kern.random.sys.harvest.ethernet is 1 by default.
>
> That would mean that ethernet traffic to that deeply buried box should feed that /dev/random until it is fat and round...
>
> Why do you believe that /dev/random isn't seeded by networking?

Because it isn't, and pings aren't going to produce much random data. It might feed it LATER, saving to /var/db/entropy, but when the system is booted, and there are no keys in /etc/ssh and rc.d/sshd tries to generate enough to feed to /dev/random, it doesn't.

At least in this case, this box, this OS, this chipset. Only one I have seen like this. It's a showstopper. Box won't start remote sshd, can only get at it via console.

Not sure why the reluctance to even acknowledge that there could be a minor fix/patch that could prevent a dead box and a ${miles=hundreds} trek to bring it back. If it's never happened to you, then you may not have the exact combination I have. I can reproduce it 100% of the time, every time, all day long.

Only two workarounds that I know of:
#1, put in more than 3 lines of garbage on console.
#2, put in more than 5 packets of garbage from ethernet (which, acknowledged: if a hacker is trying to seed known data to this box, he could feed it known data).

-- 
Michael Scheidell, CTO
SECNAP Network Security / www.secnap.com
scheidell@secnap.net / 1+561-999-5000, x 1131
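As an added example (not code from this thread, nor FreeBSD's own rc scripts), a boot-time gate in the spirit of the /var/db/entropy mechanism mentioned above: it feeds saved entropy files into the random device and only then allows sshd host-key generation, deferring it otherwise instead of proceeding with an unseeded pool. The directory, device path and the `saved-entropy.*` file names are assumptions passed as arguments so the logic can be exercised against temporary files.

```sh
#!/bin/sh
# Added example: reseed a random device from saved entropy files before
# host keys are generated. Not taken from FreeBSD's rc.d; paths are
# arguments (assumed layout: DIR/saved-entropy.N) so it runs offline.

# seed_from_saved DIR DEV
# Appends each saved-entropy.* file in DIR to DEV and deletes it afterwards,
# so a given blob is never replayed on a later boot. Succeeds only if at
# least one file was written.
seed_from_saved() {
    _dir=$1 _dev=$2 _fed=0
    for _f in "$_dir"/saved-entropy.*; do
        [ -f "$_f" ] || continue
        cat "$_f" >> "$_dev" || return 1
        rm -f "$_f"
        _fed=$((_fed + 1))
    done
    [ "$_fed" -gt 0 ]
}

# keygen_gate DIR DEV
# Returns 0 when host-key generation may proceed (saved entropy was fed),
# or 1 so an rc script can defer key generation and retry later rather
# than hang or draw from an empty pool. Logs the decision for the console.
keygen_gate() {
    if seed_from_saved "$1" "$2"; then
        echo "entropy: reseeded $2 from $1; host key generation allowed"
        return 0
    fi
    echo "entropy: no saved entropy in $1; deferring host key generation" >&2
    return 1
}
```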