Date:      Tue, 08 Aug 2006 10:02:00 -0400
From:      Michael Scheidell <scheidell@secnap.net>
To:        "R. B. Riddick" <arne_woerner@yahoo.com>
Cc:        freebsd-security@freebsd.org
Subject:   Re: seeding dev/random in 5.5
Message-ID:  <44D89958.2030305@secnap.net>
In-Reply-To: <20060808135330.24187.qmail@web30310.mail.mud.yahoo.com>
References:  <20060808135330.24187.qmail@web30310.mail.mud.yahoo.com>

R. B. Riddick wrote:
>>     
> I was under the impression that
>   kern.random.sys.harvest.ethernet
> is
>   1
> by default.
>
> That would mean that ethernet traffic to that deeply buried box should feed
> that /dev/random until it is fat and round...
>
> Why do u believe that /dev/random isn't seeded by networking?
>
>   
Because it isn't.
And pings aren't going to produce much random data.

It might feed it LATER, saving to /var/db/entropy, but when the system
is booted and there are no keys in /etc/ssh, and rc.d/sshd tries to
generate enough to feed /dev/random, it doesn't.

At least in this case, this box, this OS, this chipset.  Only one I have
seen like this.
It's a showstopper.  Box won't start remote sshd; can only get at it via
console.

Not sure why the reluctance to even acknowledge that there could be a
minor fix/patch that could prevent a dead box and a ${miles=hundreds} trek
to bring it back.

If it's never happened to you, then you may not have the exact
combination I have.

I can reproduce it 100% of the time, every time, all day long.

Only two workarounds that I know of:
#1, put in more than 3 lines of garbage on console.
#2, put in more than 5 packets of garbage from ethernet
(which, acknowledged: if a hacker is trying to seed known data to this
box, he could feed it known data)

-- 
Michael Scheidell, CTO
SECNAP Network Security / www.secnap.com
scheidell@secnap.net  / 1+561-999-5000, x 1131
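The failure mode described in this message (a freshly booted box with no saved entropy and no ssh host keys, where rc.d/sshd sits waiting on /dev/random) is easy to check for before trusting an unattended reboot. The script below is an added example, not code from the thread or from FreeBSD; it assumes the `kern.random.sys.harvest.*` sysctl names and the `/var/db/entropy` seed directory of the FreeBSD 5.x release being discussed, and it parses sysctl output as text so it can be exercised with a constructed sample on a host that has no such sysctls.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for the boot-time
# entropy starvation the message describes. Assumption: the sysctl names and
# the /var/db/entropy layout below match the FreeBSD 5.x box in question;
# verify them against your own system before relying on this.

# harvest_enabled SYSCTL_OUTPUT
# Returns 0 when every kern.random.sys.harvest.* line in the given
# "sysctl kern.random.sys.harvest"-style text is set to 1, otherwise 1.
# Parsing text instead of calling sysctl keeps the check testable anywhere.
harvest_enabled() {
    printf '%s\n' "$1" | awk '
        /^kern\.random\.sys\.harvest\./ {
            n++
            if ($2 != 1) bad++
        }
        END { exit ((n == 0 || bad > 0) ? 1 : 0) }'
}

# seed_files_present DIR
# Returns 0 when DIR holds at least one non-empty saved entropy file, i.e. a
# previous shutdown or cron run left something to feed /dev/random with at
# the next boot; otherwise 1.
seed_files_present() {
    dir=$1
    [ -d "$dir" ] || return 1
    for f in "$dir"/*; do
        [ -s "$f" ] && return 0
    done
    return 1
}

# entropy_status SYSCTL_OUTPUT DIR
# Exit status: 0 = saved entropy is on disk, so the pool is seeded before
# sshd needs it; 1 = no saved entropy but harvesting is on, so the pool only
# fills after boot (the window in which the thread's box hangs);
# 2 = neither, so host key generation blocks until someone types on console.
entropy_status() {
    if seed_files_present "$2"; then
        return 0
    elif harvest_enabled "$1"; then
        return 1
    else
        return 2
    fi
}

# Constructed sample standing in for live sysctl output; on a FreeBSD host
# the real values are used instead when the sysctl exists.
SAMPLE_SYSCTL='kern.random.sys.harvest.ethernet: 1
kern.random.sys.harvest.point_to_point: 1
kern.random.sys.harvest.interrupt: 1
kern.random.sys.harvest.swi: 0'

if command -v sysctl >/dev/null 2>&1 \
   && sysctl -n kern.random.sys.harvest.ethernet >/dev/null 2>&1; then
    LIVE=$(sysctl kern.random.sys.harvest)
else
    LIVE=$SAMPLE_SYSCTL
fi

entropy_status "$LIVE" "${ENTROPY_DIR:-/var/db/entropy}"
case $? in
    0) echo "ok: saved entropy present; sshd key generation should not block" ;;
    1) echo "warning: no saved entropy, relying on harvesting after boot" ;;
    2) echo "starved: no saved entropy and harvesting off; expect sshd to hang" ;;
esac
```

Run it as a late rc step or from a monitoring job; a status of 1 or 2 on a remote box is the signal to seed `/var/db/entropy` before the next reboot rather than after the console trek.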