Re: seeding dev/random in 5.5
- From: Michael Scheidell <scheidell@xxxxxxxxxx>
- Date: Tue, 08 Aug 2006 10:19:53 -0400
R. B. Rid*** wrote:
> --- Michael Scheidell <scheidell@xxxxxxxxxx> wrote:
>> R. B. Rid*** wrote:
>>> Why do you believe that /dev/random isn't seeded by networking?
>> because it isn't.
>> and pings aren't going to produce much random data.
> Hmm... Interesting...
>> it might feed it LATER, saving to /var/db/entropy, but when the system
>> is booted, and there are no keys in /etc/ssh and rc.d/sshd tried to
>> generate enough to feed to /dev/random, it doesn't
> Hopefully... I was under the impression that new "random" events are gathered
> continuously in order to create an always good source of random ...
yes, maybe, AFTER it boots, and during the day.
>> I can reproduce it 100% of the time, every time, all day long.
> OK... But I still don't understand why that is... Does it have an ethernet NIC?
yes, has nic card (how else would I be able to ssh into it later ;-)
> Is that sysctl (kern.random.sys.harvest.ethernet) set to 1 before rc.d/sshd
> starts?
no, rc.d/sshd doesn't touch that sysctl.
>> This would affect the generic stock 5.5 install disk as well (it doesn't
>> create new keys when it builds a virgin hard disk)
>> If a user just hits return, there is no error message, no indication
>> that /dev/random wasn't seeded.
>> Only two workarounds that I know of:
>> #1, put in more than 3 lines of garbage on console.
>> #2, put in more than 5 packets of garbage from ethernet
>> (which, acknowledged: if hacker is trying to seed known data to this
>> box, he could feed it known data)
> If I may add:
> I know another workaround: Create the key files during the install process,
> which has to be done quite handish anyway, if you do it on a far away deeply
> buried box... Or not?
We have a bootable CD rom, has a generic boot/network/vpn/ and dumpfiles
for virgin install.
cd rom uses restore to make new HD.
> I'd rather like to have different keys on different boxes. ssh client
> complains when it sees the same keys for several different ip addresses.
> -Arne
--
Michael Scheidell, CTO
SECNAP Network Security / www.secnap.com
scheidell@xxxxxxxxxx / 1+561-999-5000, x 1131
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
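Arne's suggestion (create the keys during the install) and Michael's note that the system saves entropy to /var/db/entropy only later point at a third option that keeps per-box keys: let the install CD write per-box entropy seed files into the freshly restored disk, so that /dev/random is fed saved entropy before rc.d/sshd generates host keys on first boot. The script below is an added example for this thread, not code from the posters or from FreeBSD. It assumes (both unverified here; check the rc scripts on your own 5.5 CD) that rc.d/random feeds every file under /var/db/entropy into /dev/random at boot and runs before rc.d/sshd, and that kern.random.sys.seeded reports the Yarrow seeded state on the installer host. The /mnt target path, the install-seed.N file names and the function names are my own choices.

```shell
#!/bin/sh
# Added example (not from the thread): pre-seed a freshly restored FreeBSD
# disk so rc.d/random feeds saved entropy into /dev/random before rc.d/sshd
# generates host keys on the first boot.
#
# Assumptions: FreeBSD 5.x rc.d/random feeds every file under entropy_dir
# (default /var/db/entropy) into /dev/random at boot and runs before
# rc.d/sshd; kern.random.sys.seeded is the Yarrow "seeded" flag.

ENTROPY_SRC=${ENTROPY_SRC:-/dev/random}   # the installer host's RNG
SEED_BYTES=4096                            # bytes per seed file
SEED_FILES=8                               # default number of seed files

# Refuse to hand out "entropy" from an installer host that is itself not
# seeded. On hosts without that sysctl (non-FreeBSD) the check is skipped,
# which is fine for the portable self-test but not for a real install CD.
installer_seeded() {
    state=$(sysctl -n kern.random.sys.seeded 2>/dev/null) || return 0
    [ "$state" = "1" ]
}

# seed_target ROOT [N]: write N distinct seed files under ROOT/var/db/entropy.
# Every box gets its own fresh seed, so boxes restored from one dump image
# still end up with different ssh host keys.
seed_target() {
    root=$1
    n=${2:-$SEED_FILES}
    dir="$root/var/db/entropy"

    installer_seeded || { echo "installer RNG not seeded, refusing" >&2; return 1; }
    mkdir -p "$dir" && chmod 700 "$dir" || return 1

    i=0
    while [ "$i" -lt "$n" ]; do
        f="$dir/install-seed.$i"
        dd if="$ENTROPY_SRC" of="$f" bs="$SEED_BYTES" count=1 2>/dev/null || return 1
        chmod 600 "$f" || return 1
        i=$((i + 1))
    done
    return 0
}

# count_seed_files ROOT: how many files rc.d/random will feed at boot.
count_seed_files() {
    ls "$1/var/db/entropy" 2>/dev/null | wc -l | tr -d ' '
}

# Usage from the install CD, after restore(8) has populated the new disk
# mounted on /mnt:
#   seed_target /mnt
```

Two caveats a practitioner will want. The seed files sit in the clear on the new disk from restore until first boot, so anyone who can read the disk (or the dump) in that window knows exactly what was fed to /dev/random, which is the same objection Michael raises against workaround #2 above. And the scheme is only as good as the installer host's own seeding: a CD-booted installer with no keyboard and a quiet network is in the very situation this thread describes, which is why the script refuses to run when the seeded flag is not set.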