Re: seeding dev/random in 5.5
- From: Brooks Davis <brooks@xxxxxxxxxxxxxxxxxx>
- Date: Wed, 9 Aug 2006 08:08:42 -0500
On Wed, Aug 09, 2006 at 12:17:35AM -0700, R. B. Rid*** wrote:
--- Doug Barton <dougb@xxxxxxxxxxx> wrote:
The patches you sent to implement this option didn't come through to the
mailing list, could you resend them please? :)
Seriously though, a lot of people looked at this problem when yarrow was
introduced, and no solution became immediately apparent. So, if someone
wants to take a crack at implementing something, knock yourself out.
Since this is the security mailing list, I would like to direct the attention
on the following points:
* I see in the CD-procedure the problem, that a postman, who is more
sophisticated than in Leslie Nielsen's "Naked Gun 33 1/3" movie, might exchange
the media, so that you let your Netherlandish install something you don't know and/or
like. Workaround: Do you use a checksum over the media (`md5 < /dev/acd0`) and
transmit that checksum in a different way (maybe email)?
* I received a private communication yesterday about this matter. But the list
did not. I will cite (not literally) a little bit out of that message: Since
you do not know anything about the remotely created host-key, you cannot connect
safely to the freshly installed box, because: You do not even know the
signature of the new host-key, so that if you connect to the wrong box you would
not even know. Workaround: You could give all hosts the same well-known
host-key (via your install-image-CD) and then you could change the host-key in a
remotely controlled way individually and note down the signature? Maybe my
secret informer (let's call him Rasmus or RK) wants to come public... :-)
These are valid if probably overly paranoid points. :)
* But what if the postman (see first point) already knows the host-key from
reading the CD? Then he could log in to your boxes...
This isn't true. The host key lets you impersonate the host. It
does not do anything related to log in (unless you use host based
auth).
-- Brooks
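
The two workarounds quoted in this message (a media checksum sent over a separate channel, and a noted-down host-key signature) can be checked as in the following added example, which is not code from the thread. It assumes SHA-256 in place of the `md5` named in the mail, an OpenSSH-format public key line, and a constructed sample key; all function names are hypothetical.

```python
import base64, hashlib, hmac, struct

def media_digest(stream, chunk=1 << 20):
    """Hex SHA-256 of install media read from a binary file object, in chunks."""
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(chunk), b""):
        h.update(block)
    return h.hexdigest()

def parse_pubkey(line):
    """Return (key_type, blob) from an OpenSSH public key line (ssh_host_*_key.pub)."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    # The blob begins with a length-prefixed copy of the key type; reject a mismatch.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("key type does not match key blob")
    return key_type, blob

def fingerprint(line):
    """SHA256 fingerprint in the form OpenSSH prints: unpadded base64 of the blob hash."""
    _, blob = parse_pubkey(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")

def matches_noted(line, noted):
    """True only if the key offered now has the fingerprint noted down earlier."""
    return hmac.compare_digest(fingerprint(line), noted.strip())

def constructed_key(seed):
    # Constructed sample: 32 deterministic bytes stand in for a real Ed25519 host key.
    raw = hashlib.sha256(seed).digest()
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(raw)) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " root@constructed"

if __name__ == "__main__":
    installed = constructed_key(b"freshly installed box")
    noted = fingerprint(installed)          # value written down out of band
    impostor = constructed_key(b"some other box")
    print("noted fingerprint:", noted)
    print("installed box matches:", matches_noted(installed, noted))
    print("other box matches:", matches_noted(impostor, noted))
```

Both values only help if they reach the installer over a channel the person handling the media cannot alter, which is the point of the "different way" in the first workaround.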