seeding dev/random in 5.5
Michael Scheidell
scheidell at secnap.net
Tue Aug 8 14:02:01 UTC 2006
R. B. Riddick wrote:
> I was under the impression that kern.random.sys.harvest.ethernet is 1 by default.
>
> That would mean that ethernet traffic to that deeply buried box should feed
> that /dev/random until it is fat and round...
>
> Why do you believe that /dev/random isn't seeded by networking?
>
because it isn't.
and pings aren't going to produce much random data.
it might feed it LATER, saving to /var/db/entropy, but when the system
is booted, and there are no keys in /etc/ssh and rc.d/sshd tried to
generate enough to feed to /dev/random, it doesn't.
At least in this case, this box, this os, this chipset. Only one I have
seen like this.
It's a showstopper. Box won't start remote sshd, can only get at it via
console.
Not sure why the reluctance to even acknowledge that there could be a
minor fix/patch that could prevent dead box and a ${miles=hundreds} trek
to bring it back.
if it's never happened to you, then you may not have the exact
combination I have.
I can reproduce it 100% of the time, every time, all day long.
Only two workarounds that I know of:
#1, put in more than 3 lines of garbage on console.
#2, put in more than 5 packets of garbage from ethernet
(which, acknowledged: if hacker is trying to seed known data to this
box, he could feed it known data)
--
Michael Scheidell, CTO
SECNAP Network Security / www.secnap.com
scheidell at secnap.net / 1+561-999-5000, x 1131
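The failure described in this message is sshd blocking at boot because host-key generation reads from an unseeded /dev/random. The script below is an added example, not code from the thread or from FreeBSD itself: it reseeds the pool from the saved /var/db/entropy files, then polls the kernel until it reports the pool seeded (with a timeout, so an unlucky box fails loudly instead of hanging), and only then runs key generation. It assumes the FreeBSD 5.x/6.x Yarrow sysctl `kern.random.sys.seeded`, that writing to /dev/random mixes data into the pool (as the rc scripts rely on), and that `/etc/rc.d/sshd keygen` is available; the probe and sleep commands are parameters so the waiting logic can be exercised without a real kernel.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): gate sshd host-key generation
# on the kernel RNG reporting itself seeded, rather than letting rc.d/sshd block.
#
# Assumptions (labelled): FreeBSD 5.x/6.x Yarrow exposes kern.random.sys.seeded,
# saved pool files live under /var/db/entropy (as the message says), and the
# rc script supports "/etc/rc.d/sshd keygen".

RNG_SYSCTL=${RNG_SYSCTL:-kern.random.sys.seeded}
ENTROPY_DIR=${ENTROPY_DIR:-/var/db/entropy}
MAX_WAIT=${MAX_WAIT:-60}   # seconds to wait before giving up (assumed value)

# Probe: exit 0 only when the kernel says the pool has been seeded.
rng_probe() {
    v=$(sysctl -n "$RNG_SYSCTL" 2>/dev/null) || return 1
    [ "$v" = "1" ]
}

# Feed every saved entropy file in DIR back into /dev/random, so a box that has
# been up before does not start from an empty pool. Returns 0 if at least one
# file was written, 1 if the directory is missing or empty.
reseed_from_saved() {
    dir=$1
    [ -d "$dir" ] || return 1
    n=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        cat "$f" > /dev/random 2>/dev/null && n=$((n + 1))
    done
    [ "$n" -gt 0 ]
}

# wait_for_rng PROBE LIMIT [SLEEP]
# Call PROBE up to LIMIT times, running SLEEP (default "sleep 1") between
# attempts. Returns 0 as soon as PROBE succeeds, 1 once LIMIT is exhausted.
wait_for_rng() {
    probe=$1
    limit=$2
    pause=${3:-sleep 1}
    waited=0
    while ! "$probe"; do
        waited=$((waited + 1))
        [ "$waited" -lt "$limit" ] || return 1
        $pause
    done
    return 0
}

# Boot-time path: reseed, wait for the kernel to confirm, then generate keys.
# On timeout we log and exit non-zero instead of hanging the boot on /dev/random.
if [ "${1:-}" = "run" ]; then
    reseed_from_saved "$ENTROPY_DIR" || logger -t rng-gate "no saved entropy in $ENTROPY_DIR"
    if wait_for_rng rng_probe "$MAX_WAIT"; then
        logger -t rng-gate "RNG seeded, generating ssh host keys"
        /etc/rc.d/sshd keygen
    else
        logger -t rng-gate "RNG still unseeded after ${MAX_WAIT}s; not generating host keys"
        exit 1
    fi
fi
```

Run it as `sh rng-gate.sh run` from an early rc hook; the `run` argument keeps the functions loadable for testing without side effects. The timeout is the point: a box that cannot seed itself should leave a clear log line and a non-zero exit rather than a silent hang at the console.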