[Bug 1098299] Re: entropy pool should be seeded earlier in boot process
John Denker
lp at av8n.com
Wed Nov 6 22:23:45 UTC 2013
I strongly agree with the main idea here:
"entropy pool should be seeded earlier in boot process"
Here are some numbers that quantify the magnitude
of the problem:

    startup script                 prior #bits
    (mountall)                           18816
    (mounted-run)                        21888
    (sshd server)                        35616
    (network-interface : lo)             55968
    (network-interface : eth0)           68832
    (urandom)                            79168
For details on what these numbers mean, see
http://www.av8n.com/computer/htm/secure-random.htm#sec-discuss
Steve Langasek (vorlon) wrote on 2013-05-17:
> I think we do want to translate /etc/init.d/urandom to an upstart job
Agreed! That will help a lot.
> not sure at present how to write it correctly
It's not hard. A very specific suggestion for how it might be done can
be found here:
http://www.av8n.com/cgit/cgit.cgi/init-urandom/
1) Add init/urandom.conf
2) Add init/urandom-save.conf
3) Remove all references to init.d/urandom from rc?.d/
4) Optionally add a factor of "urandom" to the startup conditions
in init/ssh.conf. This will make init/ssh.conf correspond more
closely to the old sysvinit init.d/ssh.
This (a) ports the urandom stuff to upstart, (b) initializes the PRNG
much earlier, and (c) does a better job of refreshing the stored
seed.
I am under no illusions that this initializes the PRNG early enough
in absolute terms ... but it is very very much earlier in relative
terms. It is a big step in the right direction.
In any case, porting it to upstart also improves things in a number
of ways.
Let me know if you have questions.
--
https://bugs.launchpad.net/bugs/1098299
Title:
entropy pool should be seeded earlier in boot process
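The restore-then-refresh seed handling that items (b) and (c) above call for, as an added shell example; this is constructed for illustration and is not code from the init-urandom repository. The seed file path /var/lib/urandom/random-seed is an assumption, and the device and sizes are parameters so the functions can be exercised against ordinary files without root.

```shell
#!/bin/sh
# Constructed example, not the author's init-urandom code.
# Device, seed file and size are parameters so the functions can be
# tested against regular files instead of the real /dev/urandom.

SEEDFILE=/var/lib/urandom/random-seed   # assumed location

# Bytes to keep in the seed file: kernel pool size in bits / 8,
# falling back to 512 bytes when the sysctl cannot be read.
seed_bytes() {
    pool=$(cat "${1:-/proc/sys/kernel/random/poolsize}" 2>/dev/null)
    case "$pool" in
        ''|*[!0-9]*) echo 512 ;;
        *) echo $((pool / 8)) ;;
    esac
}

# Shutdown (and right after restore): write a fresh seed with mode
# 0600 via a temp file, so a half-written seed is never left behind.
save_seed() {
    seedfile=$1; dev=$2; n=$3
    tmp="$seedfile.tmp"
    umask 077
    head -c "$n" "$dev" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$seedfile"
}

# Boot: feed the saved seed into the pool, then immediately replace
# the file, so a crash before the shutdown save never replays the
# same seed on the next boot. Appending is harmless on a char device.
restore_seed() {
    seedfile=$1; dev=$2; n=$3
    if [ -s "$seedfile" ]; then
        cat "$seedfile" >> "$dev" || return 1
    fi
    save_seed "$seedfile" "$dev" "$n"
}

# Dispatch only when called as "start" or "stop" (as an init job would).
case "${1:-}" in
    start) restore_seed "$SEEDFILE" /dev/urandom "$(seed_bytes)" ;;
    stop)  save_seed "$SEEDFILE" /dev/urandom "$(seed_bytes)" ;;
esac
```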