lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3F21771F.5080107@immunix.com>
Date: Fri, 25 Jul 2003 11:29:51 -0700
From: Crispin Cowan <crispin@...unix.com>
To: Kent Borg <kentborg@...g.org>
Subject: Re: ssh host key generation in Red Hat Linux


Kent Borg wrote:

>I recently installed Red Hat Linux 9 and noticed on the first boot a
>message about generating ssh host keys.  Isn't that a dangerous thing
>to do on the first boot?  Where is the installation going to get
>enough good entropy so early in its life?
>
>Maybe the paranoid thing to do is, as part of configuring a machine,
>to regenerate those keys once user interaction (or other entropy
>source) has had time to really stir the Linux entropy pool.
>
SSH is likely getting it's entropy from /dev/random. The kernel will 
decide whether there is enough entropy in the /dev/random entropy pool, 
and block reads until the pool fills.

This pool, in turn, is going to have pleanty of entropy generated by 
timing jitter in disk I/O interrupts.

To experiment with this, run the command:

cat /dev/random | od -cx
  

It will dump for a while and then stop. Then type a key. Then move your 
mouse. Wait for a cron job to start up and watch what it does. Etc. etc.

Disclaimer: there is dispute in the crypto community about the hashing 
done in /dev/urandom (note the 'u') which never blocks. /dev/urandom 
just recycles the entropy pool with a PRNG, and people have variable 
faith in the quality of PRNG's.

Crispin

-- 
Crispin Cowan, Ph.D.           http://immunix.com/~crispin/
Chief Scientist, Immunix       http://immunix.com
            http://www.immunix.com/shop/




Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ