Re: svn commit: r239569 - head/etc/rc.d

Board: FB_security, Posted: 2012/09/08 14:01
(shameless thread hijacking)

Speaking of rc.d and entropy, is the following code in /etc/rc.d/sshd really necessary?

    seeded=`sysctl -n kern.random.sys.seeded 2>/dev/null`
    if [ "x${seeded}" != "x" ] && [ ${seeded} -eq 0 ] ; then
        warn "Setting entropy source to blocking mode."
        echo "===================================================="
        echo "Type a full screenful of random junk to unblock"
        echo "it and remember to finish with <enter>. This will"
        echo "timeout in ${timeout} seconds, but waiting for"
        echo "the timeout without typing junk may make the"
        echo "entropy source deliver predictable output."
        echo ""
        echo "Just hit <enter> for fast+insecure startup."
        echo "===================================================="
        sysctl kern.random.sys.seeded=0 2>/dev/null
        read -t ${timeout} junk
        echo "${junk}" `sysctl -a` `date` > /dev/random
    fi

Considering, among other factors, how late in the boot sshd actually starts, and how much disk and / or network activity has occurred by that point.

I don't believe this was how it was initially supposed to work, by the way. The original code *intentionally* always blocked, but it was slightly obfuscated. Two years after it was written, someone who misunderstood it submitted a PR, and several other someones who didn't understand it either came up with an incorrect fix and committed it. Neither Mark, who wrote the original code, nor I, who was (and still am) the OpenSSH maintainer, were consulted.

BTW, it might be a good idea to run "/etc/rc.d/sshd keygen" from the installer if sshd is enabled during installation.

DES
-- 
Dag-Erling Smørgrav - des@des.no
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
Article ID (AID): #1GIjypI6 (FB_security)