From mboxrd@z Thu Jan 1 00:00:00 1970 From: Leo Famulari Subject: bug#23605: /dev/urandom not seeded across reboots Date: Tue, 24 May 2016 13:23:29 -0400 Message-ID: <20160524172329.GA5216@jasmine> References: <20160523175832.GA10646@jasmine> <87shx8j5qm.fsf@T420.taylan> <20160524161617.GC29516@jasmine> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:44692) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1b5G3u-0006Hf-Bg for bug-guix@gnu.org; Tue, 24 May 2016 13:24:11 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1b5G3p-0000mf-4f for bug-guix@gnu.org; Tue, 24 May 2016 13:24:09 -0400 Received: from debbugs.gnu.org ([208.118.235.43]:52527) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1b5G3m-0000lL-91 for bug-guix@gnu.org; Tue, 24 May 2016 13:24:05 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1b5G3m-00084u-5e for bug-guix@gnu.org; Tue, 24 May 2016 13:24:02 -0400 Sender: "Debbugs-submit" Resent-Message-ID: Content-Disposition: inline In-Reply-To: List-Id: Bug reports for GNU Guix List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org Sender: "bug-Guix" To: "Thompson, David" Cc: 23605@debbugs.gnu.org On Tue, May 24, 2016 at 12:26:29PM -0400, Thompson, David wrote: > On Tue, May 24, 2016 at 12:16 PM, Leo Famulari wrote: > > On Tue, May 24, 2016 at 09:05:21AM +0200, Taylan Ulrich Bayırlı/Kammer wrote: > >> Leo Famulari writes: > >> > Does anyone have advice about the service? Am I wrong that we need to > >> > seed /dev/urandom to make it work properly? > >> > >> Yes, this is necessary under Linux if you want urandom to be random > >> enough immediately after boot, and all the distros do it as part of > >> their init. > >> > >> There's also an interesting implication here about the very first time > >> you boot the system and don't have a urandom seed file from the last > >> shutdown yet. I don't know how this is typically handled, given that > >> for instance it's quite possible that a user might generate SSH keys > >> shortly after their first boot of a system. > > > > When I boot a GuixSD VM for the first time [0], it requires me to dance > > on the keyboard until it has collected ~200 bits of entropy. I assumed > > this is to properly bootstrap the CSPRNG in /dev/urandom, but I'm not > > sure. > > This is just an annoying feature of GNU lsh. I want to switch my > machines to OpenSSH sometime, partly due to this. Well, it seems that this feature might be protecting us against using weak SSH session keys on first boot, if it's doing what I think it's doing...