Steve Rikli <s...@genyosha.net> writes: > So I have a working setup if needed, but I think there's a disconnect > in how/where $random_file is set, or documentation, or both. From the > man page it seems like /etc/rc.d/random_seed is intended to source > /etc/security.conf but it's apparently not happening.
My quick reaction is that while getting entropy is security-relevant, this situation doesn't make sense. Reading code briefly, I think /etc/security is saving entropy daily so that if there is a reboot, there will be fresher bits. I obviously didn't write that code -- if I did you could tell because there's be comment about 5x as long as the code :-) But seriously it's trickier because /etc/rc.d/random_seed stores on shutdown, and by default nothing is set for security. I'd say: The location of the file should be defined in one place, and rc.conf is the right place. I'm unclear on whether we have not-set/fallback as a preferred pattern in rc.d, vs set-in-defaults/use-it. I suspect we can avoid this question. There is a separate config knob about whether /etc/security should save random_seed daily. Arguably a boolean variable in /etc/security.conf could enable that. If /etc/security wants to save random_seed, I think it should just "/etc/rc.d/random_seed stop", which is sort of abusive because it relies on knowing that stop is save not stop, but maybe we can add a "checkpoint" verb.
