Hi Florian,

Let me see if I understand you... First, where did you get the logs from: syslog or journald?

On Wed, 30 Apr 2014 14:02:11 +0200
Florian Weimer <fwei...@redhat.com> wrote:

> [...]
>
> Using /dev/urandom for key generation is fine once its pool is seeded.

Are you concerned that the PRNG is not seeded properly and hence the keys are cryptographically weak? I thought that openssh uses openssl which in turn has its own PRNG that is seeded from /dev/random and /dev/urandom.

> Using existing key generation algorithms with /dev/random instead does
> not work because they consume too much entropy and can block for
> significantly more time than just a few minutes.

Entropy is not a problem if you run a daemon like haveged. Indeed, archlinux iso images provide a service which generates 2048 bit gpg keys (for package signing) on each boot with no delay (and gpg uses /dev/random). Moreover, I run ssh-keygen on-boot to generate a volatile key for the root account, and the order of services appears to be correct (taken from journal -o verbose):

11:46:15.252713 CDT -- random: nonblocking pool is initialized
11:46:15.970371 CDT -- haveged is operational
11:46:17.576259 CDT -- ssh-keygen exits

Cheers,
L.

--
Leonid Isaev
GPG fingerprints: DA92 034D B4A8 EC51 7EA6 20DF 9291 EE8A 043C B8C4
                  C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
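
Added example (not part of the original message or of any project named in it): a Python check of the ordering argument in the mail above. It reads journal excerpts in the `time zone -- message` form quoted there and reports key-generation events logged before the kernel's "nonblocking pool is initialized" line. The function names and the second and third sample boots are constructed for illustration.

```python
from datetime import datetime

SEED_MARKER = "nonblocking pool is initialized"  # kernel line quoted in the mail

def parse_line(line):
    """Split 'HH:MM:SS.ffffff TZ -- message' into (time, message)."""
    stamp, _, message = line.partition(" -- ")
    clock = stamp.split()[0]  # drop the zone label; assumes one boot, one day
    return datetime.strptime(clock, "%H:%M:%S.%f").time(), message.strip()

def keygen_before_seed(lines, keygen_markers=("ssh-keygen",)):
    """Return key-generation events logged before the pool was seeded.

    If no seed line is present, every key-generation event is reported.
    An exit timestamp only bounds the read of random data from above, so
    logging the start of key generation gives a stricter check.
    """
    events = [parse_line(l) for l in lines if " -- " in l]
    seed_times = [t for t, msg in events if SEED_MARKER in msg]
    seeded_at = min(seed_times) if seed_times else None
    return [
        (t.isoformat(), msg)
        for t, msg in events
        if any(m in msg for m in keygen_markers)
        and (seeded_at is None or t < seeded_at)
    ]

# Excerpt as given in the mail.
MAIL_BOOT = [
    "11:46:15.252713 CDT -- random: nonblocking pool is initialized",
    "11:46:15.970371 CDT -- haveged is operational",
    "11:46:17.576259 CDT -- ssh-keygen exits",
]
# Constructed: key generation finishes before the pool is initialized.
EARLY_BOOT = [
    "11:46:14.100000 CDT -- ssh-keygen exits",
    "11:46:15.252713 CDT -- random: nonblocking pool is initialized",
]
# Constructed: the seed line never shows up in the excerpt.
UNSEEDED_BOOT = ["11:46:17.576259 CDT -- ssh-keygen exits"]

if __name__ == "__main__":
    for name, boot in [("mail", MAIL_BOOT), ("early", EARLY_BOOT),
                       ("unseeded", UNSEEDED_BOOT)]:
        print(name, keygen_before_seed(boot))
```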