I strongly agree with the main idea here:
"entropy pool should be seeded earlier in boot process"

Here are some numbers that quantify the magnitude of the problem:

  prior startup script          #bits
  (mountall)                    18816
  (mounted-run)                 21888
  (sshd server)                 35616
  (network-interface : lo)      55968
  (network-interface : eth0)    68832
  (urandom)                     79168

For details on what these numbers mean, see
http://www.av8n.com/computer/htm/secure-random.htm#sec-discuss

Steve Langasek (vorlon) wrote on 2013-05-17:

> I think we do want to translate /etc/init.d/urandom to an upstart job

Agreed! That will help a lot.

> not sure at present how to write it correctly

It's not hard. A very specific suggestion for how it might be done can
be found here:
http://www.av8n.com/cgit/cgit.cgi/init-urandom/

1) Add init/urandom.conf
2) Add init/urandom-save.conf
3) Remove all references to init.d/urandom from rc?.d/
4) Optionally add a factor of "urandom" to the startup conditions
   in init/ssh.conf. This will make init.ssh.conf correspond more
   closely to the old sysvinit init.d/ssh

This (a) ports the urandom stuff to upstart, (b) initializes the PRNG
much earlier, and (c) does a better job of refreshing the stored
seed.

I am under no illusions that this initializes the PRNG early enough
in absolute terms ... but it is very very much earlier in relative
terms. It is a big step in the right direction.

In any case, porting it to upstart also improves things in a number
of ways.

Let me know if you have questions.
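What the four steps amount to, as an added illustration rather than the job files from the init-urandom link above: the start events, the seed path and the poolsize arithmetic are my assumptions, modelled on what the old sysvinit init.d/urandom did.

```upstart
# --- /etc/init/urandom.conf (step 1) ---
description "seed the kernel random pool from the saved seed, early in boot"
# Assumption: wait only for local filesystems so the seed file is readable;
# this fires long before network-interface and ssh, unlike rc?.d/urandom.
start on local-filesystems
task

script
    SEED=/var/lib/urandom/random-seed
    # poolsize is reported in bits; convert to bytes for dd
    POOLBYTES=$(( $(cat /proc/sys/kernel/random/poolsize) / 8 ))
    mkdir -p "$(dirname "$SEED")"
    # Mix last boot's seed into the pool. Writing to /dev/urandom adds
    # no entropy credit, so this does not inflate the kernel's estimate.
    if [ -f "$SEED" ]; then
        cat "$SEED" > /dev/urandom
    fi
    # Refresh the seed right away: a crash before shutdown must not
    # replay the same seed on the next boot.
    umask 077
    dd if=/dev/urandom of="$SEED" bs="$POOLBYTES" count=1 2>/dev/null
end script

# --- /etc/init/urandom-save.conf (step 2) ---
description "refresh the saved random seed at halt/reboot"
start on runlevel [06]
task

script
    SEED=/var/lib/urandom/random-seed
    POOLBYTES=$(( $(cat /proc/sys/kernel/random/poolsize) / 8 ))
    umask 077
    dd if=/dev/urandom of="$SEED" bs="$POOLBYTES" count=1 2>/dev/null
end script

# --- step 4, optional: in /etc/init/ssh.conf, gate sshd on the task having
#     run (for a task job, "started urandom" is emitted once it completes) ---
# start on (filesystem and started urandom)
```

Step 3 is just removing the S*urandom/K*urandom symlinks from /etc/rc?.d/ so the sysvinit script and the upstart task do not both run.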