<p dir="ltr"><br>
On 30 Apr 2014 09:21, "Florian Weimer" <<a href="mailto:fweimer@redhat.com">fweimer@redhat.com</a>> wrote:<br>
><br>
> On 04/29/2014 09:30 PM, Tom Gundersen wrote:<br>
><br>
>> You can easily start the sockets early, but make the daemon itself<br>
>> wait for the key generation to finish.<br>
><br>
><br>
> Thanks. Can you provide an example?</p>
<p dir="ltr">I guess the last three files here would have the right dependencies: <br>
<a href="https://projects.archlinux.org/svntogit/packages.git/tree/trunk?h=packages/openssh">https://projects.archlinux.org/svntogit/packages.git/tree/trunk?h=packages/openssh</a></p>
<p dir="ltr">> (I don't want to change the daemon code.)</p>
<p dir="ltr">Your service needs to be socket activateable, which the default ssh daemon is not, but the per-instance version is.</p>
<p dir="ltr">>> The only thing you then have to make sure is that the key generation<br>
>> blocks until the non-blocking pool is initialized (I assume that is<br>
>> what's being used?). For that I suppose you just need to make the<br>
>> kernel block /dev/urandom until that's the case, I have seen this<br>
>> being discussed, but don't know the status of those patches.<br>
><br>
><br>
> Would it be possible to do the blocking in a separate service? This way, it would be more visible in diagnostic tools, and it's not necessary to change all key generation code (including programs which just generation session keys).<br>
><br>
> I don't know if we can change /dev/urandom to block because that doesn't look very backwards-compatible to me.</p>
<p dir="ltr">I have seen Ted Ts'o write about wanting this, but I don't know much more. Alternatively the kernel could send us an event when it is ready, and we can have a service waiting for this, which other services can order against. Simply blocking in the kernel would be simpler though, if we can pull it off without breaking things...</p>
<p dir="ltr">Cheers,</p>
<p dir="ltr">Tom<br>
</p>