On 30 Apr 2014 09:21, "Florian Weimer" <<a href="mailto:fweimer@redhat.com">fweimer@redhat.com</a>> wrote: > > On 04/29/2014 09:30 PM, Tom Gundersen wrote: > >> You can easily start the sockets early, but make the daemon itself >> wait for the key generation to finish. > > > Thanks. Can you provide an example? I guess the last three files here would have the right dependencies: <a href="https://projects.archlinux.org/svntogit/packages.git/tree/trunk?h=packages/openssh">https://projects.archlinux.org/svntogit/packages.git/tree/trunk?h=packages/openssh</a> > (I don't want to change the daemon code.) Your service needs to be socket activateable, which the default ssh daemon is not, but the per-instance version is. >> The only thing you then have to make sure is that the key generation >> blocks until the non-blocking pool is initialized (I assume that is >> what's being used?). For that I suppose you just need to make the >> kernel block /dev/urandom until that's the case, I have seen this >> being discussed, but don't know the status of those patches. > > > Would it be possible to do the blocking in a separate service? This way, it would be more visible in diagnostic tools, and it's not necessary to change all key generation code (including programs which just generation session keys). > > I don't know if we can change /dev/urandom to block because that doesn't look very backwards-compatible to me. I have seen Ted Ts'o write about wanting this, but I don't know much more. Alternatively the kernel could send us an event when it is ready, and we can have a service waiting for this, which other services can order against. Simply blocking in the kernel would be simpler though, if we can pull it off without breaking things... Cheers, Tom