[systemd-devel] Delaying (SSH) key generation until the urandom pool is initialized
Cristian Rodríguez
crrodriguez at opensuse.org
Tue Apr 29 12:29:32 PDT 2014
On 29/04/14 14:43, Florian Weimer wrote:
> The message at
> <https://mail.gnome.org/archives/ostree-list/2014-February/msg00010.html> contains
> two boot traces from virtual machines which show that the SSH key is
> generated before the kernel pool is sufficiently seeded.
>
> Would it be possible using socket activation to create the listening
> socket for SSH, but block the actual service startup until the keys have
> been generated after sufficient entropy became available?
>
> What would you need on the kernel side to implement the waiting?
> (Textual comparison of a log message is only good for a prototype.)
The device should block, but only until it is sufficiently
seeded... unfortunately I have seen it take a long time :-(
2014-04-29T12:13:24,000000-0400 --> system start
2014-04-29T12:14:51,007880-0400 --> random: nonblocking pool is initialized
On the systemd side we could avoid this by getting entropy from rdrand
if available.
Quite frankly, I think there is nothing we should do; this is something
that has to be fixed on the kernel side only.
--
Cristian
"I don't know the key to success, but the key to failure is trying to
please everybody."
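The thread above asks how a service could detect that the kernel pool is seeded rather than string-matching a log line. The script below is an added example (not code from this thread, systemd, or OpenSSH) showing the check a practitioner would use on Linux today: getrandom(2) with GRND_NONBLOCK fails with EAGAIN until the nonblocking pool is initialized, so a unit's pre-start step can poll it and refuse to generate keys until it succeeds. It also measures the seeding delay from boot-log lines shaped like the two quoted in the post. The fallback to /proc/sys/kernel/random/entropy_avail when getrandom is unavailable is a heuristic assumed here, not a guarantee of initialization, and the log lines are constructed from the post for illustration.

```python
"""Detect whether the kernel's urandom pool is initialized, wait for it, and
measure the seeding delay from boot-log lines like the ones in the post.

Added example: not part of the mailing-list thread, systemd, or OpenSSH.
"""
import os
import re
import time
from datetime import datetime

# Constructed from the two log lines quoted in the post (timestamps in the
# journalctl-style "YYYY-MM-DDTHH:MM:SS,ffffff-0400" form).
SAMPLE_BOOT_LOG = [
    "2014-04-29T12:13:24,000000-0400 --> system start",
    "2014-04-29T12:14:51,007880-0400 --> random: nonblocking pool is initialized",
]

_LOG_LINE = re.compile(r"^(\S+)\s+-->\s+(.*)$")


def pool_is_initialized():
    """Return True once the kernel reports its nonblocking pool as seeded.

    getrandom(2) with GRND_NONBLOCK (Linux >= 3.17, Python >= 3.6) raises
    BlockingIOError (EAGAIN) until the pool is initialized; once it returns
    bytes the pool is ready and key generation is safe from this angle.
    """
    if hasattr(os, "getrandom"):
        try:
            os.getrandom(1, os.GRND_NONBLOCK)
            return True
        except BlockingIOError:
            return False
    # Assumption: where getrandom is unavailable, a non-zero entropy_avail is
    # used as a weak hint only; it does not prove the pool was ever seeded.
    try:
        with open("/proc/sys/kernel/random/entropy_avail") as f:
            return int(f.read().strip()) > 0
    except OSError:
        return False  # cannot tell, so report "not ready"


def wait_for_pool(timeout_seconds=120.0, poll_interval=0.5):
    """Poll until the pool is initialized or the timeout expires.

    Returns True if the pool became ready, False on timeout. A pre-start
    step for a key-generating service would exit non-zero on False so the
    keys are never produced from an unseeded pool.
    """
    deadline = time.monotonic() + timeout_seconds
    while True:
        if pool_is_initialized():
            return True
        if time.monotonic() >= deadline:
            return False
        time.sleep(poll_interval)


def _parse_timestamp(text):
    """Parse 'YYYY-MM-DDTHH:MM:SS,ffffff-0400' into an aware datetime."""
    return datetime.strptime(text.replace(",", "."), "%Y-%m-%dT%H:%M:%S.%f%z")


def seed_delay_seconds(log_lines):
    """Seconds between 'system start' and the pool-initialized message.

    Returns None if either marker is missing from the log.
    """
    start = ready = None
    for line in log_lines:
        m = _LOG_LINE.match(line)
        if not m:
            continue
        stamp, message = m.groups()
        if message == "system start":
            start = _parse_timestamp(stamp)
        elif message.startswith("random: nonblocking pool is initialized"):
            ready = _parse_timestamp(stamp)
    if start is None or ready is None:
        return None
    return (ready - start).total_seconds()


if __name__ == "__main__":
    delay = seed_delay_seconds(SAMPLE_BOOT_LOG)
    print(f"pool initialized {delay:.3f}s after system start in the sample log")
    print("pool ready on this host:", pool_is_initialized())
```

Run as a script it reports that the sample boot reached a seeded pool about 87 seconds after start, the kind of gap the post is worried about, and whether the current host's pool is ready. In a unit, the same check can be run from a pre-start step with a timeout so that host-key generation waits instead of racing the seeder; the socket for SSH can still be bound earlier by socket activation, as the question in the thread suggests.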