[systemd-devel] Delaying (SSH) key generation until the urandom pool is initialized

Tom Gundersen teg at jklm.no
Tue Apr 29 12:30:51 PDT 2014


On Tue, Apr 29, 2014 at 8:43 PM, Florian Weimer <fweimer at redhat.com> wrote:
> The message at
> <https://mail.gnome.org/archives/ostree-list/2014-February/msg00010.html>
> contains two boot traces from virtual machines which show that the SSH key
> is generated before the kernel pool is sufficiently seeded.
>
> Would it be possible using socket activation to create the listening socket
> for SSH, but block the actual service startup until the keys have been
> generated after sufficient entropy became available?
>
> What would you need on the kernel side to implement the waiting? (Textual
> comparison of a log message is only good for a prototype.)

You can easily start the sockets early, but make the daemon itself
wait for the key generation to finish.

The only thing you then have to make sure is that the key generation
blocks until the non-blocking pool is initialized (I assume that is
what's being used?). For that I suppose you just need to make the
kernel block /dev/urandom until that's the case. I have seen this
being discussed, but don't know the status of those patches.

Cheers,

Tom
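What "block until the pool is initialized" looks like from user space, as an added example that is not part of this thread: the getrandom(2) system call, merged into Linux (3.17) a few months after this message, blocks with flags 0 until the kernel's urandom pool is initialized, unlike a read of /dev/urandom, which returns immediately; with GRND_NONBLOCK it returns EAGAIN instead, which a key-generation step can use to report readiness. It assumes Linux with glibc 2.25 or newer; the function names are the example's own.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/random.h>

/* Returns 1 if the kernel reports its urandom pool initialized, 0 if a
 * blocking getrandom() would wait (EAGAIN), -1 on any other error.
 * GRND_NONBLOCK turns "not yet seeded" into EAGAIN instead of a wait. */
int pool_is_initialized(void) {
    unsigned char probe[1];
    ssize_t n = getrandom(probe, sizeof probe, GRND_NONBLOCK);
    if (n == 1) return 1;
    if (n < 0 && errno == EAGAIN) return 0;
    return -1;
}

/* Fills buf with len bytes, blocking (flags = 0) until the pool is
 * initialized. Handles EINTR and short reads; 0 on success, -1 on error. */
int fill_seeded(unsigned char *buf, size_t len) {
    size_t got = 0;
    while (got < len) {
        ssize_t n = getrandom(buf + got, len - got, 0);
        if (n < 0) {
            if (errno == EINTR) continue;   /* interrupted while waiting */
            return -1;
        }
        got += (size_t)n;
    }
    return 0;
}

/* Sanity check: a buffer filled from a seeded pool is never all zeros. */
int buffer_is_all_zero(const unsigned char *buf, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (buf[i]) return 0;
    return 1;
}

/* 1 if a 32-byte seed (the size of an Ed25519 secret) was obtained
 * after waiting for the pool and is not all zeros, else 0. */
int seed_demo_ok(void) {
    unsigned char seed[32];
    return fill_seeded(seed, sizeof seed) == 0
        && !buffer_is_all_zero(seed, sizeof seed);
}

int main(void) {
    int ready = pool_is_initialized();
    printf("pool initialized before wait: %s\n",
           ready == 1 ? "yes" : ready == 0 ? "no (would block)" : "unknown");
    printf("seed obtained after wait: %s\n", seed_demo_ok() ? "yes" : "no");
    return EXIT_SUCCESS;
}
```

A key generator started as `ExecStartPre=` of the socket-activated sshd service would call the blocking form, so the daemon's own start is delayed exactly until the pool is seeded rather than until a log line appears.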

