[systemd-devel] Delaying (SSH) key generation until the urandom pool is initialized
Florian Weimer
fweimer at redhat.com
Wed Apr 30 00:21:26 PDT 2014
On 04/29/2014 09:30 PM, Tom Gundersen wrote:
> You can easily start the sockets early, but make the daemon itself
> wait for the key generation to finish.
Thanks. Can you provide an example?
(I don't want to change the daemon code.)
> The only thing you then have to make sure is that the key generation
> blocks until the non-blocking pool is initialized (I assume that is
> what's being used?). For that I suppose you just need to make the
> kernel block /dev/urandom until that's the case, I have seen this
> being discussed, but don't know the status of those patches.
Would it be possible to do the blocking in a separate service? This
way, it would be more visible in diagnostic tools, and it's not
necessary to change all key generation code (including programs which
just generate session keys).
I don't know if we can change /dev/urandom to block because that doesn't
look very backwards-compatible to me.
--
Florian Weimer / Red Hat Product Security Team
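An added example, not code from the thread or from systemd: a minimal "wait until the pool is initialized" program of the kind a separate service could run before key-generating units. It relies on getrandom(2), which appeared in Linux 3.17 (after this message was written), and assumes Linux with glibc 2.25 or later for the sys/random.h wrapper; the unit name in the comment is hypothetical.

```c
/* wait-for-crng.c
 * Blocks until the kernel's non-blocking pool (the urandom CSPRNG) is
 * initialized, then exits 0. Meant for a oneshot unit such as the
 * hypothetical crng-ready.service, which key-generating services
 * (e.g. the sshd key generation step) can order After= and Requires=.
 * Assumes Linux >= 3.17 and glibc >= 2.25 (getrandom wrapper). */
#include <errno.h>
#include <stdio.h>
#include <sys/random.h>
#include <sys/types.h>

/* Non-blocking probe: 1 = pool initialized, 0 = not yet, -1 = error.
 * GRND_NONBLOCK makes getrandom fail with EAGAIN instead of waiting
 * when the CRNG is not ready, which is exactly the condition we want
 * to expose to diagnostics rather than silently sleep through. */
int crng_ready(void) {
    unsigned char b;
    ssize_t n = getrandom(&b, sizeof b, GRND_NONBLOCK);
    if (n == 1)
        return 1;
    if (n < 0 && errno == EAGAIN)
        return 0;
    return -1;
}

/* Blocking wait: with flags == 0 getrandom does not return until the
 * CRNG is initialized. Returns 0 once it is, -1 on a real error. */
int wait_for_crng(void) {
    unsigned char b;
    for (;;) {
        ssize_t n = getrandom(&b, sizeof b, 0);
        if (n == 1)
            return 0;
        if (n < 0 && errno == EINTR)
            continue; /* interrupted by a signal; keep waiting */
        return -1;
    }
}

int main(void) {
    if (wait_for_crng() != 0) {
        perror("getrandom");
        return 1;
    }
    return 0;
}
```

Because the wait lives in its own process, `systemctl status` and the journal show how long boot spent waiting for entropy, and no key-generating daemon needs its code changed.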