[systemd-devel] Delaying (SSH) key generation until the urandom pool is initialized

Tom Gundersen teg at jklm.no
Wed Apr 30 01:23:14 PDT 2014


On 30 Apr 2014 09:21, "Florian Weimer" <fweimer at redhat.com> wrote:
>
> On 04/29/2014 09:30 PM, Tom Gundersen wrote:
>
>> You can easily start the sockets early, but make the daemon itself
>> wait for the key generation to finish.
>
>
> Thanks.  Can you provide an example?

I guess the last three files here would have the right dependencies:
https://projects.archlinux.org/svntogit/packages.git/tree/trunk?h=packages/openssh

> (I don't want to change the daemon code.)

Your service needs to be socket activatable, which the default ssh daemon
is not, but the per-instance version is.

>> The only thing you then have to make sure is that the key generation
>> blocks until the non-blocking pool is initialized (I assume that is
>> what's being used?). For that I suppose you just need to make the
>> kernel block /dev/urandom until that's the case, I have seen this
>> being discussed, but don't know the status of those patches.
>
>
> Would it be possible to do the blocking in a separate service?  This way,
> it would be more visible in diagnostic tools, and it's not necessary to
> change all key generation code (including programs which just generate
> session keys).
>
> I don't know if we can change /dev/urandom to block because that doesn't
> look very backwards-compatible to me.

I have seen Ted Ts'o write about wanting this, but I don't know much more.
Alternatively the kernel could send us an event when it is ready, and we
can have a service waiting for this, which other services can order
against. Simply blocking in the kernel would be simpler though, if we can
pull it off without breaking things...

Cheers,

Tom
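The socket-activated arrangement Tom points to (socket early, key generation as its own unit, per-connection daemon instances ordered after it), spelled out as an added example. These are constructed unit files written for this note, not the Arch package's own files, and the key paths under /etc/ssh and the binary paths under /usr/bin are assumptions:

```ini
# sshd.socket -- created early at boot; the kernel queues incoming
# connections until the per-connection instance below is started.
[Unit]
Description=OpenSSH per-connection server socket
Conflicts=sshd.service

[Socket]
ListenStream=22
Accept=yes

[Install]
WantedBy=sockets.target

# sshdgenkeys.service -- one-shot host key generation. The triggering
# conditions ("|") make it a no-op once the keys already exist.
# (constructed example; paths assumed)
[Unit]
Description=SSH host key generation
ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key
ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key

[Service]
Type=oneshot
ExecStart=/usr/bin/ssh-keygen -A
RemainAfterExit=yes

# sshd@.service -- instantiated by sshd.socket for each accepted
# connection. Requires= pulls in key generation and After= makes this
# instance wait until it has finished, so no daemon ever serves a
# connection before the host keys exist. Note that the socket itself
# did not wait; only the instance does.
[Unit]
Description=OpenSSH per-connection server daemon
Requires=sshdgenkeys.service
After=sshdgenkeys.service

[Service]
ExecStart=-/usr/bin/sshd -i
StandardInput=socket
StandardError=syslog
```

What this does and does not solve: the ordering only delays each sshd instance until ssh-keygen has exited. ssh-keygen still reads /dev/urandom whenever it runs, so whether the generated keys were drawn from an initialized pool depends on the kernel blocking (or signalling readiness) as discussed above, which this unit layout does not address. Checking that sshdgenkeys.service is active before the first instance starts is visible in `systemctl status` and the journal, which is the diagnostic visibility Florian asks for.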