[systemd-devel] Delaying (SSH) key generation until the urandom pool is initialized

Tom Gundersen teg at jklm.no
Wed Apr 30 04:56:40 PDT 2014


On Wed, Apr 30, 2014 at 1:08 PM, Lennart Poettering
<lennart at poettering.net> wrote:
> On Tue, 29.04.14 20:43, Florian Weimer (fweimer at redhat.com) wrote:
>
>> The message at <https://mail.gnome.org/archives/ostree-list/2014-February/msg00010.html>
>> contains two boot traces from virtual machines which show that the
>> SSH key is generated before the kernel pool is sufficiently seeded.
>
> Are you saying ssh reads from /dev/urandom rather than /dev/random, but
> it should be reading from the latter? What does that have to do with
> systemd?
>
>> Would it be possible using socket activation to create the listening
>> socket for SSH, but block the actual service startup until the keys
>> have been generated after sufficient entropy became available?
>>
>> What would you need on the kernel side to implement the waiting?
>> (Textual comparison of a log message is only good for a prototype.)
>
> This already exists. It's called /dev/random...
>
> Not sure I understand what you are asking for...

I guess what he wants is to only read from /dev/urandom once it is
properly initialized, i.e., after the kernel logs:

[    4.249760] random: nonblocking pool is initialized

Using /dev/random would also do the trick, but I guess in almost all
cases that is completely unnecessary (assuming the pool has been
initialized that is).

-t
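The wait Tom describes, as an added example that is not from the thread: on kernels with getrandom(2) (Linux 3.17, which postdates this April 2014 discussion) the "nonblocking pool is initialized" state can be queried directly instead of matching the kernel log line. The function names are my own.

```c
/* Added example, not from the thread: query the pool state via getrandom(2). */
#include <errno.h>
#include <stdio.h>
#include <sys/random.h>
#include <sys/types.h>

/* Returns 1 if the urandom pool is initialized, 0 if it is not yet, and -1
 * on an unexpected error. GRND_NONBLOCK makes getrandom() fail with EAGAIN
 * instead of blocking while the pool is still unseeded. */
int pool_is_initialized(void)
{
    unsigned char probe;
    ssize_t n = getrandom(&probe, sizeof probe, GRND_NONBLOCK);
    if (n == (ssize_t)sizeof probe)
        return 1;
    if (n < 0 && errno == EAGAIN)
        return 0;
    return -1;
}

/* Fills buf with len bytes of key material. With flags == 0 getrandom()
 * blocks inside the kernel until the pool has been initialized, which is
 * exactly the "wait until seeded" step the thread asks for. Handles short
 * reads and EINTR; returns 0 on success, -1 on error. */
int fill_key_material(unsigned char *buf, size_t len)
{
    size_t got = 0;
    while (got < len) {
        ssize_t n = getrandom(buf + got, len - got, 0);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        got += (size_t)n;
    }
    return 0;
}

int main(void)
{
    unsigned char key[32];  /* e.g. seed for a host key generator */
    if (fill_key_material(key, sizeof key) != 0) {
        perror("getrandom");
        return 1;
    }
    printf("pool initialized: %d, got %zu key bytes\n",
           pool_is_initialized(), sizeof key);
    return 0;
}
```

A service that must not start before the pool is seeded can call fill_key_material() (or getrandom() with flags 0) once at startup; on a normally running system the blocking call returns immediately.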
