Dropbear on ppc405
Miroslaw Dach
miroslaw.dach at psi.ch
Thu Jun 21 23:08:13 WST 2007
Hi Matt,
Thank you for the detailed e-mail. I have done as you have
suggested: I have changed /dev/random to /dev/urandom in options.h.
Now I no longer get the message referring to the entropy problem.
I am even able now to run dropbear from inetd. This is just great.
I do not, however, understand why I get this message below:
Not forking?
Thank you very much for your help and explanation.
Best Regards
Mirek
On Thu, 21 Jun 2007, Matt Johnston wrote:
> On Wed, Jun 20, 2007 at 10:39:18AM +0200, Miroslaw Dach wrote:
> > I am wondering what is the meaning of : Not forking?
>
> It's just an informational message that it isn't going to be
> backgrounded (ie, the -F flag). I'll make that message
> clearer.
>
> > second time when I have started the dropbear I have got:
> >
> > failed reading /etc/dropbear/dropbear_rsa_host_key disabling RSA
> > Warning: Reading the random source seems to have blocked.
> > If you experience problems, you probably need to find a better entropy
> > source.
>
> The problem is that your system doesn't have enough entropy
> to run. You can make it use /dev/urandom (which won't block)
> instead of /dev/random by changing options.h.
>
> I'm considering making /dev/urandom the default, however
> this could mask a security issue in embedded systems. If the
> random number generator is initialised to the same state at
> every startup in every device produced, then it could be
> feasible for an attacker to defeat SSH's cryptographic
> security. /dev/random is usually overkill, but it does
> provide a guarantee that the system has sufficient entropy.
> Ideally the kernel would provide a '/dev/brandom' that
> blocks initially, but behaves the same as urandom (not
> depleting entropy counts) once sufficient entropy has been
> gathered.
>
> See http://lxr.linux.no/source/drivers/char/random.c for
> some comments on storing entropy between reboots.
>
> > Is it somehow possible to run dropbear as a daemon or via inetd?
>
> You can run it as a daemon by default, the -E -F flags are
> just for debugging. You can also run it with -i via inetd.
>
> Cheers,
> Matt
>
--
=============================================================================
Miroslaw Dach (Miroslaw.Dach at psi.ch) - SLS/Controls Group
PSI - Paul Scherrer Institut CH-5232 Villigen
=============================================================================
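The thread above asks for a random source that blocks only until the kernel has gathered enough entropy and then behaves like /dev/urandom. On Linux kernels 3.17 and later, getrandom(2) called with flags=0 does exactly that: it blocks until the pool is initialised once and never blocks afterwards. The following C program is an added example written for this archive page; it is not Dropbear's code and not Matt's. It tries getrandom(2) first and, where that syscall is unavailable, falls back to reading the device path chosen at build time (here /dev/urandom, mirroring the options.h change discussed in the thread). The function and macro names are this example's own.

```c
/* Added example (not Dropbear's code): fetch random bytes in the
 * "blocks until seeded, then never blocks" manner the thread wishes for.
 * Build: cc -o seeded_random seeded_random.c  (Linux; POSIX fallback elsewhere) */
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#if defined(__linux__)
#include <sys/random.h>   /* getrandom(2), glibc 2.25+ */
#endif

/* Device used when getrandom(2) is not available. The thread's options.h
 * change picks /dev/urandom so reads never block on low entropy counts. */
#ifndef FALLBACK_RANDOM_DEV
#define FALLBACK_RANDOM_DEV "/dev/urandom"
#endif

/* Read exactly len bytes from a character device; 0 on success, -1 on error. */
static int read_random_device(const char *path, unsigned char *buf, size_t len) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    size_t got = 0;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n < 0) {
            if (errno == EINTR) continue;   /* interrupted, retry */
            close(fd);
            return -1;
        }
        if (n == 0) break;                  /* unexpected EOF */
        got += (size_t)n;
    }
    close(fd);
    return got == len ? 0 : -1;
}

/* Fill buf with len random bytes. On Linux, getrandom(buf, len, 0) blocks
 * only while the kernel pool is still uninitialised (typically early boot
 * on an embedded board), which is the property /dev/random guarantees
 * without /dev/random's later blocking on entropy estimates. */
int get_seeded_random(unsigned char *buf, size_t len) {
#if defined(__linux__)
    size_t got = 0;
    while (got < len) {
        ssize_t n = getrandom(buf + got, len - got, 0);
        if (n < 0) {
            if (errno == EINTR) continue;
            if (errno == ENOSYS) break;     /* pre-3.17 kernel: use fallback */
            return -1;
        }
        got += (size_t)n;
    }
    if (got == len) return 0;
#endif
    return read_random_device(FALLBACK_RANDOM_DEV, buf, len);
}

/* Sanity check a host-key-sized request: 1 if 32 bytes were obtained and
 * are not all zero (a crude guard against a silently failing source). */
int seeded_random_self_test(void) {
    unsigned char buf[32];
    memset(buf, 0, sizeof buf);
    if (get_seeded_random(buf, sizeof buf) != 0) return 0;
    for (size_t i = 0; i < sizeof buf; i++) {
        if (buf[i] != 0) return 1;
    }
    return 0;
}

int main(void) {
    unsigned char buf[16];
    if (get_seeded_random(buf, sizeof buf) != 0) {
        perror("get_seeded_random");
        return 1;
    }
    for (size_t i = 0; i < sizeof buf; i++) printf("%02x", buf[i]);
    printf("\nself test: %s\n", seeded_random_self_test() ? "ok" : "FAILED");
    return 0;
}
```

The point for an embedded deployment is that the check happens at the right moment: a host key generated before the pool is seeded is the scenario Matt describes, and getrandom(2) with flags=0 refuses to return bytes until that has happened, whereas a plain read of /dev/urandom on an old kernel will not.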