Dropbear on ppc405

Miroslaw Dach miroslaw.dach at psi.ch
Thu Jun 21 23:08:13 WST 2007


Hi Matt,

Thank you for the detailed e-mail. I have done as you suggested: I have
changed /dev/random to /dev/urandom in options.h.

Now I no longer get the message referring to the entropy problem.
I am even able to run dropbear from inetd now. This is just great.

I do not, however, understand why I get the message below:

Not forking?


Thank you very much for your help and explanation.

Best Regards

Mirek



On Thu, 21 Jun 2007, Matt Johnston wrote:

> On Wed, Jun 20, 2007 at 10:39:18AM +0200, Miroslaw Dach wrote:
> > I am wondering what the meaning of "Not forking?" is.
> 
> It's just an informational message that it isn't going to be
> backgrounded (ie, the -F flag). I'll make that message
> clearer.
> 
> > The second time I started dropbear, I got:
> > 
> > failed reading /etc/dropbear/dropbear_rsa_host_key disabling RSA
> > Warning: Reading the random source seems to have blocked.
> > If you experience problems, you probably need to find a better entropy 
> > source.
> 
> The problem is that your system doesn't have enough entropy
> to run. You can make it use /dev/urandom (which won't block)
> instead of /dev/random by changing options.h. 
> 
> I'm considering making /dev/urandom the default, however
> this could mask a security issue in embedded systems. If the
> random number generator is initialised to the same state at
> every startup in every device produced, then it could be
> feasible for an attacker to defeat SSH's cryptographic
> security.  /dev/random is usually overkill, but it does
> provide a guarantee that the system has sufficient entropy.
> Ideally the kernel would provide a '/dev/brandom' that
> blocks initially, but behaves the same as urandom (not
> depleting entropy counts) once sufficient entropy has been
> gathered.
> 
> See http://lxr.linux.no/source/drivers/char/random.c for
> some comments on storing entropy between reboots.
> 
> > Is it somehow possible to run dropbear as a daemon or via inetd?
> 
> You can run it as a daemon by default, the -E -F flags are
> just for debugging. You can also run it with -i via inetd.
> 
> Cheers,
> Matt
> 

-- 
=============================================================================
          Miroslaw Dach (Miroslaw.Dach at psi.ch) - SLS/Controls Group 
                PSI - Paul Scherrer Institut CH-5232 Villigen
=============================================================================
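The "/dev/brandom" behaviour Matt wishes for above (block until the kernel pool is initialised, then read without depleting entropy counts) is what Linux later added as the getrandom(2) system call in kernel 3.17. The function below is an added example, not Dropbear code and not from this thread: it probes getrandom non-blockingly, blocks once if the pool is still uninitialised, and falls back to /dev/urandom on kernels without the call. It assumes Linux and the GRND_NONBLOCK flag value 0x0001 from the getrandom(2) man page.

```c
/* Added example, not Dropbear code: block only until the kernel pool is
 * initialised, then read freely, the "/dev/brandom" behaviour described above.
 * Assumes Linux getrandom(2); older kernels or other systems get /dev/urandom. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/syscall.h>
long syscall(long number, ...);  /* prototype in case a strict -std hides it */
#endif
#define GRND_NONBLOCK 0x0001     /* flag value from getrandom(2) */

/* Plain /dev/urandom read: never blocks, so it may hand out bytes from an
 * unseeded pool at early boot, which is the risk the thread warns about. */
static int read_urandom(unsigned char *buf, size_t len)
{
    FILE *f = fopen("/dev/urandom", "rb");
    size_t got = f ? fread(buf, 1, len, f) : 0;
    if (f) fclose(f);
    return got == len ? 0 : -1;
}

/* Fill buf with len random bytes; 0 on success, -1 on error. *waited becomes 1
 * when the pool was not yet initialised and the call had to block. */
int read_seed(unsigned char *buf, size_t len, int *waited)
{
    size_t got = 0;
    *waited = 0;
#if defined(__linux__) && defined(SYS_getrandom)
    while (got < len) {
        /* Probe without blocking: EAGAIN means the pool is still uninitialised. */
        long n = syscall(SYS_getrandom, buf + got, len - got, GRND_NONBLOCK);
        if (n < 0 && errno == EAGAIN) {
            *waited = 1;
            n = syscall(SYS_getrandom, buf + got, len - got, 0); /* blocks once */
        }
        if (n < 0) {
            if (errno == EINTR) continue;
            if (errno == ENOSYS) break;  /* kernel predates getrandom(2) */
            return -1;
        }
        got += (size_t)n;
    }
    if (got == len) return 0;
#endif
    return read_urandom(buf + got, len - got);
}
```

A caller generating a host key would log when `*waited` is set, since that is exactly the early-boot condition Dropbear's "random source seems to have blocked" warning points at.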


