Dropbear on ppc405

Matt Johnston matt at ucc.asn.au
Thu Jun 21 14:36:41 WST 2007


On Wed, Jun 20, 2007 at 10:39:18AM +0200, Miroslaw Dach wrote:
> I am wondering what is the meaning of: Not forking?

It's just an informational message that it isn't going to be
backgrounded (i.e., the -F flag). I'll make that message
clearer.

> second time when I have started the dropbear I have got:
> 
> failed reading /etc/dropbear/dropbear_rsa_host_key disabling RSA
> Warning: Reading the random source seems to have blocked.
> If you experience problems, you probably need to find a better entropy 
> source.

The problem is that your system doesn't have enough entropy
to run. You can make it use /dev/urandom (which won't block)
instead of /dev/random by changing options.h. 

I'm considering making /dev/urandom the default, however
this could mask a security issue in embedded systems. If the
random number generator is initialised to the same state at
every startup in every device produced, then it could be
feasible for an attacker to defeat SSH's cryptographic
security.  /dev/random is usually overkill, but it does
provide a guarantee that the system has sufficient entropy.
Ideally the kernel would provide a '/dev/brandom' that
blocks initially, but behaves the same as urandom (not
depleting entropy counts) once sufficient entropy has been
gathered.

See http://lxr.linux.no/source/drivers/char/random.c for
some comments on storing entropy between reboots.

> Is it somehow possible to run dropbear as a daemon or via inetd?

You can run it as a daemon by default, the -E -F flags are
just for debugging. You can also run it with -i via inetd.

Cheers,
Matt
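The "blocks initially, then behaves like urandom once seeded" device that Matt wishes for above was later provided on Linux by the getrandom(2) system call (kernel 3.17, 2014): with flags set to 0 it blocks only until the kernel pool has been seeded once, and with GRND_NONBLOCK it reports EAGAIN instead of blocking while the pool is still uninitialised. The program below is an added example, not Dropbear code and not something from Matt's mail: it probes the pool's seeding state without blocking, reads seed material in the seeded-or-wait fashion described (falling back to /dev/urandom only where getrandom is unavailable), and applies a crude all-same-byte sanity check of the kind an embedded device with a reset-to-constant generator would fail. The function names and the fallback policy are the example's own choices.

```c
/* Added example: seeding checks in the style of the '/dev/brandom'
   behaviour discussed on the list. Not part of Dropbear. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#ifdef __linux__
#include <sys/random.h>
#endif

enum seed_status { SEED_READY = 0, SEED_NOT_READY = 1, SEED_UNAVAILABLE = 2 };

/* Ask the kernel, without blocking, whether its pool has been seeded.
   getrandom(2) with GRND_NONBLOCK fails with EAGAIN while the pool is
   still uninitialised after boot; once seeded it never blocks again. */
enum seed_status kernel_pool_status(void) {
#ifdef __linux__
    unsigned char probe[1];
    ssize_t n = getrandom(probe, sizeof probe, GRND_NONBLOCK);
    if (n == (ssize_t)sizeof probe) return SEED_READY;
    if (n < 0 && errno == EAGAIN) return SEED_NOT_READY;
    return SEED_UNAVAILABLE; /* e.g. ENOSYS on a pre-3.17 kernel */
#else
    return SEED_UNAVAILABLE;
#endif
}

/* Fill buf with len bytes of seed material. Blocks until the pool has
   been seeded (getrandom with flags 0) rather than draining /dev/random
   or trusting a possibly unseeded /dev/urandom. Falls back to reading
   /dev/urandom only where getrandom does not exist. Returns 0 on
   success, -1 on failure. */
int read_seed(unsigned char *buf, size_t len) {
    size_t got = 0;
    FILE *f;
    size_t r;
#ifdef __linux__
    while (got < len) {
        ssize_t n = getrandom(buf + got, len - got, 0);
        if (n < 0) {
            if (errno == EINTR) continue;
            if (errno == ENOSYS) break; /* old kernel: use the file fallback */
            return -1;
        }
        got += (size_t)n;
    }
    if (got == len) return 0;
#endif
    f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    r = fread(buf + got, 1, len - got, f);
    fclose(f);
    return (r == len - got) ? 0 : -1;
}

/* Crude sanity check: a buffer made of a single repeated byte value is
   not usable seed material (an unseeded generator returning all zeros,
   for example). Returns 1 if at least two distinct byte values occur,
   0 otherwise. This catches only the grossest failure, not a generator
   that is deterministic but non-constant. */
int seed_looks_nonconstant(const unsigned char *buf, size_t len) {
    size_t i;
    for (i = 1; i < len; i++)
        if (buf[i] != buf[0]) return 1;
    return 0;
}

int main(void) {
    unsigned char seed[32];
    printf("kernel pool status: %d\n", (int)kernel_pool_status());
    if (read_seed(seed, sizeof seed) != 0) {
        perror("read_seed");
        return 1;
    }
    printf("seed looks nonconstant: %d\n",
           seed_looks_nonconstant(seed, sizeof seed));
    return 0;
}
```

On a host that has been up for a while, kernel_pool_status() returns SEED_READY; the SEED_NOT_READY case is what an early-boot service on an entropy-starved embedded board would see, which is exactly the situation the blocking /dev/random read in Dropbear was guarding against.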

