Dropbear on ppc405

Rob Landley rob at landley.net
Fri Jun 22 05:48:29 WST 2007 

On Thursday 21 June 2007 02:36:41 Matt Johnston wrote:
> On Wed, Jun 20, 2007 at 10:39:18AM +0200, Miroslaw Dach wrote:
> > I am wandering what is the meaning of : Not forking?
>
> It's just an informational message that it isn't going to be
> backgrounded (ie, the -F flag). I'll make that message
> clearer.
>
> > second time when I have started the dropbear I have got:
> >
> > failed reading /etc/dropbear/dropbear_rsa_host_key disabling RSA
> > Warning: Reading the random source seems to have blocked.
> > If you experience problems, you probably need to find a better entropy
> > source.
>
> The problem is that your system doesn't have enough entropy
> to run. You can make it use /dev/urandom (which won't block)
> instead of /dev/random by changing options.h.
>
> I'm considering making /dev/urandom the default, however
> this could mask a security issue in embedded systems. If the
> random number generator is initialised to the same state at
> every startup in every device produced, then it could be
> feasible for an attacker to defeat SSH's cryptographic
> security.  /dev/random is usually overkill, but it does
> provide a guarantee that the system has sufficient entropy.
> Ideally the kernel would provide a '/dev/brandom' that
> blocks initially, but behaves the same as urandom (not
> depleting entropy counts) once sufficient entropy has been
> gathered.

You can fake that in userspace.  You can do a non-blocking read 
from /dev/random to detect whether or not there's any entropy in there, and 
you can write it back if you get any so as not to deplete the pool.  Or 
simply do your very first (blocking) read from /dev/random and then do 
subsequent reads from /dev/urandom if that's the behavior you want.

> See http://lxr.linux.no/source/drivers/char/random.c for
> some comments on storing entropy between reboots.

On shutdown:
  dd if=/dev/urandom of=/tmp/.random bs=512 count=1

On startup:
  cat /tmp/.random > /dev/urandom
  rm /tmp/.random

> > Is it somehow possible to run dropbear as a daemon or via inetd?
>
> You can run it as a daemon by default, the -E -F flags are
> just for debugging. You can also run it with -i via inetd.
>
> Cheers,
> Matt

Rob
-- 
"One of my most productive days was throwing away 1000 lines of code."
  - Ken Thompson.

More information about the Dropbear mailing list