On Wed, 2015-12-02 at 19:41 -0600, Robert Nelson wrote: > On Wed, Dec 2, 2015 at 7:24 PM, Josh Datko <jbda...@gmail.com> wrote:
> #Regenerate ssh host keys > if [ -f /etc/ssh/ssh.regenerate ] ; then > rm -rf /etc/ssh/ssh_host_* || true > dpkg-reconfigure openssh-server > sync > if [ -s /etc/ssh/ssh_host_ecdsa_key.pub ] ; then > rm -f /etc/ssh/ssh.regenerate || true > sync > fi > if [ -f /etc/init.d/ssh ] ; then > /etc/init.d/ssh restart > fi > fi > > https://github.com/RobertCNelson/omap-image-builder/blob/master/target/init_scripts/generic-debian.sh#L41-L53 > So, it's a bit late, and I'm a bit grogy but I think this is where the issue might be. It's not good enough just to call regenerate if the entropy pool isn't properly seeded, otherwise the key generated will be predictable. And while the hwrng is enable I don't think it actively contributes to the kernel entropy pool. I *thought* that is where there is the user space rngd daemon, but again... tired... The issue is the creation of /var/lib/systemd/random-seed, which could/should be done by dd'ing from /dev/hwrng to this file. If software creates this, then it will be predictable. > So ignoring the root login over 22 with no password... or > nodejs/bonescript/etc.. At least the key is safe. ;) touche, we are plugging a leak while water is pouring over our heads :) I still advocate removing the the no password root login thing. -- For more options, visit http://beagleboard.org/discuss --- You received this message because you are subscribed to the Google Groups "BeagleBoard" group. To unsubscribe from this group and stop receiving emails from it, send an email to beagleboard+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.