On Wed, Dec 2, 2015 at 10:25 PM, Josh Datko <jbda...@gmail.com> wrote:
> On Wed, 2015-12-02 at 19:41 -0600, Robert Nelson wrote:
>> On Wed, Dec 2, 2015 at 7:24 PM, Josh Datko <jbda...@gmail.com> wrote:
>
>> #Regenerate ssh host keys
>> if [ -f /etc/ssh/ssh.regenerate ] ; then
>>   rm -rf /etc/ssh/ssh_host_* || true
>>   dpkg-reconfigure openssh-server
>>   sync
>>   if [ -s /etc/ssh/ssh_host_ecdsa_key.pub ] ; then
>>     rm -f /etc/ssh/ssh.regenerate || true
>>     sync
>>   fi
>>   if [ -f /etc/init.d/ssh ] ; then
>>     /etc/init.d/ssh restart
>>   fi
>> fi
>>
>> https://github.com/RobertCNelson/omap-image-builder/blob/master/target/init_scripts/generic-debian.sh#L41-L53
>>
>
> So, it's a bit late, and I'm a bit groggy, but I think this is where the
> issue might be. It's not good enough just to call regenerate if the
> entropy pool isn't properly seeded, otherwise the key generated will be
> predictable.
>
> And while the hwrng is enabled I don't think it actively contributes to
> the kernel entropy pool. I *thought* that is where there is the user
> space rngd daemon, but again... tired...
>
> The issue is the creation of /var/lib/systemd/random-seed, which
> could/should be done by dd'ing from /dev/hwrng to this file. If software
> creates this, then it will be predictable.
And I'm not an expert either, so with 4.1.13-ti-r34:

debian@test-bbb-3:~$ uname -r
4.1.13-ti-r34
debian@test-bbb-3:~$ journalctl | grep entropy
Dec 02 04:15:42 test-bbb-3 kernel: random: systemd-udevd urandom read with 10 bits of entropy available

That's before the init script runs...

>> So ignoring the root login over 22 with no password... or
>> nodejs/bonescript/etc.. At least the key is safe. ;)
>
> touche, we are plugging a leak while water is pouring over our heads :)
> I still advocate removing the no password root login thing.

Regards,

--
Robert Nelson
https://rcn-ee.com/
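The two fixes the thread converges on (seed the pool from /dev/hwrng before anything reads it, and do not regenerate host keys while the pool is nearly empty) can be combined into a first-boot helper like the one below. This is an added example, not code from the thread or from omap-image-builder; the 256-bit threshold, the 60-second wait, and the path variables are assumptions, and it must run as root to do anything useful.

```shell
#!/bin/sh
# Added example (not from the thread or omap-image-builder): seed the kernel
# pool from the hardware RNG, then gate SSH host-key regeneration on the
# kernel's own entropy estimate. Thresholds and paths are assumptions.

ENTROPY_FILE=${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}
HWRNG=${HWRNG:-/dev/hwrng}
SEED_FILE=${SEED_FILE:-/var/lib/systemd/random-seed}
MIN_ENTROPY=${MIN_ENTROPY:-256}   # bits; assumed minimum before key generation

# Print the kernel's current entropy estimate, or 0 if it cannot be read.
entropy_avail() {
    if [ -r "$ENTROPY_FILE" ]; then
        cat "$ENTROPY_FILE"
    else
        echo 0
    fi
}

# Succeed only when the pool holds at least $1 bits (default: MIN_ENTROPY).
entropy_ok() {
    avail=$(entropy_avail)
    [ "$avail" -ge "${1:-$MIN_ENTROPY}" ]
}

# Write hardware-RNG bytes to the systemd seed file (so the next boot is
# seeded by real randomness, not by something software produced) and mix
# them into the kernel pool. Note: writing to /dev/urandom mixes the bytes
# in but does not raise the entropy estimate; crediting entropy is what
# rngd does via the RNDADDENTROPY ioctl. That is why entropy_ok is still
# checked afterwards instead of assumed.
seed_from_hwrng() {
    [ -r "$HWRNG" ] || return 1
    dd if="$HWRNG" of="$SEED_FILE" bs=512 count=1 2>/dev/null || return 1
    chmod 600 "$SEED_FILE"
    dd if="$HWRNG" of=/dev/urandom bs=512 count=1 2>/dev/null
}

# Regenerate the host keys only once the pool is seeded; give up after $1
# seconds (default 60) rather than minting a key from a 10-bit pool.
regenerate_host_keys() {
    tries=${1:-60}
    seed_from_hwrng || true
    while ! entropy_ok; do
        tries=$((tries - 1))
        [ "$tries" -gt 0 ] || return 1
        sleep 1
    done
    rm -f /etc/ssh/ssh_host_*
    dpkg-reconfigure openssh-server
}
```

In the first-boot script this would replace the bare `dpkg-reconfigure openssh-server` call: run `regenerate_host_keys` and only remove `/etc/ssh/ssh.regenerate` when it returns 0, so a boot that timed out on entropy retries the regeneration next time instead of shipping a weak key. Pairing it with rngd (which credits /dev/hwrng output to the pool) is what makes the wait finish quickly on a BeagleBone.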