On Tue, May 24, 2016 at 1:23 PM, Leo Famulari <[email protected]> wrote:
> On Tue, May 24, 2016 at 12:26:29PM -0400, Thompson, David wrote:
>> On Tue, May 24, 2016 at 12:16 PM, Leo Famulari <[email protected]> wrote:
>> > On Tue, May 24, 2016 at 09:05:21AM +0200, Taylan Ulrich Bayırlı/Kammer
>> > wrote:
>> >> Leo Famulari <[email protected]> writes:
>> >> > Does anyone have advice about the service? Am I wrong that we need to
>> >> > seed /dev/urandom to make it work properly?
>> >>
>> >> Yes, this is necessary under Linux if you want urandom to be random
>> >> enough immediately after boot, and all the distros do it as part of
>> >> their init.
>> >>
>> >> There's also an interesting implication here about the very first time
>> >> you boot the system and don't have a urandom seed file from the last
>> >> shutdown yet. I don't know how this is typically handled, given that
>> >> for instance it's quite possible that a user might generate SSH keys
>> >> shortly after their first boot of a system.
>> >
>> > When I boot a GuixSD VM for the first time [0], it requires me to dance
>> > on the keyboard until it has collected ~200 bits of entropy. I assumed
>> > this is to properly bootstrap the CSPRNG in /dev/urandom, but I'm not
>> > sure.
>>
>> This is just an annoying feature of GNU lsh. I want to switch my
>> machines to OpenSSH sometime, partly due to this.
>
> Well, it seems that this feature might be protecting us against using
> weak SSH session keys on first boot, if it's doing what I think it's
> doing...

It impedes automated provisioning of servers, which OpenSSH does not do.

- Dave
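As an added example, not code from the thread or from the GuixSD service under discussion: a minimal seed save/restore pair of the kind the distro init scripts Taylan mentions run, plus the first-boot pool check that lsh's keyboard dance stands in for. The default paths are assumed, and all paths are parameters so the functions can be exercised against ordinary files.

```shell
#!/bin/sh
# Added example (not from the thread or from GuixSD): seed save/restore
# of the kind distro init scripts run, plus a first-boot pool check.
# Paths are parameters so the functions work against ordinary files;
# the defaults are assumed, not taken from any particular distro.

SEED_BYTES=512   # 4096 bits, comparable to the kernel input pool

# Boot: feed the saved seed into the pool. Returns 1 on first boot
# (no seed file yet). Caveat: writing to /dev/urandom mixes the
# bytes in but does not raise entropy_avail; only a privileged
# ioctl credits entropy, so a restored seed alone won't end the
# "dance on the keyboard" that a strict entropy check demands.
restore_seed() {
    seed_file=${1:-/var/lib/random-seed}
    rng_dev=${2:-/dev/urandom}
    if [ ! -s "$seed_file" ]; then
        echo "no seed file yet: first boot, pool is unseeded" >&2
        return 1
    fi
    cat "$seed_file" > "$rng_dev" || return 1
    # Replace the seed at once so a crash cannot replay it next boot.
    save_seed "$seed_file" "$rng_dev"
}

# Shutdown (and right after restore): write fresh bytes, mode 0600,
# via a temp file so a power loss mid-write leaves the old seed intact.
save_seed() {
    seed_file=${1:-/var/lib/random-seed}
    rng_dev=${2:-/dev/urandom}
    ( umask 077 && dd if="$rng_dev" of="$seed_file.tmp" \
        bs="$SEED_BYTES" count=1 2>/dev/null ) || return 1
    mv "$seed_file.tmp" "$seed_file"
}

# First-boot check before generating long-lived keys (SSH host keys):
# is the kernel's own estimate at least min_bits? Argument is the
# path to entropy_avail, a parameter only so it can be tested.
entropy_ok() {
    avail_file=${1:-/proc/sys/kernel/random/entropy_avail}
    min_bits=${2:-256}
    avail=$(cat "$avail_file" 2>/dev/null) || return 1
    [ "$avail" -ge "$min_bits" ]
}
```

On a real host the restore step runs as root early in init and the save step at shutdown; an automated provisioner that must mint host keys on first boot has only entropy_ok to tell it whether the pool is ready.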
