Steve Comstock wrote:
William A. Rowe, Jr. wrote:
[snip]
Guessing there was no source of entropy. C.f. apr ./configure;
--with-egd[=DIR] use EGD-compatible socket
--with-devrandom[=DEV] use /dev/random or compatible [searches by default]
I'm glad you suggested that. It gives me the opportunity to
ask a few questions:
* I've heard of entropy in the physics sense; I've seen one
or two references to it in the software context; what
does "entropy" mean in the software context?
randomness that is not predicted, e.g. other than a pseudorandom sequence,
since these can be predicted.
* What creates entropy? What is the significance of your
suggested --with options?
In the PC sense, usually /dev/random or /dev/urandom, there are various
prngd alternatives. These work by deciding to watch sensors in the PC,
e.g. you might take a measurement of the cpu's temperature measured in
.001 degree (to .010), or the arrival timing of packets on the network,
etc. /dev/random does so for all bits of entropy, /dev/urandom does the
best it can with true bits of entropy, and makes up the difference with
pseudorandom data so that it won't block.
You must have one. bin/htpasswd was considered insecure, so it was
modified to grab a few mostly random bytes for seeding. (httpd project's
choice, not ours).
* What made you think, from my post, that there was no
source of entropy? What was your clue?
Someone else reported similar a while ago, and this parked itself away
in my brain for a month or two.
You mentioned apr_get_password - I had the same failure a couple of days
ago on HP/UX 11.11 (a new box) and realized that we hadn't installed the
HP/UX /dev/random, /dev/urandom drivers nor chosen a source like prngd.
Seeing as I'm done supporting 11.00, HP's driver made more sense.
http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=KRNG11I
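
A quick way to confirm the condition described in this message (no usable /dev/random or /dev/urandom on the box) before rebuilding APR. This is an added example, not code from the thread or from APR or httpd; `entropy_status` and `check_all` are hypothetical helper names, and the script covers only the device case, not an EGD or prngd socket.

```shell
#!/bin/sh
# Added example: classify candidate entropy device paths.
# entropy_status and check_all are hypothetical names, not part of APR or httpd.

# Prints one of: missing | not-chardev | unreadable | no-data | ok
entropy_status() {
    dev=$1
    want=16   # request only a few bytes so a blocking /dev/random is unlikely to stall
    [ -e "$dev" ] || { echo missing; return 0; }
    # A regular file sitting at the device path is not a driver.
    [ -c "$dev" ] || { echo not-chardev; return 0; }
    [ -r "$dev" ] || { echo unreadable; return 0; }
    # A node with no working driver behind it fails to open or read,
    # or returns fewer bytes than requested; both end up as no-data.
    got=$(dd if="$dev" bs=1 count="$want" 2>/dev/null | wc -c | tr -d ' ')
    if [ "$got" -eq "$want" ]; then echo ok; else echo no-data; fi
    return 0
}

# Report every path given; return 0 if at least one is usable, 1 otherwise.
check_all() {
    usable=1
    for d in "$@"; do
        s=$(entropy_status "$d")
        printf '%s: %s\n' "$d" "$s"
        [ "$s" = ok ] && usable=0
    done
    return "$usable"
}

# Stand-alone use: sh entropy_check.sh /dev/random /dev/urandom
[ "$#" -eq 0 ] || check_all "$@"
```

A `missing` or `no-data` result for both devices matches the situation above, where either the OS random drivers need installing or APR needs pointing at another source with one of the `--with-egd` / `--with-devrandom` options.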