On 2013-May-31 12:01:02 +0200, Dirk-Willem van Gulik <di...@webweaving.org> wrote: > Thanks to a badly-written mngt script - >we've rencently noticed a freshly generated ssh-key on a new AWS >instances to be indentical to one seen a few months prior. ... >I am surmising that perhaps the (micro-T) images do not have that >much entropy on startup.
This is a fairly common issue - typically, the first thing a newly installed system does immediately after a boot (when it has the least entropy available) is to generate its SSH host keys. >Now we happen to have very easy access to blocks of 1024bits of >randomness from a remote server in already nicely PKI signed packages >(as it is needed later for something else). Obtaining entropy from another machine is an option but you need to ensure that the source is trustworthy, you only use the entropy once and that the entropy can't be intercepted by anyone else. >Or does this cause a loss/reset of all entropy gathered by the hardware sofar ? As others have indicated, no. Writing to /dev/random can't reduce the available entropy. > Or is there a cleaner way to add a additional seed as a one-off with >disturbing as little as possible (in the few seconds just after the >network is brought up). If this needs to be done automatically, not really. If there's a person available, you could use the "please type a screen full of random junk" approach and feed both the inter-character timings (which should be done automatically via IRQ harvesting) and junk into /dev/random. -- Peter Jeremy
pgpeZ4geVWmT_.pgp
Description: PGP signature
