Le 21/12/2013 16:06, Emmanuel Dreyfus a écrit :
I have that messages on an i386 6.1.2 Xen machine:
cprng cpu0-short: WARNING pseudorandom rekeying.
cprng 47814d1: WARNING pseudorandom rekeying.
cprng sysctl: WARNING pseudorandom rekeying.
What does it means? I just upgraded the kernel to 6.1.2 to regenerate
weak RSA keys generated on 6.0. The warning suggests pseudorandom
generator could be kinked. Is it safe to generate keys?
I suppose you get these messages at boot from a domU.
It means that the RNG was seeded with a (supposedly) bad state, e.g.
with not enough random bits to be deemed safe.
It is generally not safe to keep long term keys generated during that
state. The output of "rndctl -s" can show whether the situation is
tolerable and evolving (generally when the rc script load the
random_seed file).
IMHO long term keys should not be created directly from a domU, let
alone a VM; running a "dd if=/dev/random count=16 bs=1" can almost hang
indefinetly in a domU, or (even worse) output not-so-random bits with
other kind of VM subsystems (KVM without virtio-rng drivers). On a
generic host it should return almost instantly.
--
Jean-Yves Migeon
