Re: Weird pop3d hang problem (fd blocked?!)
On Thu, 5 Jun 2003, John Alton Tamplin wrote:

> And in particular you may not want to do this if you are generating RSA private keys or equivalent on a machine that anyone else may have shell access to.

Yes, in theory. From the manual:

> The /dev/random device is suitable for use when very high quality randomness is desired (e.g. for key generation), as it will only return a maximum of the number of bits of randomness (as estimated by the random number generator) contained in the entropy pool.
>
> The /dev/urandom device does not have this limit, and will return as many bytes as are requested. As more and more random bytes are requested without giving time for the entropy pool to recharge, this will result in lower quality random numbers. For many applications, however, this is acceptable. The returned values are theoretically vulnerable to a cryptographic attack on the algorithms used by the driver. Knowledge of how to do this is not available in the current non-classified literature, but it is theoretically possible that such an attack may exist. If this is a concern in your application, use /dev/random instead.

See the word *theoretically*. Didn't urandom gather some data from network interfaces too, so it may be affected? Nobody knows when it takes data from device nr X.

/dev/urandom appeared in Solaris since version 8 (patch). random's device number is 8 while urandom's is 9. What about if there is a config option for this device?

Best regards,
++Titus | Veli Pirttila
Re: Weird pop3d hang problem (fd blocked?!)
foobar wrote:

> See the word *theoretically*. Didn't urandom gather some data from network interfaces too, so it may be affected? Nobody knows when it takes data from device nr X.

My point was simply that before you decide to link random to urandom for the sake of Cyrus, you should consider the impact that will have on other applications that need random numbers. If others have access to your machine and you are generating private keys, they could exhaust all the entropy from /dev/random, read enough of /dev/urandom to determine the position in the sequence, and then know what random numbers your key generation code used. Granted, it is far-fetched and a lot of work, but when you are building a key that will be used for years and could compromise other keys if revealed, it pays to be safe.

> /dev/urandom appeared in Solaris since version 8 (patch). random's device number is 8 while urandom's is 9. What about if there is a config option for this device?

When you build SASL, just define -DDEV_RANDOM=/dev/urandom.

-- 
John A. Tamplin                Unix System Administrator
Emory University, School of Public Health    +1 404/727-9931
Re: Weird pop3d hang problem (fd blocked?!)
On Thu, Jun 05, 2003 at 11:14:47AM +1000, Stewart wrote:

> Thanks for your reply Patrick (all 8 of them :) but I was hoping there'd be a fix that didn't involve compiling.. this is a production server installed from a Debian pkg so compilation isn't really an option at this stage..

Last time I ran out of entropy, I had to log in and do an ls -R / to get the password prompt :-) I believe moving the mouse might also work, but as said box has no keyboard/mouse/monitor, and as collection from network packet timestamps is now deemed unsafe as the network traffic may be styled by an attacker(!), the number of sources of entropy is sadly low - time of disk access when most data remains in NetBSD's Unified Buffer Cache (that's why the ls worked)? So, I went for the recompile...

Maybe you have a Debian bell/whistle for this instead?

Good luck,

Patrick
Re: Weird pop3d hang problem (fd blocked?!)
On Linux, there is the i810_rng driver that can gather entropy from some Intel chipset hardware random number generators. Debian have a package to use this driver as a feed for the kernel entropy pool.

My 0.02$

On Thu, Jun 05, 2003 at 07:03:31PM +0100, Patrick Welche wrote:

> On Thu, Jun 05, 2003 at 11:14:47AM +1000, Stewart wrote:
>
> > Thanks for your reply Patrick (all 8 of them :) but I was hoping there'd be a fix that didn't involve compiling.. this is a production server installed from a Debian pkg so compilation isn't really an option at this stage..
>
> Last time I ran out of entropy, I had to log in and do an ls -R / to get the password prompt :-) I believe moving the mouse might also work, but as said box has no keyboard/mouse/monitor, and as collection from network packet timestamps is now deemed unsafe as the network traffic may be styled by an attacker(!), the number of sources of entropy is sadly low - time of disk access when most data remains in NetBSD's Unified Buffer Cache (that's why the ls worked)? So, I went for the recompile...
>
> Maybe you have a Debian bell/whistle for this instead?
>
> Good luck,
>
> Patrick

-- 
Etienne Goyer                    Linux Québec Technologies Inc.
http://www.LinuxQuebec.com       [EMAIL PROTECTED]
Re: Weird pop3d hang problem (fd blocked?!)
On Thu, 5 Jun 2003, Stewart wrote:

> Thanks for your reply Patrick (all 8 of them :) but I was hoping there'd be a fix that didn't involve compiling.. this is a production server installed from a Debian pkg so compilation isn't really an option at this stage..

You can symlink /dev/random to point at /dev/urandom, but keep in mind that will affect all applications, not just cyrus.

-Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper
Re: Weird pop3d hang problem (fd blocked?!)
Rob Siemborski wrote:

> You can symlink /dev/random to point at /dev/urandom, but keep in mind that will affect all applications, not just cyrus.

And in particular you may not want to do this if you are generating RSA private keys or equivalent on a machine that anyone else may have shell access to. I would think that whoever packaged it chose poorly.

-- 
John A. Tamplin                Unix System Administrator
Emory University, School of Public Health    +1 404/727-9931
Re: Weird pop3d hang problem (fd blocked?!)
Thanks for your reply Patrick (all 8 of them :) but I was hoping there'd be a fix that didn't involve compiling.. this is a production server installed from a Debian pkg so compilation isn't really an option at this stage..

cheers,
..S.

On Thursday, June 5, 2003, at 02:43 AM, Patrick Welche wrote:

> On Wed, Jun 04, 2003 at 04:41:59PM +1000, Stewart wrote:
>
> > On Saturday, May 31, 2003, at 01:33 AM, Ken Murchison wrote:
> >
> > > foobar wrote:
> > >
> > > > No, I didn't check if I was out of entropy (random).
> > >
> > > This is most likely your problem, since the pop3d banner includes a random challenge for APOP.
> >
> > that sounds very much like what has started happening to me this afternoon. I'm sorry I don't know how to reset my entropy :-) can someone post the fix? (cyrus 2.1 debian ppc)
>
> cf. the configure option:
>
>   --with-devrandom=PATH   set the path to /dev/random [/dev/random]
>
> so you could --with-devrandom=/dev/urandom as it just gives out pseudo-random numbers once the entropy runs out rather than block.
>
> Cheers,
>
> Patrick
Re: Weird pop3d hang problem (fd blocked?!)
On Wed, Jun 04, 2003 at 04:41:59PM +1000, Stewart wrote:

> On Saturday, May 31, 2003, at 01:33 AM, Ken Murchison wrote:
>
> > foobar wrote:
> >
> > > No, I didn't check if I was out of entropy (random).
> >
> > This is most likely your problem, since the pop3d banner includes a random challenge for APOP.
>
> that sounds very much like what has started happening to me this afternoon. I'm sorry I don't know how to reset my entropy :-) can someone post the fix? (cyrus 2.1 debian ppc)

cf. the configure option:

  --with-devrandom=PATH   set the path to /dev/random [/dev/random]

so you could --with-devrandom=/dev/urandom as it just gives out pseudo-random numbers once the entropy runs out rather than block.

Cheers,

Patrick
Re: Weird pop3d hang problem (fd blocked?!)
On Saturday, May 31, 2003, at 01:33 AM, Ken Murchison wrote:

> foobar wrote:
>
> > No, I didn't check if I was out of entropy (random).
>
> This is most likely your problem, since the pop3d banner includes a random challenge for APOP.

that sounds very much like what has started happening to me this afternoon. I'm sorry I don't know how to reset my entropy :-) can someone post the fix? (cyrus 2.1 debian ppc)

..S.
Weird pop3d hang problem (fd blocked?!)
Hi,

Today our mailserver jammed all its pop3d processes and trace said read(10, and it was blocking there. imap processes were served fine and db files were ok (DB4). Then I restarted all processes and checked db files and tried to debug. Then I was desperate and I restarted the whole system and after init everything was fine again (pop3 was served without that jam.)

[EMAIL PROTECTED] titus ~% telnet 0 110
Trying 0.0.0.0...
Connected to 0.
* Hanging here (waiting for banner) *
Escape character is '^]'.
^]
telnet> quit
Connection closed.
^ No banner even.

Imap(s) (working fine, banner prints):
Escape character is '^]'.
* OK foo Cyrus IMAP4 v2.1.11 server ready

Authentication and all operations worked fine on imap's side. I just wonder what caused this kind of block in pop3 processes or what _could_ cause this kind of problem..

Kernel: 2.4.18-14 / GNU Linux
I am using PAM (via saslauthd) for pop and imap.
No, I didn't check if I was out of entropy (random).
Log (syslog) said nothing about what caused this problem and didn't even give any hint.

Best regards,
++Titus
Re: Weird pop3d hang problem (fd blocked?!)
foobar wrote:

> Hi,
>
> Today our mailserver jammed all its pop3d processes and trace said read(10, and it was blocking there. imap processes were served fine and db files were ok (DB4). Then I restarted all processes and checked db files and tried to debug. Then I was desperate and I restarted the whole system and after init everything was fine again (pop3 was served without that jam.)
>
> [EMAIL PROTECTED] titus ~% telnet 0 110
> Trying 0.0.0.0...
> Connected to 0.
> * Hanging here (waiting for banner) *
> Escape character is '^]'.
> ^]
> telnet> quit
> Connection closed.
> ^ No banner even.
>
> Imap(s) (working fine, banner prints):
> Escape character is '^]'.
> * OK foo Cyrus IMAP4 v2.1.11 server ready
>
> Authentication and all operations worked fine on imap's side. I just wonder what caused this kind of block in pop3 processes or what _could_ cause this kind of problem..
>
> Kernel: 2.4.18-14 / GNU Linux
> I am using PAM (via saslauthd) for pop and imap.
> No, I didn't check if I was out of entropy (random).

This is most likely your problem, since the pop3d banner includes a random challenge for APOP.

-- 
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp
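The mechanism behind the hang described in this thread, and the trade-off John Tamplin raises, as an added example (this is not Cyrus or Cyrus SASL code): a daemon that needs a per-session challenge such as the APOP one opens /dev/random with O_NONBLOCK, so an exhausted entropy estimate produces EAGAIN instead of a blocked read(), and falls back to /dev/urandom. The device paths, the hostname and the challenge layout (RFC 1939's `<...@host>` timestamp form with random hex in place of the process ID) are assumptions for the illustration. For long-lived private keys the fallback is the wrong choice; there the blocking /dev/random semantics are what you want.

```c
/* Added example, not Cyrus/SASL code. Demonstrates reading randomness for a
 * session challenge without letting the daemon block on /dev/random.
 *
 * /dev/random opened O_NONBLOCK returns -1/EAGAIN when the kernel's entropy
 * estimate is exhausted (the pop3d "read(10, ..." hang from this thread);
 * we then fall back to /dev/urandom, which never blocks. Acceptable for a
 * challenge that only has to be unpredictable for one session; not
 * acceptable for generating RSA keys on a shared machine.
 */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

enum rnd_source { RND_NONE = 0, RND_RANDOM = 1, RND_URANDOM = 2 };

/* Fill buf[0..n) from dev. Returns 1 on success, 0 if the device reported
 * EAGAIN (pool empty, O_NONBLOCK case), -1 on open/read error. */
static int read_exact(const char *dev, int flags, unsigned char *buf, size_t n)
{
    int fd = open(dev, O_RDONLY | flags);
    if (fd < 0)
        return -1;
    size_t got = 0;
    while (got < n) {
        ssize_t r = read(fd, buf + got, n - got);
        if (r > 0) { got += (size_t)r; continue; }
        if (r < 0 && errno == EINTR) continue;
        close(fd);
        return (r < 0 && errno == EAGAIN) ? 0 : -1;
    }
    close(fd);
    return 1;
}

/* Returns the device that supplied the bytes (RND_RANDOM or RND_URANDOM),
 * or RND_NONE if neither device could be read. Never blocks. */
int get_challenge_bytes(unsigned char *buf, size_t n)
{
    if (read_exact("/dev/random", O_NONBLOCK, buf, n) == 1)
        return RND_RANDOM;
    /* Entropy estimate exhausted (or no /dev/random): refill the whole
     * buffer from the PRNG device rather than hanging the connection. */
    if (read_exact("/dev/urandom", 0, buf, n) == 1)
        return RND_URANDOM;
    return RND_NONE;
}

/* Format an RFC 1939 style APOP challenge "<hex.clock@host>" into out.
 * Returns the length written, or -1 if out is too small or no randomness
 * was available. (Assumed layout: 16 random bytes as hex where RFC 1939's
 * example uses the process ID.) */
int format_apop_challenge(char *out, size_t outlen, const char *host)
{
    unsigned char rnd[16];
    if (get_challenge_bytes(rnd, sizeof rnd) == RND_NONE)
        return -1;
    char hex[sizeof rnd * 2 + 1];
    for (size_t i = 0; i < sizeof rnd; i++)
        snprintf(hex + 2 * i, 3, "%02x", rnd[i]);
    int len = snprintf(out, outlen, "<%s.%ld@%s>", hex, (long)time(NULL), host);
    if (len < 0 || (size_t)len >= outlen)
        return -1;
    return len;
}

int main(void)
{
    char chal[128];
    int len = format_apop_challenge(chal, sizeof chal, "mail.example.com");
    if (len < 0) {
        fprintf(stderr, "no randomness available\n");
        return 1;
    }
    /* What a non-hanging pop3d banner would look like. */
    printf("+OK POP3 server ready %s\n", chal);
    return 0;
}
```

On a 2003-era Linux kernel the first read is what pop3d was doing, minus O_NONBLOCK; with the flag set, an empty pool turns into an immediate fallback instead of a connection with no banner. Configuring Cyrus with --with-devrandom=/dev/urandom (or SASL with -DDEV_RANDOM=/dev/urandom) gets the same effect for the daemon alone, without touching the system-wide /dev/random that key-generation tools rely on.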