Posted Dec 13, 2007 19:01 UTC (Thu) by adamgundy (subscriber, #5418)
Parent article: On entropy and randomness
We've hit this problem at the company I work for with cyrus-popd, depleting the entropy pool and hanging due to a bunch of SSL connections.
The 'nasty' solution was to install the 'rngd' daemon pointed at /dev/urandom as its data source. This essentially loops data back from urandom into the 'real' random pool when its entropy level gets low. The quality of the random numbers is obviously reduced, but it seems to work well.
I suspect many SSL-using servers out there hit this issue more frequently than they realize. Once we'd spotted it on one server we realized others (openvpn, https, etc.) were also occasionally blocked on /dev/random for no good reason...
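A small diagnostic for the blocking-on-/dev/random symptom described above, added here as an example and not code from the thread or from rng-tools. It assumes a Linux /proc; read_wakeup_threshold is absent on kernels where /dev/random no longer blocks, so it is treated as optional.

```python
"""Report the kernel's entropy estimate and whether a read from
/dev/random would stall right now, without hanging the caller."""
import os

# Linux sysctl files; the threshold one does not exist on newer kernels.
ENTROPY_AVAIL = "/proc/sys/kernel/random/entropy_avail"
READ_WAKEUP = "/proc/sys/kernel/random/read_wakeup_threshold"


def parse_sysctl_int(text):
    """Parse the single integer a sysctl file contains."""
    return int(text.strip())


def read_sysctl_int(path):
    """Return the integer in `path`, or None if it is missing/unreadable."""
    try:
        with open(path) as f:
            return parse_sysctl_int(f.read())
    except (OSError, ValueError):
        return None


def random_would_block(dev="/dev/random", nbytes=16):
    """True if a normal read of `nbytes` from `dev` would block now.

    O_NONBLOCK turns the stall into EAGAIN (BlockingIOError), which is
    what a monitoring check wants instead of the daemon hang above.
    """
    fd = os.open(dev, os.O_RDONLY | os.O_NONBLOCK)
    try:
        os.read(fd, nbytes)
        return False
    except BlockingIOError:
        return True
    finally:
        os.close(fd)


def starvation_report(entropy, threshold, would_block):
    """Classify the pool state from the measurements (None = unknown)."""
    if would_block:
        return "starved: /dev/random readers are blocking"
    if entropy is not None and threshold is not None and entropy < threshold:
        return "low: entropy_avail is below read_wakeup_threshold"
    return "ok"


if __name__ == "__main__":
    e, t = read_sysctl_int(ENTROPY_AVAIL), read_sysctl_int(READ_WAKEUP)
    print("entropy_avail=%s read_wakeup_threshold=%s" % (e, t))
    print(starvation_report(e, t, random_would_block()))
```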
Posted Dec 14, 2007 2:06 UTC (Fri) by cpeterso (guest, #305)
Servers can easily be starved for entropy since they don't get many keyboard, mouse, or disk
interrupts. I think there are some kernel patches or optional build configs to feed network
I/O into the entropy pool, but I think this is off by default because of tinfoil hats.
On entropy and randomness
Posted Dec 14, 2007 15:24 UTC (Fri) by adamgundy (subscriber, #5418)
Yeah, we've seen those. The problem is that we intentionally try to stick with the distrib kernel so we don't end up recompiling kernels every time there's a new security patch...
The alternatives are to compile our own cyrus with the magic flag telling it to use /dev/urandom (same problem as above, plus we'd have to recompile apache, openvpn, ...), or hack on udev to make it create a /dev/random which is actually /dev/urandom... couldn't convince udev to do that reliably though.
rngd seems to do the trick as a userspace workaround. Its main purpose is supposed to be pulling entropy from hardware addons, but it seems to be pretty common to use it the way we do too.
On entropy and randomness
Posted Dec 14, 2007 20:18 UTC (Fri) by nix (subscriber, #2304)
KERNEL=="urandom", NAME="random"
(or SYMLINK, if you prefer)
should do the trick, I'd expect.
On entropy and randomness
Posted Dec 14, 2007 21:34 UTC (Fri) by adamgundy (subscriber, #5418)
Pretty sure we tried something like that; sometimes it would work, sometimes not (timing?).
I forget exactly the issue with udev, we just couldn't convince it to do what we wanted and rngd worked out of the box.
On entropy and randomness
Posted Dec 14, 2007 15:56 UTC (Fri) by TRS-80 (subscriber, #1804)
Recent server chipsets include hardware entropy sources, which rng-tools will feed into /dev/random.