search

davido / gerrit-oauth-provider

OAuth2 authentication provider for Gerrit Code Review. Please upload changes for review to: https://gerrit-review.googlesource.com/#/admin/projects/plugins/oauth
Apache License 2.0
140 stars 84 forks source link

OAuth provider should allow use of /dev/urandom #94

Open mwebber opened 7 years ago

mwebber commented 7 years ago

This issue is a follow-up to issue #40, and specifically motivated by this comment.

Background: see the article https://www.2uo.de/myths-about-urandom/

Rather than using the blocking /dev/random, Gerrit OAuth should use of non-blocking /dev/urandom, which avoids the risk of Gerrit hanging when a user signs in. This could be controlled by a system setting oauth.useUrandom (defaulting to false).

The only reason to use the old /dev/random is if your Gerrit installation is on a virtual machine and you do not properly seed the random generator (as explained at the end of the article referred to above).

davido commented 7 years ago

Thanks for the suggestion. You mean that we should introduce new configuration option in this plugin oauth.useUrandom?

mwebber commented 7 years ago

You mean that we should introduce new configuration option in this plugin oauth.useUrandom?

That was my first idea. But maybe other parts of Gerrit also use /dev/random, in which case it should be in a different config section (not oauth), maybe core.useUrandom or os.useUrandom.

(I haven't looked across the Gerrit code base to see where /dev/random is used)

kunickiaj commented 6 years ago

A workaround also could be to run haveged when running on VMs that are often low on entropy.