Closed piecam closed 9 years ago
I have no idea.
Here is what RNG is being used in the box, and by which program. It looks like all MIAB-related programs are using /dev/urandom. In the future, /dev/random might be a consideration if we can guarantee a more stable entropy pool.
Just some thoughts to share. Hope that helps overall security. Thanks.

root@mx:/boot# lsof /dev/urandom
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
mailinabo 7140 root 3r CHR 1,9 0t0 1055 /dev/urandom
mailinabo 7140 root 21r CHR 1,9 0t0 1055 /dev/urandom
mailinabo 7153 root 3r CHR 1,9 0t0 1055 /dev/urandom
mailinabo 7153 root 5r CHR 1,9 0t0 1055 /dev/urandom
mailinabo 7154 root 3r CHR 1,9 0t0 1055 /dev/urandom
mailinabo 7155 root 3r CHR 1,9 0t0 1055 /dev/urandom
mailinabo 7156 root 3r CHR 1,9 0t0 1055 /dev/urandom
mailinabo 7156 root 5r CHR 1,9 0t0 1055 /dev/urandom
mailinabo 7157 root 3r CHR 1,9 0t0 1055 /dev/urandom
mailinabo 7157 root 5r CHR 1,9 0t0 1055 /dev/urandom
mailinabo 7158 root 3r CHR 1,9 0t0 1055 /dev/urandom
mailinabo 7158 root 5r CHR 1,9 0t0 1055 /dev/urandom
mailinabo 7159 root 3r CHR 1,9 0t0 1055 /dev/urandom
mailinabo 7160 root 3r CHR 1,9 0t0 1055 /dev/urandom
mailinabo 7161 root 3r CHR 1,9 0t0 1055 /dev/urandom
mailinabo 7162 root 3r CHR 1,9 0t0 1055 /dev/urandom
tlsmgr 11893 postfix 8r CHR 1,9 0t0 1055 /dev/urandom
auth 15041 dovecot 4r CHR 1,9 0t0 1055 /dev/urandom
root@mx:/boot# lsof /dev/random
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
haveged 1400 root 4u CHR 1,8 0t0 1054 /dev/random
named 3084 bind 9r CHR 1,8 0t0 1054 /dev/random
We are supposed to be using /dev/random
everywhere, so the uses of /dev/urandom
are bugs/limitations.
Hi Josh,
I don't want to confuse you; there are a lot of documents about this "entropy, /dev/random, /dev/urandom, /dev/arandom (OpenBSD)". I myself am a bit confused and still learning.
It seems that high-quality, fast entropy is ideal for all we do. Only OpenBSD's /dev/arandom can do it, at the software level.
On Linux, /dev/random is high quality but slow, while /dev/urandom is low quality but fast. That's one reason /random is mostly used when generating keys. /urandom is used for TLS/SSL session keys, to avoid the system hanging due to a low-entropy situation in /random while it's depleted and not yet replenished.
Hope we can all understand it better. Thanks.
https://en.wikipedia.org/wiki//dev/random
https://www.calomel.org/entropy_random_number_generators.html
So.... Is there anything to be changed in MiaB? It sounds like we're in OK shape since /dev/random is what it is.
Hi Josh,
I am not sure whether it's you with your package or myself, but the box has "haveged" installed and it seems the entropy level is good.
Thanks, Peng

eng@MX:~$ sudo apt-get install haveged
[sudo] password for peng:
Reading package lists... Done
Building dependency tree
Reading state information... Done
haveged is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 4 not upgraded.

python -c "$(echo -e "import time\nwhile True:\n time.sleep(1)\n print open('/proc/sys/kernel/random/entropy_avail', 'rb').read(),")"
1604
1608
1608
1609
1609
1609
On 2015-10-10 12:43, Joshua Tauberer wrote:
So.... Is there anything to be changed in MiaB? It sounds like we're in OK shape since /dev/random is what it is.
MIAB installs haveged at https://github.com/mail-in-a-box/mailinabox/blob/v0.13b/setup/system.sh#L57 and has for as long as I remember.
gitk helped me to determine that it was added in 69f0e1d07a50f030b2120c0318cb6887dffbd0cd and that was merged in 621fcc2233e7380887de03fc2a5c8e1860e7e84b.
Okey doke. Interesting conversation but nothing actionable, so closing. :)
Hi Josh,
I just checked out my box with MIAB installed, and it has haveged running. The entropy is constantly pretty high, about 3000 or above. Here's a snapshot.

$ cat /proc/sys/kernel/random/entropy_avail
3162
$ service --status-all
[ + ] acpid
[ - ] apparmor
[ ? ] apport
[ + ] atd
[ + ] bind9
[ ? ] console-setup
[ + ] cron
[ ? ] cryptdisks
[ ? ] cryptdisks-early
[ - ] dbus
[ ? ] dns-clean
[ ? ] ejabberd
[ - ] fail2ban
[ + ] friendly-recovery
[ - ] grub-common
[ + ] haveged
[ ? ] irqbalance
[ ? ] killprocs
[ ? ] kmod
[ ? ] mailinabox
[ + ] memcached
[ ? ] networking
[ + ] nginx
[ - ] nsd
[ + ] ntp
[ ? ] ondemand
[ + ] opendkim
[ + ] opendmarc
[ - ] php5-fpm
[ - ] postfix
[ - ] postgrey
[ ? ] pppd-dns
[ - ] procps
[ ? ] prosody
[ ? ] rc.local
[ + ] resolvconf
[ ? ] rng-tools
[ - ] rsync
[ + ] rsyslog
[ ? ] screen-cleanup
[ ? ] sendsigs
[ - ] spamassassin
[ - ] spampd
[ - ] ssh
[ - ] sudo
[ - ] udev
[ ? ] umountfs
[ ? ] umountnfs.sh
[ ? ] umountroot
[ - ] unattended-upgrades
[ - ] urandom

Meanwhile, on the other identical box (both are physical boxes), I also have haveged running. The entropy is always about 1200-1300.

cat /proc/sys/kernel/random/entropy_avail
1200
root@UP:~# service --status-all
[ + ] acpid
[ + ] atd
[ - ] bootlogs
[ - ] bootmisc.sh
[ - ] checkfs.sh
[ - ] checkroot-bootclean.sh
[ - ] checkroot.sh
[ + ] console-setup
[ + ] cron
[ - ] cryptdisks
[ - ] cryptdisks-early
[ + ] dbus
[ + ] exim4
[ + ] haveged
[ - ] hostname.sh
[ - ] hwclock.sh
[ + ] kbd
[ + ] keyboard-setup
[ - ] killprocs
[ + ] kmod
[ - ] lvm2
[ - ] motd
[ - ] mountall-bootclean.sh
[ - ] mountall.sh
[ - ] mountdevsubfs.sh
[ - ] mountkernfs.sh
[ - ] mountnfs-bootclean.sh
[ - ] mountnfs.sh
[ + ] mysql
[ + ] networking
[ + ] nfs-common
[ + ] nginx
[ + ] php5-fpm
[ + ] procps
[ + ] rc.local
[ - ] rmnologin
[ + ] rpcbind
[ + ] rsyslog
[ - ] sendsigs
[ + ] ssh
[ + ] udev
[ + ] udev-finish
[ - ] umountfs
[ - ] umountnfs.sh
[ - ] umountroot
[ + ] urandom
[ + ] varnish
[ - ] varnishlog
[ - ] varnishncsa
I was just wondering whether you have done something special or used some program to have the entropy level constantly at high level, which is a good thing.
Oh, just realized that the one with low entropy is Debian 8 and the one with yours and high entropy is Ubuntu 14.04. Does it make any difference?
Thanks
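The two checks discussed in this thread, as an added example that is neither Mail-in-a-Box code nor any poster's: the first post's `lsof /dev/urandom` / `lsof /dev/random` inventory and the later `entropy_avail` monitoring. The script parses lsof output in the column layout shown above into a per-device list of processes, and samples /proc/sys/kernel/random/entropy_avail alongside /proc/sys/kernel/random/poolsize so the counter can be read as a fraction of the pool rather than a bare number. The lsof lines below are a constructed sample modelled on the first post (PIDs made up); the /proc paths are the standard Linux sysctl files. One caveat for anyone reading this thread today: on kernels since 5.6, /dev/random no longer blocks once the CRNG is seeded, so the slow-versus-fast distinction drawn above only describes older kernels.

```python
"""Inventory RNG device users from lsof output and sample the entropy counter.

Added example; not part of mail-in-a-box or of any post in this thread.
"""
import time
from collections import defaultdict

# Constructed sample in the layout `lsof /dev/...` prints
# (COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME). PIDs are made up.
SAMPLE_LSOF = """\
COMMAND    PID    USER FD  TYPE DEVICE SIZE/OFF NODE NAME
mailinabo 7140    root  3r  CHR    1,9      0t0 1055 /dev/urandom
mailinabo 7140    root 21r  CHR    1,9      0t0 1055 /dev/urandom
tlsmgr   11893 postfix  8r  CHR    1,9      0t0 1055 /dev/urandom
auth     15041 dovecot  4r  CHR    1,9      0t0 1055 /dev/urandom
haveged   1400    root  4u  CHR    1,8      0t0 1054 /dev/random
named     3084    bind  9r  CHR    1,8      0t0 1054 /dev/random
"""

# Standard Linux sysctl files (assumed paths; absent on non-Linux hosts).
ENTROPY_AVAIL = "/proc/sys/kernel/random/entropy_avail"
POOLSIZE = "/proc/sys/kernel/random/poolsize"


def parse_lsof(text):
    """Return (command, pid, user, fd, device_path) tuples from lsof output.

    The header line is skipped. lsof truncates COMMAND to 9 characters
    ("mailinabo"), so the name is reported exactly as printed.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 9 or parts[0] == "COMMAND":
            continue
        command, pid, user, fd = parts[0], int(parts[1]), parts[2], parts[3]
        rows.append((command, pid, user, fd, parts[-1]))
    return rows


def summarise_by_device(rows):
    """Map device path -> sorted distinct 'command(pid)' names.

    A process holding the device on several descriptors (mailinabo 7140
    above) is listed once per device.
    """
    by_device = defaultdict(set)
    for command, pid, _user, _fd, device in rows:
        by_device[device].add(f"{command}({pid})")
    return {dev: sorted(names) for dev, names in by_device.items()}


def blocking_pool_users(rows):
    """Processes holding /dev/random open: the device whose reads could
    stall on a low entropy estimate on kernels before 5.6."""
    return sorted({f"{c}({p})" for c, p, _u, _f, d in rows if d == "/dev/random"})


def read_counter(path):
    """Read one integer from a /proc file, or None when it is unavailable
    (non-Linux host, restricted container)."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def sample_entropy(samples=5, interval=1.0, reader=read_counter):
    """Sample entropy_avail `samples` times, `interval` seconds apart.

    Returns (min, max, poolsize) or None if nothing could be read. `reader`
    is injectable so the sampling logic can be exercised without /proc.
    """
    values = []
    for i in range(samples):
        value = reader(ENTROPY_AVAIL)
        if value is not None:
            values.append(value)
        if i + 1 < samples:
            time.sleep(interval)
    if not values:
        return None
    return (min(values), max(values), reader(POOLSIZE))


if __name__ == "__main__":
    rows = parse_lsof(SAMPLE_LSOF)
    for dev, names in sorted(summarise_by_device(rows).items()):
        print(f"{dev}: {', '.join(names)}")
    print("blocking-pool users:", blocking_pool_users(rows))
    print("entropy (min, max, poolsize):", sample_entropy(samples=3, interval=0.5))
```

To run it against a live box, replace `SAMPLE_LSOF` with the captured output of `lsof /dev/urandom` and `lsof /dev/random`; the same parser handles both because it keys on the NAME column. Comparing `entropy_avail` with `poolsize` is what makes the 1200 versus 3000 readings in the last post comparable across distributions.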