FS#43211 - [rng-tools] default rngd configuration insecure
Attached to Project:
Community Packages
Opened by Timothée Ravier (Siosm) - Tuesday, 23 December 2014, 22:26 GMT
Last edited by Doug Newgard (Scimmia) - Wednesday, 24 December 2014, 00:10 GMT
Opened by Timothée Ravier (Siosm) - Tuesday, 23 December 2014, 22:26 GMT
Last edited by Doug Newgard (Scimmia) - Wednesday, 24 December 2014, 00:10 GMT
|
Details
The default options defined in the /etc/conf.d/rngd file
(RNGD_OPTS="-o /dev/random -r /dev/urandom") are insecure
and NOT RECOMMENDED options for running the rngd daemon.
See https://lwn.net/Articles/525459/ for the full explanation: "You really, really want to run rngd", Peter said. It should be started as early as possible during system boot-up, so that the applications have early access to the randomness that it provides. One thing you should not do is the following: rngd -r /dev/urandom Peter noted that he had seen this command in several places on the web. Its effect is to connect the output of the kernel's RNG back into itself, fooling the kernel into believing it has an endless supply of entropy. Additional info: package version: rng-tools 5-1 Please remove those default options and let the daemon startup fail when no hardware generator is found. This is the default behavior on CentOS / Fedora. |
This task depends upon
Closed by Doug Newgard (Scimmia)
Wednesday, 24 December 2014, 00:10 GMT
Reason for closing: Duplicate
Additional comments about closing: FS#34580
Wednesday, 24 December 2014, 00:10 GMT
Reason for closing: Duplicate
Additional comments about closing: