[patch 0/2] two ssh-client module fixes

[patch 0/2] two ssh-client module fixes

[dyoung-H+wXaHxf7aLQT0dZR+AlfA]

1/2: remove cttyhack checking
2/2: add random feeding code
---
 modules.d/95ssh-client/module-setup.sh   |   10 ++--------
 modules.d/95ssh-client/random-seeding.sh |    7 +++++++
 2 files changed, 9 insertions(+), 8 deletions(-)

[patch 1/2] ssh-client: remove ctty related check

[dyoung-H+wXaHxf7aLQT0dZR+AlfA]

[-- Attachment #1: ssh-remove-ctty-dependency.patch --]
[-- Type: text/plain, Size: 935 bytes --]

cttyhack was removed and ctty is supported by default, so no need to
check it in ssh-client module any more.

Signed-off-by: Dave Young <dyoung-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
---
 modules.d/95ssh-client/module-setup.sh |    8 --------
 1 file changed, 8 deletions(-)

--- dracut.orig/modules.d/95ssh-client/module-setup.sh
+++ dracut/modules.d/95ssh-client/module-setup.sh
@@ -15,9 +15,6 @@ check() {
             derror "ssh key: $sshkey is not found!"
             return 1
         }
-        [[ ! $cttyhack = yes ]] && {
-            dinfo "--ctty is not used, you should make sure the machine is a knownhost and copy the sshkey to remote machine!"
-        }
     fi
 
     return 255
@@ -50,11 +47,6 @@ inst_sshenv()
 }
 
 install() {
-    [[ ! $cttyhack = yes && ! $sshkey ]] && {
-        derror "ssh-client needs option --ctty or --sshkey!"
-        return 1
-    }
-
     dracut_install ssh scp
     inst_sshenv
 }

[patch 2/2] ssh-client: add urandom seeding

[dyoung-H+wXaHxf7aLQT0dZR+AlfA]

[-- Attachment #1: feeding-dev-urandom.patch --]
[-- Type: text/plain, Size: 1045 bytes --]

openssh usually depends on /dev/urandom to seeding PRNG (pseudo-random number
generator). To ensure there's sufficient entropy just feed /dev/urandom with
saved /var/lib/random-seed which is saved in installing phase.

Signed-off-by: Dave Young <dyoung-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
---
 modules.d/95ssh-client/module-setup.sh   |    2 ++
 modules.d/95ssh-client/random-seeding.sh |    7 +++++++
 2 files changed, 9 insertions(+)

--- dracut.orig/modules.d/95ssh-client/module-setup.sh
+++ dracut/modules.d/95ssh-client/module-setup.sh
@@ -48,6 +48,8 @@ inst_sshenv()
 
 install() {
     dracut_install ssh scp
+    dracut_install /var/lib/random-seed
+    inst_hook cmdline 01 "$moddir/random-seeding.sh"
     inst_sshenv
 }
 
--- /dev/null
+++ dracut/modules.d/95ssh-client/random-seeding.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=8 sw=4 sts=4 et filetype=sh
+
+if [ -f /var/lib/random-seed ]; then
+    cat /var/lib/random-seed > /dev/urandom 2>/dev/null
+fi

Re: [patch 2/2] ssh-client: add urandom seeding

[Harald Hoyer]

Hmm, wouldn't that mean, that the generator is seeded with the _same_ seed on
every reboot?
How is this different from booting with no seed at all?

Re: [patch 2/2] ssh-client: add urandom seeding

[Dave Young]

On 10/11/2012 04:16 PM, Harald Hoyer wrote:

> Hmm, wouldn't that mean, that the generator is seeded with the _same_ seed on
> every reboot?
> How is this different from booting with no seed at all?


This is intend to resolve the no-sufficient-entropy issue during ssh
connection. But, yes it's same across reboot if the initrd is not
regenerated.

In old kdump code we originally copy bytes from /dev/mem, but that is
not good because /dev/mem is access denied, also it's not so random as well.

> --
> To unsubscribe from this list: send the line "unsubscribe initramfs" in
> the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html



-- 
Thanks
Dave

Re: [patch 2/2] ssh-client: add urandom seeding

[Dave Young]

On 10/11/2012 04:25 PM, Dave Young wrote:

> On 10/11/2012 04:16 PM, Harald Hoyer wrote:
> 
>> Hmm, wouldn't that mean, that the generator is seeded with the _same_ seed on
>> every reboot?
>> How is this different from booting with no seed at all?
> 
> 
> This is intend to resolve the no-sufficient-entropy issue during ssh
> connection. But, yes it's same across reboot if the initrd is not
> regenerated.
> 
> In old kdump code we originally copy bytes from /dev/mem, but that is
> not good because /dev/mem is access denied,


BTW, the access denying problem is only limited to s390 arch


> also it's not so random as well.
> 
>> --
>> To unsubscribe from this list: send the line "unsubscribe initramfs" in
>> the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 
> 
> 



-- 
Thanks
Dave

Re: [patch 2/2] ssh-client: add urandom seeding

[Vivek Goyal]

On Thu, Oct 11, 2012 at 10:16:01AM +0200, Harald Hoyer wrote:
> Hmm, wouldn't that mean, that the generator is seeded with the _same_ seed on
> every reboot?
> How is this different from booting with no seed at all?

Atleast it can help with kdump where we might regenerate the initramfs
upon user config change and capture the new seed.

Also kdump does not happen often on the machine. So I guess for once in 
a while operation it is still better to use random-seed then not using
anything at all.

Thanks
Vivek

Re: [patch 2/2] ssh-client: add urandom seeding

[Dave Young]

On 10/12/2012 03:58 AM, Vivek Goyal wrote:

> On Thu, Oct 11, 2012 at 10:16:01AM +0200, Harald Hoyer wrote:
>> Hmm, wouldn't that mean, that the generator is seeded with the _same_ seed on
>> every reboot?
>> How is this different from booting with no seed at all?
> 
> Atleast it can help with kdump where we might regenerate the initramfs
> upon user config change and capture the new seed.
> 
> Also kdump does not happen often on the machine. So I guess for once in 
> a while operation it is still better to use random-seed then not using
> anything at all.


For normal boot case, I think something like
systemd-random-seed-load.service is fine because rootfs is always
mounted in initramfs. But I'm not sure how to handle the mount issue if
/var/lib if mounted to another partition.

Or simply add below to pre-pivot hook:

if [ -f /proc/vmcore ]; then
    cat /var/lib/random-seed > /dev/urandom
else
    if [ -f /sysroot/var/lib/random-seed ]; then
        cat /sysroot/var/lib/random-seed > /dev/urandom
    fi
fi

Harald, what do you think?

> 
> Thanks
> Vivek



-- 
Thanks
Dave

Re: [patch 2/2] ssh-client: add urandom seeding

[Vivek Goyal]

On Fri, Oct 12, 2012 at 12:44:37PM +0800, Dave Young wrote:
> On 10/12/2012 03:58 AM, Vivek Goyal wrote:
> 
> > On Thu, Oct 11, 2012 at 10:16:01AM +0200, Harald Hoyer wrote:
> >> Hmm, wouldn't that mean, that the generator is seeded with the _same_ seed on
> >> every reboot?
> >> How is this different from booting with no seed at all?
> > 
> > Atleast it can help with kdump where we might regenerate the initramfs
> > upon user config change and capture the new seed.
> > 
> > Also kdump does not happen often on the machine. So I guess for once in 
> > a while operation it is still better to use random-seed then not using
> > anything at all.
> 
> 
> For normal boot case, I think something like
> systemd-random-seed-load.service is fine because rootfs is always
> mounted in initramfs. But I'm not sure how to handle the mount issue if
> /var/lib if mounted to another partition.
> 
> Or simply add below to pre-pivot hook:
> 
> if [ -f /proc/vmcore ]; then
>     cat /var/lib/random-seed > /dev/urandom
> else
>     if [ -f /sysroot/var/lib/random-seed ]; then
>         cat /sysroot/var/lib/random-seed > /dev/urandom
>     fi
> fi
> 

Or how about doing it rhel6 way. Let kdump module pack in
/var/lib/random-seed in kdump initramfs and if this file is present,
feed it to /dev/urandom.

Thanks
Vivek

Re: [patch 2/2] ssh-client: add urandom seeding

[Dave Young]

On 10/12/2012 09:35 PM, Vivek Goyal wrote:

> On Fri, Oct 12, 2012 at 12:44:37PM +0800, Dave Young wrote:
>> On 10/12/2012 03:58 AM, Vivek Goyal wrote:
>>
>>> On Thu, Oct 11, 2012 at 10:16:01AM +0200, Harald Hoyer wrote:
>>>> Hmm, wouldn't that mean, that the generator is seeded with the _same_ seed on
>>>> every reboot?
>>>> How is this different from booting with no seed at all?
>>>
>>> Atleast it can help with kdump where we might regenerate the initramfs
>>> upon user config change and capture the new seed.
>>>
>>> Also kdump does not happen often on the machine. So I guess for once in 
>>> a while operation it is still better to use random-seed then not using
>>> anything at all.
>>
>>
>> For normal boot case, I think something like
>> systemd-random-seed-load.service is fine because rootfs is always
>> mounted in initramfs. But I'm not sure how to handle the mount issue if
>> /var/lib if mounted to another partition.
>>
>> Or simply add below to pre-pivot hook:
>>
>> if [ -f /proc/vmcore ]; then
>>     cat /var/lib/random-seed > /dev/urandom
>> else
>>     if [ -f /sysroot/var/lib/random-seed ]; then
>>         cat /sysroot/var/lib/random-seed > /dev/urandom
>>     fi
>> fi
>>
> 
> Or how about doing it rhel6 way. Let kdump module pack in
> /var/lib/random-seed in kdump initramfs and if this file is present,
> feed it to /dev/urandom.


Ok, will add this in kdump module instead.

Harald, please ignore patch 2/2 then.

> 
> Thanks
> Vivek



-- 
Thanks
Dave