Mailinglist Archive: opensuse-factory (505 mails)

Re: [opensuse-factory] haveged - now enabled by default?
On 07/26/2011 02:34 PM, Marcus Meissner wrote:
Hi,

The reasoning to not have it enabled was the minimal set of services
running to reduce security attack surface and to enhance startup time.


We reviewed haveged for SLE 11, from an integrity security side it is ok.

We reviewed the randomness it generates briefly (!) and found no issues.

However ... the sheer amount of randomness it claims to generate
feels a bit too good to be true to me.

Its insanity rating is similar to using /dev/urandom, referring to a previous
comment.

That said, we are fine with enabling it if people consider it necessary.

Ciao, Marcus


On Sun, Jul 24, 2011 at 03:34:23PM -0400, Jeff Mahoney wrote:
Haveged has actually become higher priority with 12.1. I was advocating
enabling it by default so I'm surprised to see that development has gone the
opposite way.

In releases prior to 12.1, drivers for popular network devices contributed
to the entropy pool. Those patches weren't getting much traction upstream so
we dropped them in the 12.1 kernel. The entropy pool will not be replenished
as quickly on 12.1 naturally so haveged being enabled by default would be a
good idea.

-Jeff

--
Jeff Mahoney
(apologies for the top post -- from my mobile)

On Jul 24, 2011, at 11:02 AM, Lars Müller <lmuelle@xxxxxxx> wrote:

On Sun, Jul 24, 2011 at 03:19:47PM +0100, Olipro wrote:

I see someone else made a post back in May about this and I was wondering
if anything came of it since; this daemon is sadly disabled by default in
11.4, which results in /dev/random having very little available entropy at
all, and thus anything that uses /dev/random for key generation will tend to
stall for inordinate amounts of time, especially on systems that are only
running from the commandline. For example, I have occasionally seen DNSSEC
tutorials for openSUSE which use /dev/urandom - something that I think is
just insane, but most likely a result of nothing being available to fill the
entropy pool.

See https://bugzilla.novell.com/show_bug.cgi?id=675841 which was
referenced by the haveged package change log.

- avoid unnecessary services. bnc#675841
also the start should be mediated by YaST or kiwi depending
on presence of a virtualization environment, not by the package
itself.

Would it enhance the result if the installer suggests to enable haveged
if we decide to operate in runlevel 3?

The amount of black magic in changing defaults in the background without
notifying the user must be kept as minimal as possible.

Please drive this via bugzilla to make references in the package change
log to the bug IDs possible. In bugzilla you're able to place a pointer
to the archive of this mailing list thread
http://lists.opensuse.org/opensuse-factory/2011-07/msg00378.html

Lars
--
Lars Müller [ˈlaː(r)z ˈmʏlɐ]
Samba Team
SUSE Linux, Maxfeldstraße 5, 90409 Nürnberg, Germany
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-factory+help@xxxxxxxxxxxx



Marcus, I'm using haveged, for example on a multi-purpose webserver (dns,
hosting etc.).
Here is the munin report about the entropy with haveged on
(until May it was an 11.2 openSUSE):

Last month
http://dl.dropbox.com/u/13333867/openSUSE/haveged-entropy-month.png

Last year
http://dl.dropbox.com/u/13333867/openSUSE/havged-entropy-year.png

I can push several other hosts, with the same kind of data.
Just ask.


--

Bruno Friedmann
Ioda-Net Sàrl www.ioda-net.ch

openSUSE Member & Ambassador
GPG KEY : D5C9B751C4653227
irc: tigerfoot
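As an added example, not code from any message in this thread: a small POSIX sh check for the kernel entropy pool in the spirit of the munin graphs Bruno mentions, and of the stalls on /dev/random that Olipro describes. It reads /proc/sys/kernel/random/entropy_avail and poolsize (assumed to be present, as on Linux), classifies the pool level against an assumed low watermark of 1000 bits, reports whether a haveged process is running, and emits the `entropy.value N` line a munin plugin would print. One caveat for readers on current systems: since Linux 5.6, /dev/random only blocks until the CRNG is initialized at boot, so the long stalls described in the thread are a property of 2011-era kernels; the pool estimate is still a useful monitoring signal.

```shell
#!/bin/sh
# Added example, not from the thread. Paths and the threshold are assumptions.

ENTROPY_FILE=/proc/sys/kernel/random/entropy_avail   # current pool estimate, in bits
POOLSIZE_FILE=/proc/sys/kernel/random/poolsize       # pool capacity, in bits
LOW_WATERMARK=${LOW_WATERMARK:-1000}                 # assumed threshold for "low"

# read_sysctl FILE: print the integer in FILE, or "unknown" when the file
# is absent or unreadable (non-Linux host, restricted container).
read_sysctl() {
    if [ -r "$1" ]; then
        tr -d '[:space:]' < "$1"
    else
        echo unknown
    fi
}

# classify_entropy BITS [THRESHOLD]: print "low" when BITS is below the
# threshold, "ok" otherwise, and "unknown" when BITS is not a number.
classify_entropy() {
    bits=$1
    threshold=${2:-$LOW_WATERMARK}
    case $bits in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac
    if [ "$bits" -lt "$threshold" ]; then
        echo low
    else
        echo ok
    fi
}

# haveged_running: print "yes" if a process named haveged exists, else "no".
haveged_running() {
    if pgrep -x haveged >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

# munin_value BITS: the value line a munin plugin prints for its graph.
munin_value() {
    echo "entropy.value $1"
}

# report: one-line summary suitable for a cron job or a monitoring check.
report() {
    avail=$(read_sysctl "$ENTROPY_FILE")
    size=$(read_sysctl "$POOLSIZE_FILE")
    status=$(classify_entropy "$avail")
    echo "entropy_avail=$avail poolsize=$size status=$status haveged=$(haveged_running)"
}

report
```

Run it from cron and alert on `status=low`; a host that sits at "low" for long stretches while key-generating services (DNSSEC signing, TLS setup) run is exactly the situation the thread describes, and the haveged field tells you at a glance whether the daemon is actually up.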
