Re: fix for no ssh
On 2019-07-08, Andrei POPESCU <andreimpopescu@gmail.com> wrote:
>
>> Wow. Another reason to love systemd :-(
>
> Not clear to me why you are blaming systemd here.
>
Because systemd is to blame (at least in the opinion of some people in the
know, like Stefan Fritsch, for instance):
https://qa.debian.org/developer.php?login=sf@debian.org
https://lists.debian.org/debian-devel/2018/12/msg00184.html
...
The systemd maintainers argue that individual services should handle this
problem [1,2]. But this does not scale and the whole point of the getrandom()
syscall is that it cannot fail and that its users do not need fallback code
that is not well-tested and probably buggy. [5]
> In my understanding what sysv-init does (crediting entropy over reboots)
> is not secure for various reasons.
...
The problem is that systemd (and probably /etc/init.d/urandom, too) does not set
the flag that allows the kernel to credit the randomness and so the kernel does
not know about the entropy contained in that file. Systemd upstream argues that
this is supposed to protect against the same OS image being used many times
[3]. (More links to more discussion can be found at [4]).
But an identical OS image needs to be modified anyway in order to be secure
(re-create ssh host keys, change root password, re-create ssl-cert's private
keys, etc.). Injecting some entropy in some way is just another task that
needs to be done for that use case. So basically the current implementation
of systemd-random-seed.service breaks stuff for everyone while not fixing the
thing they are claiming to fix.
>> Another reason to perform fresh installs rather than upgrades whenever
>> possible.
>
> How is that supposed to help?
>
> Kind regards,
> Andrei
--
"These findings demonstrate that under appropriate conditions the isolated,
intact large mammalian brain possesses an underappreciated capacity for
restoration of microcirculation and molecular and cellular activity after a
prolonged post-mortem interval." From a recent article in *Nature*. Holy shit.
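An added example (not from the thread, and not systemd's code) of the crediting step the message argues about: loading a saved seed through the RNDADDENTROPY ioctl so the kernel counts its entropy, plus a non-blocking probe of whether getrandom() would still block. It assumes Linux, CAP_SYS_ADMIN for the ioctl, and a seed file path given as argv[1].

```c
/* Added example (not from the thread). Linux only: RNDADDENTROPY needs
 * CAP_SYS_ADMIN; argv[1] is the seed file path (our assumption, not from the thread). */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/random.h>
/* Build what RNDADDENTROPY expects: credit one bit per seed bit. The 512-byte
 * cap and whole-word length are our own checks; the kernel clamps credit anyway. */
struct rand_pool_info *make_pool_info(const unsigned char *seed, size_t len)
{
    struct rand_pool_info *info;
    if (len == 0 || len > 512 || len % 4 != 0) return NULL;
    if ((info = malloc(sizeof *info + len)) == NULL) return NULL;
    info->entropy_count = (int)(len * 8); /* credit, in bits */
    info->buf_size = (int)len;            /* payload, in bytes */
    memcpy(info->buf, seed, len);
    return info;
}
/* Mix the seed into the pool and credit it: 0 on success, -1 with errno set.
 * A plain write() to /dev/urandom mixes the bytes in but credits nothing. */
int credit_seed(int random_fd, const unsigned char *seed, size_t len)
{
    struct rand_pool_info *info = make_pool_info(seed, len);
    int rc = info ? ioctl(random_fd, RNDADDENTROPY, info) : (errno = EINVAL, -1);
    free(info);
    return rc < 0 ? -1 : 0;
}
/* 1 if getrandom() would return now, 0 if it would still block (the boot hang
 * the thread is about), -1 on any other error. */
int pool_is_initialised(void)
{
    unsigned char b;
    long n = syscall(SYS_getrandom, &b, 1, GRND_NONBLOCK);
    return n == 1 ? 1 : (n < 0 && errno == EAGAIN) ? 0 : -1;
}
int main(int argc, char **argv)
{
    unsigned char seed[512];
    int sf = argc == 2 ? open(argv[1], O_RDONLY) : -1, rf = open("/dev/random", O_WRONLY);
    ssize_t n = sf < 0 ? -1 : read(sf, seed, sizeof seed);
    if (n <= 0 || rf < 0) return 1;
    if (credit_seed(rf, seed, (size_t)n & ~(size_t)3) < 0) perror("RNDADDENTROPY");
    printf("pool initialised: %d\n", pool_is_initialised());
    return 0;
}
```

Run as root with the seed file as the only argument; without CAP_SYS_ADMIN the ioctl fails with EPERM, which is the kernel refusing to let an unprivileged writer inflate the entropy estimate.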