HP3000-L Archives

January 2014, Week 4

HP3000-L@RAVEN.UTC.EDU

From: "James B. Byrne" <[log in to unmask]>
Reply To: James B. Byrne
Date: Fri, 24 Jan 2014 09:18:37 -0500
Content-Type: text/plain
>> -----Original Message-----
>> From: HP-3000 Systems Discussion [mailto:[log in to unmask]] On
>> Behalf Of [log in to unmask]
>> Sent: Thursday, January 23, 2014 3:06 PM
>> To: [log in to unmask]
>> Subject: Re: [HP3000-L] sshd going down.
>>
>> Olav,
>>
>> If I had to guess - the problem is most likely to be a shortage of
>> 'entropy'.
>>
>> IIRC MPE/iX and HP-UX are alike in that they don't have a 'kernel
>> entropy/random data source' - as Linux and some other Un*x's do.
>>
>> Under MPE/iX we have 'EGD' (the Entropy Gathering Daemon) to generate the
>> 'random' data that ssh/sshd/sftp/scp needs to work properly.  Making the
>> initial connection requires the most amount - and can easily 'drain' the
>> entropy source.  Lots of connections means lots of random data needed.
>> No random data=no encryption - so 'ssh' based things nearly always
>> 'stop'.  I suspect that the HP-UX port uses EGD as well. (ssh's second
>> biggest use of random data is to pad out transmission blocks that aren't
>> full).
>>
>> Check your entropy source - and make sure it's producing sufficient quantity
>> of 'random' data.
>>

We had this problem on our CentOS boxes.  While Linux calls from urandom
rather than random to avoid the issue of blocking on want of entropy, the
result is that one's crypto links may be rather less secure than one imagines.
A lot less in fact, if what I have read recently is any indication.  And our
servers were regularly running dry on entropy, so to speak.

After casting around for a solution to handle our situation, a bunch of
headless and virtualised servers, I hit upon haveged (
http://www.issihosts.com/haveged/history.html ) which we now run as a startup
daemon on all of our Linux boxes.  The random data it produces passes the
diehard suite and the rngtest suite, so it seems good for crypto purposes.

The program is open source and can be compiled for IA64 boxes with gcc.  I do
not know if a port to MPE/iX PA-RISC is possible, but if it is then it is worth
the effort if your MPE/iX box has to have crypto.

In our case we simply walled the HP3000 off from direct Internet access and
put it on a private LAN (x-cable) to a cheap, multi-homed, Supermicro, x86_64
Linux box that handles all the ssh connections on its other NIC and provides
the firewall for the HP3000.  I suppose that the NSA has something to read the
electrical pulses along that 3 metre shielded cable from across the road, but
there is a limit to even my paranoia.


-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:[log in to unmask]
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
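Both messages above come down to one practical check: does the entropy source actually produce random-looking data in sufficient quantity? The quoted reply says "check your entropy source", and the post above judges haveged by whether its output passes rngtest. The following is an added example, not code from either poster, from haveged or from rng-tools: it implements the FIPS 140-2 block tests that rngtest applies to each 20,000-bit block (monobit, poker, runs, long run, continuous), using the FIPS 140-2 change-notice-1 thresholds. The function names (`fips140_2`, `sample_blocks`, and so on) are my own, and the three sample blocks are constructed in the script, so it runs offline without touching a real device.

```python
# Added example: FIPS 140-2 statistical tests over one 20,000-bit block,
# the same battery rngtest (rng-tools) runs on a candidate entropy source.
# Thresholds are the FIPS 140-2 (change notice 1) values. The sample
# inputs at the bottom are constructed; nothing here reads a real device.
import random

BLOCK_BITS = 20000
BLOCK_BYTES = BLOCK_BITS // 8          # 2500 bytes per test block

# Acceptable counts of runs of each length, for runs of 0s and of 1s alike.
# Length 6 stands for "6 or longer".
RUN_BOUNDS = {1: (2315, 2685), 2: (1114, 1386), 3: (527, 723),
              4: (240, 384), 5: (103, 209), 6: (103, 209)}


def _bits(block):
    """Yield the bits of `block`, most significant bit of each byte first."""
    for byte in block:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def monobit(block):
    """Pass if the number of 1 bits lies in the open interval (9725, 10275)."""
    ones = sum(_bits(block))
    return 9725 < ones < 10275


def poker(block):
    """Chi-square style test over the 5000 nibbles; pass if 2.16 < X < 46.17."""
    counts = [0] * 16
    for byte in block:
        counts[byte >> 4] += 1
        counts[byte & 0x0F] += 1
    x = (16 / 5000) * sum(c * c for c in counts) - 5000
    return 2.16 < x < 46.17


def _run_lengths(block):
    """Return (runs_of_0, runs_of_1, longest_run); the dicts map length -> count."""
    zeros = {k: 0 for k in RUN_BOUNDS}
    ones = {k: 0 for k in RUN_BOUNDS}
    longest = 0
    prev, length = None, 0
    for bit in _bits(block):
        if bit == prev:
            length += 1
            continue
        if prev is not None:                       # close the run that just ended
            (ones if prev else zeros)[min(length, 6)] += 1
            longest = max(longest, length)
        prev, length = bit, 1
    (ones if prev else zeros)[min(length, 6)] += 1   # close the final run
    longest = max(longest, length)
    return zeros, ones, longest


def runs(block):
    """Pass if every run-length count, for 0s and for 1s, lies within RUN_BOUNDS."""
    zeros, ones, _ = _run_lengths(block)
    return all(lo <= table[k] <= hi
               for table in (zeros, ones)
               for k, (lo, hi) in RUN_BOUNDS.items())


def long_run(block):
    """Pass if no run of identical bits is 26 bits or longer."""
    return _run_lengths(block)[2] < 26


def continuous(block, previous):
    """Pass if the first 32 bits differ from the previous block's first 32 bits."""
    return previous is None or block[:4] != previous[:4]


def fips140_2(block, previous=None):
    """Run the whole battery on one 2500-byte block; return {test_name: passed}."""
    if len(block) != BLOCK_BYTES:
        raise ValueError(f"block must be exactly {BLOCK_BYTES} bytes")
    return {"monobit": monobit(block), "poker": poker(block),
            "runs": runs(block), "long_run": long_run(block),
            "continuous": continuous(block, previous)}


def sample_blocks():
    """Constructed inputs: a seeded PRNG stream that should pass, and two
    pathological 'sources' that must fail (a stuck-low device and a clock)."""
    rng = random.Random(20140124)                       # fixed seed: repeatable
    good = bytes(rng.getrandbits(8) for _ in range(BLOCK_BYTES))
    stuck_low = bytes(BLOCK_BYTES)                      # all zero bits
    alternating = bytes([0x55]) * BLOCK_BYTES           # 0101...: balanced, but not random
    return good, stuck_low, alternating


if __name__ == "__main__":
    for name, blk in zip(("prng", "stuck_low", "alternating"), sample_blocks()):
        print(name, fips140_2(blk))
```

To run it against a live source, read 2500-byte chunks from the device or daemon under test (for example `open("/dev/random", "rb").read(BLOCK_BYTES)` on a Linux box with haveged feeding the pool) and pass consecutive blocks with `previous` set, exactly as rngtest keeps a running tally. Note what the alternating block shows: monobit and long-run pass on a perfectly balanced but entirely predictable stream, and only the poker and runs tests catch it, which is why the battery is applied as a whole. Also note that these tests cannot tell a cryptographically seeded PRNG from true entropy (the seeded `random.Random` stream passes); they reject a broken source, not a predictable one, so they are a sanity check on the daemon, not proof of unpredictability. A genuinely random source will still fail a small fraction of blocks by chance, so count failures over many blocks rather than judging a source on one.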
