navigation
search
Differences
This shows you the differences between two versions of the page.
|
redhat:rngd:rgnd_init_script [2010/03/01 20:07] cwadge created |
redhat:rngd:rgnd_init_script [2010/03/03 01:07] (current) cwadge added footnote |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== RNGD Init Script Missing in Red Hat, CentOS ====== | + | ====== RNGD Init Script Missing in Red Hat, CentOS, Fedora ====== |
| - | + | ||
| - | Applications which use cryptography rely on your system's entropy pool for random seeds. Unfortunately, on a headless server with a lot of SSL traffic, this can be drained, leaving your system waiting on ///dev/random//. To help combat this potential issue, rngd((Random Number Generator Daemon)) can utilize a variety of hardware based random number generators to help fill the entropy pool. From the package description: | + | |
| + | Applications which use cryptography rely on your system's entropy pool for random seeds. Desktop systems can fill their entropy pool with direct human interaction -- sources like keyboard and mouse input, etc. But on a headless server with a lot of SSL traffic, it's quite possible to drain the entropy pool faster than it can replenish. To help combat this potential issue, rngd((Random Number Generator Daemon)) can utilize a variety of hardware based random number generators and feed them back into ///dev/random//. From the package description: | ||
| > //"The rngd daemon acts as a bridge between a Hardware TRNG (true random number generator) such as the ones in some Intel/AMD/VIA/Geode chipsets, and the kernel's PRNG (pseudo-random number generator)."// | > //"The rngd daemon acts as a bridge between a Hardware TRNG (true random number generator) such as the ones in some Intel/AMD/VIA/Geode chipsets, and the kernel's PRNG (pseudo-random number generator)."// | ||
| - | Thankfully Red Hat (and by association CentOS) ship with rngd included, as provided by the 'rng-utils' package. Unfortunately, they did not include the init script necessary to automatically start is as a server process. However, we can provide such a script ourselves and have rngd start normally at the usual runlevels. | + | Fortunately, Red Hat (and by association CentOS) ship with rngd included, as provided by the 'rng-utils' package. Unfortunately, they did not include the init script necessary to automatically start is as a server process((Known to affect Red Hat / CentOS 5.4 and Fedora 12)). However, we can provide such a script ourselves and have rngd start normally at the usual runlevels. |
| ===== Installing RNGD ===== | ===== Installing RNGD ===== | ||
| Line 16: | Line 15: | ||
| ===== Providing An Init Script ===== | ===== Providing An Init Script ===== | ||
| - | In order to be managed as a system daemon, rngd will need an init script. Thankfully, Paul Wouters and Ian Burrell submitted one to a Red Hat bug (which was subsequently closed without resolution). Here it is, with some additional minor syntax fixes by myself: | + | In order to be managed as a system daemon, rngd will need an init script. Paul Wouters submitted just such an init script to a Red Hat bug report back in 2006, to which Ian Burrell replied with an updated version. Here it is, with some additional minor syntax fixes by myself: |
| <code=bash>#!/bin/bash | <code=bash>#!/bin/bash | ||
| Line 39: | Line 38: | ||
| # Description: The rngd daemon acts as a bridge between a Hardware TRNG | # Description: The rngd daemon acts as a bridge between a Hardware TRNG | ||
| # (true random number generator) such as the ones in some | # (true random number generator) such as the ones in some | ||
| - | # Intel/AMD/VIA/Geode chipsets, and the kernel's PRNG (peusdo | + | # Intel/AMD/VIA/Geode chipsets, and the kernel's PRNG |
| # (pseudo-random number generator). | # (pseudo-random number generator). | ||
| ### END INIT INFO | ### END INIT INFO | ||
| Line 131: | Line 130: | ||
| ==== Setting up RNGD as a Service ==== | ==== Setting up RNGD as a Service ==== | ||
| - | ...Simply copy the contents of the above script to **///etc/init.d/rngd//** with your favorite text editor. Next, you'll need to make it executable: | + | {{ :redhat:rngd:fileserver-entropy-day.png|}}...Simply copy the contents of the above script to **///etc/init.d/rngd//** with your favorite text editor. Next, you'll need to make it executable: |
| <code>chmod 755 /etc/init.d/rngd</code> | <code>chmod 755 /etc/init.d/rngd</code> | ||
| Line 147: | Line 146: | ||
| ===== Testing the Quality of your Hardware Randomness ===== | ===== Testing the Quality of your Hardware Randomness ===== | ||
| - | After installing and running rngd, you should test your hardware RNG to make sure it's not broken; "broken" in this case meaning spitting out too much predictable data. For this task, employ the 'rngtest' tool: | + | After installing and running rngd, your entropy pool should fill up a lot faster than you'd previously expect. The quantity and quality will vary based upon the the capabilities of your hardware RNG, but you should already notice a difference in the size of your currently available entropy pool: |
| + | |||
| + | <code>cat /proc/sys/kernel/random/entropy_avail</code> | ||
| + | |||
| + | Before relying on this new entropy source, you should test your hardware RNG to make sure it's not broken. "Broken" in this case meaning spitting out too much predictable data. For this task, employ the 'rngtest' tool: | ||
| <code>cat /dev/hw_random | rngtest -c 1000</code> | <code>cat /dev/hw_random | rngtest -c 1000</code> | ||
| Line 169: | Line 172: | ||
| rngtest: Program run time: 77695015 microseconds</code> | rngtest: Program run time: 77695015 microseconds</code> | ||
| - | If you see more than a few failures, you may want to disable that particular piece of hardware (or replace it if possible). If your results look good however, congratulations, and may your entropy pool runneth over! | + | If you see more than a few failures, you may want to disable that particular piece of hardware (or replace it if possible). If your results look good however, congratulations -- your entropy pool runneth over! |
