On Fri, Aug 15, 2014 at 01:24:02AM -0700, Clint Pachl wrote:
| Is it safe to generate some randomness in /tftpboot/etc/random.seed for
| clients that PXE boot?
| 
| My concern is that this file will be available to everyone on the network
| via TFTP. So does knowing this randomness help "predict" the PRNG output of
| the clients that use it?

What you could do is use the -r option to tftpd(8) to hand out a new
file to each client that connects.  Or just periodically (like, every
hour or every minute, depending on the load of your tftp server)
replace it with a new random file.

| I read in a de Raadt interview earlier this year that there are other
| sources mixed in at the boot loader state. So I'm guessing it shouldn't
| hurt, but probably help. Some clarification on the subject from an expert
| would be greatly appreciated.

I have an /etc/random.seed in my tftp server.  I don't do any of the
above, since I *very* seldom do PXE boots, and when I do I need to
update kernel and bootloader anyway, so I've automated updating
random.seed by adding it into the script that picks bsd.rd+pxeboot for
a selected architecture.

Note that the transfer is in clear text.  So even if you change it, it
could be intercepted during transfer depending on your network setup.

Cheers,

Paul 'WEiRD' de Weerd

-- 
>++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
+++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
http://www.weirdnet.nl/

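One way to do the periodic replacement Paul describes, as an added shell example that is not from the mail or from OpenBSD itself: it swaps the seed in atomically so a PXE client never fetches a half-written file and no temp copy of the old seed is left behind. The 512-byte size, /dev/urandom as the source, the `seed_ok` helper and the cron line are my assumptions.

```shell
#!/bin/sh
# Atomically regenerate a TFTP-served random.seed: every replacement is a
# complete file, and a failed run leaves the old seed untouched.
# Assumptions (not taken from the mail): the seed is 512 bytes, /dev/urandom
# is the entropy source, and the seed path is passed as the first argument.

SEED_BYTES=512

regen_seed() {
    seed=$1
    dir=$(dirname "$seed")
    # Create the temp file in the same directory so the final mv is a
    # rename within one filesystem, which is atomic.
    tmp=$(mktemp "$dir/.random.seed.XXXXXX") || return 1
    if ! dd if=/dev/urandom of="$tmp" bs="$SEED_BYTES" count=1 2>/dev/null; then
        rm -f "$tmp"; return 1
    fi
    # Refuse to publish a short seed (e.g. a partial read from the device).
    if [ "$(wc -c < "$tmp" | tr -d ' ')" -ne "$SEED_BYTES" ]; then
        rm -f "$tmp"; return 1
    fi
    # World-readable is unavoidable for a file served over TFTP; what can
    # be enforced is that nobody but the owner can overwrite it.
    chmod 0644 "$tmp" || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$seed"
}

# Sanity check usable from monitoring: right size, not group/world writable.
seed_ok() {
    [ -f "$1" ] || return 1
    [ "$(wc -c < "$1" | tr -d ' ')" -eq "$SEED_BYTES" ] || return 1
    [ -z "$(find "$1" -perm -020 -o -perm -002)" ]
}

# Example cron entry (hourly, one of the intervals the mail suggests):
#   0 * * * * /usr/local/sbin/regen-seed /tftpboot/etc/random.seed
# Usage: regen_seed /tftpboot/etc/random.seed && seed_ok /tftpboot/etc/random.seed
```

As the mail points out, rotating the file only shortens how long a copy fetched over TFTP stays useful; the transfer itself is still clear text.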