On Sun, May 04, 2014 at 10:56:03PM +0200, Ángel González wrote:
> On 02/05/14 21:40, William Ahern wrote:
> >Linux
> >also has an obscure sysctl which pulls directly from the internal CSPRNG.
> >So
> >all of these will work in a jail without /dev or /proc.
>
> That's cool, but as stated on Linux sysctl(2):
<snip>
> > This system call is available only if the kernel was configured
> >with the CONFIG_SYSCTL_SYSCALL option.
>
> And indeed, trying a test program calling CTL_KERN, KERN_RANDOM,
> RANDOM_UUID (from your code) prints
> >warning: process `sysctl-rand' used the deprecated sysctl system call
> >with 1.40.6.
>
> and returned with ENOSYS (the kernel was compiled without
> CONFIG_SYSCTL_SYSCALL).
>
> So I don't think it's a suitable primary means to gather random data
> under Linux. :-(

It still works on the latest Ubuntu, but I see now that Red Hat (Fedora
Rawhide) has disabled it. So much for ABI stability. glibc says lots of
stupid stuff in their manual pages, but I didn't think Linux would actually
break it this way, given how much of a stink Linus makes about preserving
userspace compatibility.

In any event, it's still the only proper solution. Otherwise there is no
reliable means and Linux can just be considered second-class in this regard,
like Solaris, OS X, and others.

Of course it's smart to always check the return value and have a fallback in
case some people thoughtlessly turned it off. My sample code I linked to does
fall back to /dev/urandom, as well as [somewhat ashamedly] collects junk data
in a last ditch effort, including collecting bits from ASLR, getrusage, and
uname.

> I encourage you to raise at lkml the need to have a dev-less random data
> source, though.

They tend to ignore unknown people on LKML. I once submitted a bug report
about datagram connect(2) behavior where you couldn't change the destination
address if it was on another network, despite the manual pages (and POSIX)
saying that it would work. I doubt anybody even bothered reading it, and of
course nobody replied.

I'll give it a try, though. I'll also try contacting Red Hat, and inquire
with the Debian and Ubuntu folks to see if they intended to change their
configuration.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
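The dev-less lookup discussed in this message, as an added C example written for this page. It is not William Ahern's linked sample code and does not reproduce it; the function names (fill_random, try_sysctl_uuid, and so on) are this example's own. It implements the sysctl(2) CTL_KERN/KERN_RANDOM/RANDOM_UUID read the thread describes, checks its return value as the reply recommends, and falls back to /dev/urandom; it deliberately has no last-ditch "junk data" stage. Two things the thread could not know in May 2014 are folded in: Linux 3.17 later added getrandom(2), which is exactly the dev-less source Ángel asks for and is tried first here, and Linux 5.5 removed the sysctl system call outright, so on a current kernel the sysctl path returns ENOSYS the same way it did on the CONFIG_SYSCTL_SYSCALL-less kernel in the report. One caveat on the sysctl route itself: the kernel hands back an RFC 4122 UUID, so the version and variant bits in bytes 6 and 8 are fixed; the example keeps only the other 14 bytes of each 16-byte result.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/sysmacros.h>
#ifdef SYS__sysctl
#include <linux/sysctl.h>   /* CTL_KERN, KERN_RANDOM, RANDOM_UUID, struct __sysctl_args */
#endif

/* Which source finally satisfied the request (names are this example's own). */
enum rnd_source { RND_NONE = 0, RND_GETRANDOM, RND_SYSCTL_UUID, RND_URANDOM };

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* getrandom(2), added in Linux 3.17 after this thread: dev-less and not a
 * config option. Called through syscall() so older libcs still build it. */
static int try_getrandom(unsigned char *buf, size_t len)
{
#ifdef SYS_getrandom
    size_t got = 0;
    while (got < len) {
        long n = syscall(SYS_getrandom, buf + got, len - got, 0);
        if (n < 0) {
            if (errno == EINTR) continue;
            return -1;                       /* ENOSYS on a pre-3.17 kernel */
        }
        got += (size_t)n;
    }
    return 0;
#else
    (void)buf; (void)len; errno = ENOSYS; return -1;
#endif
}

/* The thread's method: sysctl(2) on kern.random.uuid. Each call yields a text
 * UUID built from 16 CSPRNG bytes; bytes 6 and 8 carry forced RFC 4122 bits,
 * so only the other 14 are kept. Fails with ENOSYS without
 * CONFIG_SYSCTL_SYSCALL (the report above) and on every kernel from 5.5 on. */
static int try_sysctl_uuid(unsigned char *buf, size_t len)
{
#ifdef SYS__sysctl
    int name[3] = { CTL_KERN, KERN_RANDOM, RANDOM_UUID };
    size_t got = 0;
    while (got < len) {
        char uuid[64];
        size_t ulen = sizeof uuid, nraw = 0, i;
        unsigned char raw[16];
        int hi = -1;
        struct __sysctl_args args;
        memset(&args, 0, sizeof args);
        args.name = name;
        args.nlen = 3;
        args.oldval = uuid;
        args.oldlenp = &ulen;
        if (syscall(SYS__sysctl, &args) < 0)
            return -1;                       /* check it: ENOSYS is common */
        for (i = 0; i < ulen && nraw < 16; i++) {
            int v = hexval((unsigned char)uuid[i]);
            if (v < 0) continue;             /* skip '-' and the newline */
            if (hi < 0) { hi = v; continue; }
            raw[nraw++] = (unsigned char)((hi << 4) | v);
            hi = -1;
        }
        if (nraw != 16) { errno = EIO; return -1; }
        for (i = 0; i < 16 && got < len; i++)
            if (i != 6 && i != 8) buf[got++] = raw[i];
    }
    return 0;
#else
    (void)buf; (void)len; errno = ENOSYS; return -1;
#endif
}

/* Fallback: /dev/urandom, verified to be the real character device (1:9) and
 * not a regular file someone dropped into the jail's /dev. */
static int try_urandom(unsigned char *buf, size_t len)
{
    struct stat st;
    size_t got = 0;
    int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC | O_NOCTTY);
    if (fd < 0) return -1;
    if (fstat(fd, &st) < 0 || !S_ISCHR(st.st_mode) ||
        major(st.st_rdev) != 1 || minor(st.st_rdev) != 9) {
        close(fd); errno = ENODEV; return -1;
    }
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n < 0 && errno == EINTR) continue;
        if (n <= 0) { int e = n < 0 ? errno : EIO; close(fd); errno = e; return -1; }
        got += (size_t)n;
    }
    close(fd);
    return 0;
}

/* Try each source in order; report which one worked, RND_NONE with errno set
 * if none did. No "collect junk" stage: failing loudly beats a weak key. */
enum rnd_source fill_random(unsigned char *buf, size_t len)
{
    if (try_getrandom(buf, len) == 0)   return RND_GETRANDOM;
    if (try_sysctl_uuid(buf, len) == 0) return RND_SYSCTL_UUID;
    if (try_urandom(buf, len) == 0)     return RND_URANDOM;
    return RND_NONE;
}

/* Self-check: two 32-byte fills must both succeed and must differ. */
int fill_random_differs(void)
{
    unsigned char a[32], b[32];
    memset(a, 0, sizeof a);
    memset(b, 0, sizeof b);
    if (fill_random(a, sizeof a) == RND_NONE) return 0;
    if (fill_random(b, sizeof b) == RND_NONE) return 0;
    return memcmp(a, b, sizeof a) != 0;
}

int main(void)
{
    static const char *names[] = { "none", "getrandom", "sysctl uuid", "/dev/urandom" };
    unsigned char key[32];
    enum rnd_source src = fill_random(key, sizeof key);
    if (src == RND_NONE) { perror("fill_random"); return 1; }
    printf("%s:", names[src]);
    for (size_t i = 0; i < sizeof key; i++) printf(" %02x", key[i]);
    printf("\n");
    return 0;
}
```

Run it inside a chroot with no /dev and no /proc to see the ordering matter: on a kernel of 3.17 or later it reports getrandom; on a 2014-era kernel built with CONFIG_SYSCTL_SYSCALL it reports the sysctl path; on one built without it, only the urandom fallback remains, which the jail has just taken away, and the program exits non-zero instead of inventing entropy.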