5

I am thinking my entropy level may be low? 

$ cat /proc/sys/kernel/random/entropy_avail

I am around 132-178 on average. Pool size is default 4096 (this is a container on a virtualizer by the way).

I also have ran:

$ cat /dev/urandom | rngtest -c 1000

and got:

rngtest: starting FIPS tests...
rngtest: bits received from input: 20000032
rngtest: FIPS 140-2 successes: 999
rngtest: FIPS 140-2 failures: 1
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 1
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=26.272; avg=628.845; max=19073.486)Mibits/s
rngtest: FIPS tests speed: (min=73.928; avg=108.740; max=130.640)Mibits/s
rngtest: Program run time: 206182 microseconds

Also ran it on random and it took about forever to run, I cancelled it at about 5 minutes:

^Crngtest: bits received from input: 25432
rngtest: FIPS 140-2 successes: 1
rngtest: FIPS 140-2 failures: 0
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=100.736; avg=100.736; max=100.736)bits/s
rngtest: FIPS tests speed: (min=127.157; avg=127.157; max=127.157)Mibits/s
rngtest: Program run time: 255516440 microseconds

You hardcore OS guys - does this mean anything to you, and could this possibly be the problem of my slower SASL auth's as described in the bug: https://issues.kolab.org/show_bug.cgi?id=5219

NOTE: This is CentOS 6 by the way.

I have tried installed haveged as others have written articles about it, but I tried and the process instantly dies and tells me the subsystem is locked.

I'm not sure where to go from here.. I don't really have the ability to plug in a USB key as others have described either. And like I said, havaged starts, but quickly died.

The reason I need this entropy higher is simply because I am running a mail server that communicates over TLS a TON based on how our webmail is built. (SASL, Cyrus setup).

EDIT 1:

I installed haveged:

$ yum install haveged

But when I go to start the process it instantly dies:

Process is dead but sub system is locked

Of course I did my research and found no answers why this is happening. I do see that the lock file is there. I've tried deleting it and restarting the service and that did nothing. I also do not see a PID file in var/run.

I installed this from the standard repos with CentOS which I assume work since yum installed it fine.

EDIT 2:

How would I go about having SASL/Cyrus use urandom instead of random if I can't generate higher entropy of my random pools on a container?

slm
  • 7,355
  • 16
  • 54
  • 72
Gordon Snappleweed
  • 75
  • 1
  • 9
  • 2
    You can't run haveged in a container; it must run on the (physical or virtual) host. – Michael Hampton Sep 12 '15 at 03:02
  • Michael, no way! So if I run it on the host, will it propagate to the containers? – Gordon Snappleweed Sep 12 '15 at 03:02
  • 1
    There is only one entropy pool since there is only one kernel. All containers will use it. – Michael Hampton Sep 12 '15 at 03:09
  • Michael - that now makes sense... So how would you suggest improving entropy on my containers? Running rng on random took absolutely forever and I'm stuck on what to do. Thank you again for clearing this up!! – Gordon Snappleweed Sep 12 '15 at 03:14
  • 3
    Stop using `/dev/random`. You should be using `/dev/urandom` for almost everything. – Michael Hampton Sep 12 '15 at 03:22
  • I am running mail servers that are relying random for strong TLS auths. I have read everywhere urandom is not recommended. I've talked to the Cyrus guys and they're telling me to steer away from urandom as well. The host machines are extremely beefy so I don't think there would be a problem if only I could generate more random – Gordon Snappleweed Sep 12 '15 at 03:23
  • 1
    [You have heard wrong. You should not be touching /dev/random. Always use /dev/urandom. If the Cyrus guys are telling you to not use /dev/urandom, then they are wrong too.](http://sockpuppet.org/blog/2014/02/25/safely-generate-random-numbers/) – Michael Hampton Sep 12 '15 at 03:24
  • Lol - can you explain why though? No joke, 20 people told me to use random for my TLS stuff. Urandom is lower grade encryption and I'd rather not degrade it if I don't have to. So let's say you are right - can I steer SASL/Cyrus to use urandom pools? – Gordon Snappleweed Sep 12 '15 at 03:26
  • 1
    Click the link. 20 people are still wrong. /dev/urandom is not less secure than /dev/random. – Michael Hampton Sep 12 '15 at 03:28
  • Okay.. I updated my question then. Is it possible to force (everything) to use urandom then? Specifically anything dealing with TLS and SASLas these are some major slowdowns for me. – Gordon Snappleweed Sep 12 '15 at 03:32
  • 1
    http://security.stackexchange.com/a/14387/11291 Looks like for Cyrus you have to recompile it. – Michael Hampton Sep 12 '15 at 03:34
  • 3
    See also [Myths about /dev/urandom](http://www.2uo.de/myths-about-urandom/) – Michael Hampton Sep 12 '15 at 03:49
  • What's funny is I checked available entropy on the host machine and I'm getting the exact same thing. You wouldn't suggest just for me to install haveged on the host and let it trickle to the containers? – Gordon Snappleweed Sep 12 '15 at 03:52
  • 1
    Until Cyrus gets their act together and fixes their problem, I suggest you just [do this](http://security.stackexchange.com/a/14399/11291). – Michael Hampton Sep 12 '15 at 04:04

0 Answers0