* [Buildroot] SSH server starts too late
@ 2020-02-21 9:13 Hammami Omar
2020-02-21 10:19 ` Peter Seiderer
0 siblings, 1 reply; 13+ messages in thread
From: Hammami Omar @ 2020-02-21 9:13 UTC (permalink / raw)
To: buildroot
Hello,
I am using the buildroot version "2019.11.1" and I have noticed that my SSH
server starts too late.
I was using an old version "2017.08" and the SSH server was starting
normally.
Are you aware of this issue please ?
And do you propose a workaround for this ?
And thank you very much.
Best regards,
omar
^ permalink raw reply [flat|nested] 13+ messages in thread
* [Buildroot] SSH server starts too late
2020-02-21 9:13 [Buildroot] SSH server starts too late Hammami Omar
@ 2020-02-21 10:19 ` Peter Seiderer
2020-02-21 14:50 ` Hammami Omar
0 siblings, 1 reply; 13+ messages in thread
From: Peter Seiderer @ 2020-02-21 10:19 UTC (permalink / raw)
To: buildroot
Hello Hammami,
On Fri, 21 Feb 2020 10:13:17 +0100, Hammami Omar <omar18hammami@gmail.com> wrote:
> Hello,
>
> I am using the buildroot version "2019.11.1" and I have noticed that my SSH
> server starts too late.
> I was using an old version "2017.08" and the SSH server was starting
> normally.
> Are you aware of this issue please ?
> And do you propose a workaround for this ?
What exactly do you mean by 'too late'? Which init system do you use?
On first boot the ssh keys must be generated (which can take some time
depending on the hardware and the random source)... Random generation
can be sped up by e.g. using/enabling haveged...
Regards,
Peter
> And thank you very much.
>
> Best regards,
> omar
^ permalink raw reply [flat|nested] 13+ messages in thread
* [Buildroot] SSH server starts too late
2020-02-21 10:19 ` Peter Seiderer
@ 2020-02-21 14:50 ` Hammami Omar
2020-02-21 16:16 ` Hammami Omar
2020-02-21 18:08 ` Grant Edwards
0 siblings, 2 replies; 13+ messages in thread
From: Hammami Omar @ 2020-02-21 14:50 UTC (permalink / raw)
To: buildroot
Hello Peter,
Thank you very much for your response.
By too late, I mean that my ssh server starts ~20 seconds later compared
to normal (old Buildroot version in my case).
Also, I am using the busybox init system. And I am thinking of using the
systemd init system, so that I can see the dependencies of the ssh process
and their execution time.
Now I have one question about haveged:
Is haveged used only with the systemd init system? Or can it also be used with
the busybox init system?
Is it possible to enable haveged from the Buildroot menuconfig?
Best regards,
omar
^ permalink raw reply [flat|nested] 13+ messages in thread
* [Buildroot] SSH server starts too late
2020-02-21 14:50 ` Hammami Omar
@ 2020-02-21 16:16 ` Hammami Omar
2020-02-21 18:08 ` Grant Edwards
1 sibling, 0 replies; 13+ messages in thread
From: Hammami Omar @ 2020-02-21 16:16 UTC (permalink / raw)
To: buildroot
Hello,
I have added the package haveged to my Linux image. However, the problem is
not resolved. In fact, the ssh server has started too late.
Regards,
omar
^ permalink raw reply [flat|nested] 13+ messages in thread
* [Buildroot] SSH server starts too late
2020-02-21 14:50 ` Hammami Omar
2020-02-21 16:16 ` Hammami Omar
@ 2020-02-21 18:08 ` Grant Edwards
2020-02-21 18:30 ` Hammami Omar
1 sibling, 1 reply; 13+ messages in thread
From: Grant Edwards @ 2020-02-21 18:08 UTC (permalink / raw)
To: buildroot
On 2020-02-21, Hammami Omar <omar18hammami@gmail.com> wrote:
> By too late, I mean that my ssh server starts ~20 seconds later compared
> to normal (old Buildroot version in my case).
Does it generate a new host key each time it starts?
--
Grant Edwards grant.b.edwards Yow! Is a tattoo real, like
at a curb or a battleship?
gmail.com Or are we suffering in
Safeway?
^ permalink raw reply [flat|nested] 13+ messages in thread
* [Buildroot] SSH server starts too late
2020-02-21 18:08 ` Grant Edwards
@ 2020-02-21 18:30 ` Hammami Omar
2020-03-03 12:33 ` Hammami Omar
0 siblings, 1 reply; 13+ messages in thread
From: Hammami Omar @ 2020-02-21 18:30 UTC (permalink / raw)
To: buildroot
Hello Grant,
No, I always have the same "/var/ssh_host_rsa_key"
The haveged script was started, I have a very high value of entropy (2332)
and the sshd process started too late.
^ permalink raw reply [flat|nested] 13+ messages in thread
* [Buildroot] SSH server starts too late
2020-02-21 18:30 ` Hammami Omar
@ 2020-03-03 12:33 ` Hammami Omar
0 siblings, 0 replies; 13+ messages in thread
From: Hammami Omar @ 2020-03-03 12:33 UTC (permalink / raw)
To: buildroot
Hello,
My problem is not resolved yet.
In fact, I have learned that libopenssl 1.1.1d uses the getrandom function
in blocking mode.
So to disable this I have applied the modification below in
crypto/rand/rand_unix.c. But my problem is not resolved. In fact, my ssh
server starts too late (after ~2 minutes).
patch:
*# if defined(__linux) && defined(__NR_getrandom) *
* - return syscall(__NR_getrandom, buf, buflen, 0); *
* + return syscall(__NR_getrandom, buf, buflen, * *GRND_NONBLOCK* *);*
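Review bot: on the changed "return syscall(__NR_getrandom, buf, buflen, GRND_NONBLOCK);" line, getrandom() with GRND_NONBLOCK returns -1 with errno set to EAGAIN while the kernel pool is still uninitialised, so this function now hands an error to its caller instead of waiting, and the hunk does not show what the caller does with that result. Please include the caller's handling of the failure (or the fallback seed source it moves on to) in the patch, and confirm that the build really compiles this branch, since nothing in these lines shows that the "#if defined(__linux) && defined(__NR_getrandom)" condition holds for the target toolchain.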
Did I miss something ?
In fact, I applied this modification because I saw that my ssh server
started only if the nonblocking pool was initialized.
Is it possible that "OPENSSL_RAND_SEED_GETRANDOM" is not defined ?
Note:
I am using the openssh version 8.1p1
Kind regards,
Omar
^ permalink raw reply [flat|nested] 13+ messages in thread
* [Buildroot] SSH server starts too late
2020-02-24 14:07 ` Hammami Omar
@ 2020-02-24 15:16 ` Hammami Omar
0 siblings, 0 replies; 13+ messages in thread
From: Hammami Omar @ 2020-02-24 15:16 UTC (permalink / raw)
To: buildroot
Hello,
Does anyone know the modification or the patch that was applied to resolve
the problem in the kernel version 5.4.y ?
Regards,
Omar
^ permalink raw reply [flat|nested] 13+ messages in thread
* [Buildroot] SSH server starts too late
2020-02-24 13:22 ` Andreas Ziegler
@ 2020-02-24 14:07 ` Hammami Omar
2020-02-24 15:16 ` Hammami Omar
0 siblings, 1 reply; 13+ messages in thread
From: Hammami Omar @ 2020-02-24 14:07 UTC (permalink / raw)
To: buildroot
Hi,
In fact, my problem is not seen on my PC. Rather, it is seen on my embedded
board which has a Linux OS.
That is why I cannot use a keyboard.
^ permalink raw reply [flat|nested] 13+ messages in thread
* [Buildroot] SSH server starts too late
[not found] ` <CAGSpp9ng2yxCK=RZeq1Z_Bce4pwij9FQED23SpGuvjqm5awHhg@mail.gmail.com>
@ 2020-02-24 13:22 ` Andreas Ziegler
2020-02-24 14:07 ` Hammami Omar
0 siblings, 1 reply; 13+ messages in thread
From: Andreas Ziegler @ 2020-02-24 13:22 UTC (permalink / raw)
To: buildroot
On 2020-02-24 13:33, Hammami Omar wrote:
Hi Omar,
> The problem is that, in kernel logs, I cannot see that my ssh server
> was blocked.
> That is why, I am thinking if my problem is really due to entropy or
> not.
You should experience a time lag in kernel log time stamps when that
happens. If this lag is caused by an entropy issue, starting to type
randomly on the keyboard should resolve it quite fast. This will speed
up the time until you see the final random output:
> [ 77.847665] random: nonblocking pool is initialized
The SSH server will definitely not be operative until this pool is
initialized.
Kind regards,
Andreas
^ permalink raw reply [flat|nested] 13+ messages in thread
* [Buildroot] SSH server starts too late
[not found] ` <1d91f38acaeecb790f5a44d104ae0ca1@umbiko.net>
@ 2020-02-24 13:07 ` Andreas Ziegler
[not found] ` <CAGSpp9ng2yxCK=RZeq1Z_Bce4pwij9FQED23SpGuvjqm5awHhg@mail.gmail.com>
1 sibling, 0 replies; 13+ messages in thread
From: Andreas Ziegler @ 2020-02-24 13:07 UTC (permalink / raw)
To: buildroot
> Message: 31
> Date: Mon, 24 Feb 2020 10:29:42 +0100
> From: Hammami Omar <omar18hammami@gmail.com>
> To: Andreas Ziegler <br015@umbiko.net>
> Cc: buildroot at busybox.net, Peter Seiderer <ps.report@gmx.net>
> Subject: Re: [Buildroot] SSH server starts too late
> Hello Andreas,
>
> Thank you for your response.
> In fact, I have tried to add extra randomness by enabling "haveged". The
> entropy has increased but the problem is the same.
> Is it possible that the entropy value is always less than the wanted
> one ?
>
> Kind regards,
> Omar
Hi Omar,
The kernel entropy pool needs to be "seeded"; after that it works as
intended. Until the seeding is finished, calls to getentropy() or reads
from /dev/random block; reads from /dev/urandom work, but print warnings
in the kernel log. Thus it seems that there is always less entropy than
needed, because successful reads do not produce warning messages:
# dmesg | grep random
[ 0.070842] 000: random: get_random_u32 called from 0x8b299601 with crng_init=0
[ 9.553915] 000: random: fast init done
[ 11.522913] 000: random: dd: uninitialized urandom read (512 bytes read)
[ 14.271888] 000: random: wpa_supplicant: uninitialized urandom read (32 bytes read)
[ 14.307673] 000: random: mktemp: uninitialized urandom read (6 bytes read)
[ 23.668125] 000: random: mktemp: uninitialized urandom read (6 bytes read)
[ 23.863680] 000: random: mktemp: uninitialized urandom read (6 bytes read)
[ 24.003307] 000: random: sshd: uninitialized urandom read (32 bytes read)
[ 221.067499] 000: random: sshd: uninitialized urandom read (32 bytes read)
[ 221.092863] 000: random: sshd: uninitialized urandom read (32 bytes read)
[ 221.405090] 000: random: sshd: uninitialized urandom read (32 bytes read)
[ 327.117294] 000: random: crng init done
[ 327.117305] 000: random: 1 urandom warning(s) missed due to ratelimiting
Changes in libopenssh, starting with version 1.1.1c, try to enforce a
blocking behaviour (regardless of the device used) until the kernel pool
is ready.
Increasing entropy can be achieved by typing on the keyboard, generating
I/O from physical disks, or by using hardware devices (RNG). Another
source of randomness is the patch that was introduced by Linus Torvalds
in kernel 5.4.y:
https://lkml.org/lkml/2019/9/18/1078
Kind regards,
Andreas
^ permalink raw reply [flat|nested] 13+ messages in thread
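One way to answer "is the delay really due to entropy?" from the kernel log, as an added example that is not part of the thread or of Buildroot: the sh/awk functions below parse `dmesg | grep random` output, list the processes that read /dev/urandom before the pool was seeded, and measure the gap between a daemon's first early read and the "crng init done" (older kernels: "nonblocking pool is initialized") message. The function names are made up here, the sample lines are a shortened, unwrapped copy of the log quoted above, and one log entry per line is assumed.

```shell
#!/bin/sh
# Sample input: shortened, unwrapped copy of the dmesg excerpt from the thread.
sample_log() {
cat <<'EOF'
[ 0.070842] 000: random: get_random_u32 called from 0x8b299601 with crng_init=0
[ 9.553915] 000: random: fast init done
[ 11.522913] 000: random: dd: uninitialized urandom read (512 bytes read)
[ 14.271888] 000: random: wpa_supplicant: uninitialized urandom read (32 bytes read)
[ 24.003307] 000: random: sshd: uninitialized urandom read (32 bytes read)
[ 221.067499] 000: random: sshd: uninitialized urandom read (32 bytes read)
[ 327.117294] 000: random: crng init done
EOF
}

# Print the timestamp at which the kernel reported the pool as seeded.
# Exit status 1 if the log contains no such line (pool still unseeded).
crng_ready_time() {
    awk '
        /random: (crng init done|nonblocking pool is initialized)/ {
            if (match($0, /[0-9]+\.[0-9]+\]/)) {
                print substr($0, RSTART, RLENGTH - 1); found = 1; exit
            }
        }
        END { exit (found ? 0 : 1) }
    '
}

# One line per process that read urandom before seeding:
#   name  number_of_warnings  first_timestamp  last_timestamp
early_readers() {
    awk '
        /uninitialized urandom read/ {
            if (!match($0, /[0-9]+\.[0-9]+\]/)) next
            ts = substr($0, RSTART, RLENGTH - 1)
            name = $0
            sub(/^.*random: /, "", name)          # drop timestamp and prefix
            sub(/: uninitialized.*$/, "", name)   # keep only the process name
            if (!(name in first)) { first[name] = ts; order[++n] = name }
            count[name]++; last[name] = ts
        }
        END { for (i = 1; i <= n; i++)
                  printf "%s %d %s %s\n", order[i], count[order[i]], first[order[i]], last[order[i]] }
    '
}

# Seconds between PROC's first early urandom read and the pool being seeded.
# Exit status 1 if PROC never read early or the pool was never seeded.
seeding_wait() {
    awk -v proc="$1" '
        match($0, /[0-9]+\.[0-9]+\]/) { t = substr($0, RSTART, RLENGTH - 1) + 0 }
        index($0, "random: " proc ": uninitialized urandom read") && !seen { start = t; seen = 1 }
        /random: (crng init done|nonblocking pool is initialized)/ && seen {
            printf "%.1f\n", t - start; done = 1; exit
        }
        END { exit (done ? 0 : 1) }
    '
}

sample_log | early_readers
printf 'pool seeded at %ss, sshd first read %ss earlier\n' \
    "$(sample_log | crng_ready_time)" "$(sample_log | seeding_wait sshd)"
```

On a target, feed the functions `dmesg | grep random` instead of `sample_log`; a large value from `seeding_wait sshd` together with a late seeding timestamp points at boot-time entropy starvation rather than at the init scripts.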
* [Buildroot] SSH server starts too late
2020-02-21 12:51 ` Andreas Ziegler
@ 2020-02-24 9:29 ` Hammami Omar
[not found] ` <1d91f38acaeecb790f5a44d104ae0ca1@umbiko.net>
0 siblings, 1 reply; 13+ messages in thread
From: Hammami Omar @ 2020-02-24 9:29 UTC (permalink / raw)
To: buildroot
Hello Andreas,
Thank you for your response.
In fact, I have tried to add extra randomness by enabling "haveged". The
entropy has increased but the problem is the same.
Is it possible that the entropy value is always less than the wanted one ?
Kind regards,
Omar
^ permalink raw reply [flat|nested] 13+ messages in thread
* [Buildroot] SSH server starts too late
[not found] <mailman.11.1582286403.41897.buildroot@busybox.net>
@ 2020-02-21 12:51 ` Andreas Ziegler
2020-02-24 9:29 ` Hammami Omar
0 siblings, 1 reply; 13+ messages in thread
From: Andreas Ziegler @ 2020-02-21 12:51 UTC (permalink / raw)
To: buildroot
Hi Omar,
On 2020-02-21 13:00, Hammami Omar <omar18hammami@gmail.com> wrote
> I am using the buildroot version "2019.11.1" and I have noticed that my
> SSH
> server starts too late.
> I was using an old version "2017.08" and the SSH server was starting
> normally.
This issue is not related to Buildroot, but caused by changes in
libopenssl (which in turn is used by OpenSSH), starting around the
middle of last year. You will find a lot of background information when
you search the www for 'boot-time entropy starvation'; the cause is,
reading random data from /dev/urandom blocks until the kernel entropy
pool has been initialized.
Workarounds:
(a) Patch libopenssl (not recommended for nodes directly connected to
the WAN).
(b) Use a more recent kernel; version 5.4.y introduced a temporary fix
for this issue.
(c) Use other sources of extra randomness, as proposed by Peter
Seiderer.
Kind regards,
Andreas
^ permalink raw reply [flat|nested] 13+ messages in thread