Subject: insufficient entropy for rnd
To: None <tech-crypto@NetBSD.org>
From: Rumi Szabolcs <firstname.lastname@example.org>
Date: 08/11/2003 20:19:00
I've got a server running NetBSD/i386 which is getting a
relatively low load. I'm running sendmail on it using SMTP
authentication via Cyrus SASL, which seems to use /dev/random.
When a mail gets relayed in such an authenticated manner,
sendmail often drops the connection with a timeout during
the authentication process which I believe is due to insufficient
randomness coming out of /dev/random so that read is blocking
so long that the SMTP connection gets timed out. When I make
a "find / -name blahblah" that puts some load on the filesystem
so that more entropy is gathered by rnd, this instantly revives
sendmail and the authentication succeeds...
Maybe Cyrus SASL (mine is 2.1.12 from pkgsrc) could be compiled
to use /dev/urandom instead, but for me this sounds more like
a workaround than a solution at least for a crypto purpose.
Wouldn't it be better to figure out more entropy sources
for a better feed of rnd? I also wonder how big the entropy
gathering pool is and how long it "caches" the entropy
that has been gathered.