tech-kern archive


Re: cprng sysctl: WARNING pseudorandom rekeying.



    Date:        Fri, 9 Nov 2012 17:49:16 -0500
    From:        Thor Lancelot Simon <tls%panix.com@localhost>
    Message-ID:  <20121109224916.GB29097%panix.com@localhost>

  | Ah, right!  You need to edit rc.conf and boot.cfg to reflect this.  Some
  | systems put the entropy file in /etc for this reason.

I installed a new system and modified it that way, and did a few reboots
of it, and that makes (at least) the boot time message go away (this system
never ran long enough to get to the next one, and isn't doing any work
that I'd assume would cause it to consume bits).

However, I really don't think it is a good idea for the default location
for this file to be on a filesystem that is often not mounted at boot
time - so much so that sysinst actually even offers to create /var
as one of the (very few) possible mount points it has knowledge of
(just /, of course, /usr /var /tmp and /home)

I would suggest moving the default someplace else, somewhere that will
always be on the root filesys. (Even that isn't necessarily enough,
my work system, which is nowhere near -current so doesn't have this
issue, it boots from a filesystem that never even normally gets mounted,
its root is an autoconfig'd raid - there's no way for the running system
to write a file that will be visible to the boot code).

from your earlier message ...

  | That's more serious, then.  That means something on your system is pulling
  | a comparatively huge number of bits from the general-purpose kernel RNG
  | instance, and nothing's putting enough bits into the pool to rekey it.

I do do a fair amount of ssh'ing (not unusual for a dozen xterms all to have
ssh clients running in them, and some of them stop and restart moderately
frequently - stupid NAT in the path that keeps screwing up).  Unless a
generic browser (not connecting to anything much that would need a login,
or use https) consumes bits, I doubt there would be many other consumers.

This is on a virtualbox hosted system, there's probably not much there
that I'd trust to actually provide sources of random bits.

kre

