Subject: Re: add rnd(4) to install floppy
To: Nathan J. Williams <>
From: Steven M. Bellovin <>
List: tech-security
Date: 09/05/2003 11:50:58
In message <>, "Nathan J. Willia
ms" writes:
> (Jun-ichiro itojun Hagino) writes:
>> 	well, then, we should probably put some code into sysinst that warns
>> 	user like "password entries are created with weak random number, you
>> 	will not want to configure root password during this installation
>> 	session" for kernels without rnd(4).
>This seems totally overwrought. All the random number is used for here
>is generating a salt, whose goal is to make dictionary attacks on the
>encrypted password difficult, right? I don't think that requires a
>top-notch random-number generator.

I was about to post the same observation.  (The situation will be 
different if, as itojun suggests, sysinst generates ssh keys, but 
perhaps that should be done at first boot?)

		--Steve Bellovin,