On 21/12/2013 16:06, Emmanuel Dreyfus wrote:
I have these messages on an i386 6.1.2 Xen machine:
cprng cpu0-short: WARNING pseudorandom rekeying.
cprng 47814d1: WARNING pseudorandom rekeying.
cprng sysctl: WARNING pseudorandom rekeying.
What does it mean? I just upgraded the kernel to 6.1.2 to regenerate weak RSA keys generated on 6.0. The warning suggests the pseudorandom generator could be kinked. Is it safe to generate keys?
I suppose you get these messages at boot from a domU. It means that the RNG was seeded with a (supposedly) bad state, e.g. with not enough random bits to be deemed safe.
It is generally not safe to keep long term keys generated during that state. The output of "rndctl -s" can show whether the situation is tolerable and evolving (generally when the rc script loads the random_seed file).
IMHO long term keys should not be created directly from a domU, let alone a VM; running a "dd if=/dev/random count=16 bs=1" can almost hang indefinitely in a domU, or (even worse) output not-so-random bits with other kinds of VM subsystems (KVM without virtio-rng drivers). On a generic host it should return almost instantly.
-- Jean-Yves Migeon
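
The dd test described above can be turned into a gate in front of key generation. The following is an added example, not part of the original message: the function names entropy_ready and guarded_run are hypothetical, and it assumes a timeout(1) utility is installed.

```sh
#!/bin/sh
# Added example (not from the original thread).
# Assumption: timeout(1) is available on the system.

# entropy_ready DEVICE SECONDS
# Succeeds only if 16 bytes can be read from DEVICE before the deadline,
# i.e. the "dd if=/dev/random count=16 bs=1" test with a time limit.
# This only detects a stalled pool. It says nothing about the quality
# of the bytes returned, which is the worse case the message describes.
entropy_ready() {
    dev=${1:-/dev/random}
    limit=${2:-5}
    # wc counts what dd managed to read before timeout killed it.
    n=$(timeout "$limit" dd if="$dev" bs=1 count=16 2>/dev/null | wc -c | tr -d ' ')
    [ "$n" -eq 16 ]
}

# guarded_run DEVICE SECONDS COMMAND [ARGS...]
# Runs COMMAND only when the entropy source answers in time.
guarded_run() {
    dev=$1
    limit=$2
    shift 2
    if ! entropy_ready "$dev" "$limit"; then
        echo "refusing to run '$*': $dev gave no data within ${limit}s" >&2
        # On NetBSD, print the pool statistics so the operator can judge
        # whether the state is improving (e.g. after random_seed is loaded).
        command -v rndctl >/dev/null 2>&1 && rndctl -s >&2
        return 1
    fi
    "$@"
}

# Example invocation (file name is a placeholder):
#   guarded_run /dev/random 5 ssh-keygen -t rsa -b 4096 -f ./new_host_key
```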