Re: where to set/override entropy $random_file location?

[Greg Troxel <gdt%lexort.com@localhost>]

Steve Rikli <sr%genyosha.net@localhost> writes:

> So I have a working setup if needed, but I think there's a disconnect
> in how/where $random_file is set, or documentation, or both.  From the
> man page it seems like /etc/rc.d/random_seed is intended to source
> /etc/security.conf but it's apparently not happening.

My quick reaction is that while getting entropy is security-relevant,
this situation doesn't make sense.  Reading code briefly, I think
/etc/security is saving entropy daily so that if there is a reboot,
there will be fresher bits.  I obviously didn't write that code -- if I
did you could tell because there's be comment about 5x as long as the
code :-)  But seriously it's trickier because /etc/rc.d/random_seed
stores on shutdown, and by default nothing is set for security.
I'd say:

  The location of the file should be defined in one place, and rc.conf
  is the right place.

  I'm unclear on whether we have not-set/fallback as a preferred pattern
  in rc.d, vs set-in-defaults/use-it.  I suspect we can avoid this
  question.

  There is a separate config knob about whether /etc/security should
  save random_seed daily.  Arguably a boolean variable in
  /etc/security.conf could enable that.

  If /etc/security wants to save random_seed, I think it should just
  "/etc/rc.d/random_seed stop", which is sort of abusive because it
  relies on knowing that stop is save not stop, but maybe we can add a
  "checkpoint" verb.