[ntp:questions] /dev/random as opposed to //.rnd

coniptor at gmail.com coniptor at gmail.com
Fri May 11 18:38:40 UTC 2007


This is my first post to the ntp list. I've been googling around for
answers regarding autokey with ntp as I've only ever set up a non
encrypted/secured ntp configuration.

I've been tasked with setting up autokey in the environment and
thought I had IFF working, I'm not so sure now, since reading some of
the other posts regarding the TC scheme.

I did come across something I would like an answer to if possible.
I'm no cryptology expert but in my years as an administrator and
reviewing different docs on the internet I've come to understand that
with regard to encryption /dev/random is great as long as you have
random data to feed the entropy pool and /dev/urandom is not so great
as it's not truly random. I had trouble getting ntpd to stay up and
running and after reviewing the logs saw it was dying, saying it could
not open //.rnd. I looked around for any information regarding this
and found out that it is read by both ntp-keygen and ntpd to both
create the keys and perform the encrypted handshake or "dance."

My question then is WHY is /dev/random not used? What is the reasoning
for this? ssh uses /dev/random to my knowledge and I believe openssl
does too. I tried linking from /root/.rnd and /etc/ntp/.rnd (ntpd is
running as user ntp) to /dev/random and when doing this I could not
generate keys and ntpd would not start correctly. I tried instead of
creating a symlink to mknod the random file into existence under the
name .rnd and had the same problem.

Is ntpd's and ntp-keygen's non-use of /dev/random considered a bug? Will
ntpd and ntp-keygen ever support /dev/random? In the meantime doesn't
it defeat the WHOLE purpose of using encryption altogether to rely
upon a static .rnd file created from /dev/random? I mean it's using
the SAME entropy data each time it's opened unless for instance you
recreate .rnd before each new key is created or once every hour for a
running ntpd. What if a cron job recreates the .rnd file in the middle
of ntpd or ntp-keygen reading from it?

Just been wondering is all.
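The last question above (a cron job rewriting .rnd while ntpd or ntp-keygen is reading it) is a race that can be avoided by never writing the live file in place. The helper below is an added example, not code from the post or from the ntp project; it assumes only the seed-file semantics the post describes (a file of seed bytes read at start-up), and the function name refresh_seed_file is hypothetical.

```shell
#!/bin/sh
# refresh_seed_file: replace an OpenSSL-style seed file (e.g. /etc/ntp/.rnd)
# without ever exposing a half-written file to a concurrent reader.
# The new seed is written under a temporary name in the same directory and
# then renamed over the old file. rename(2) is atomic on POSIX filesystems,
# so a reader opening the path sees either the complete old seed or the
# complete new seed, never a truncated one.
#
# Usage: refresh_seed_file <path> [bytes] [source-device]
refresh_seed_file() {
    seed_file=$1
    seed_bytes=${2:-1024}
    seed_src=${3:-/dev/urandom}   # pass /dev/random to draw from the blocking pool
    seed_dir=$(dirname "$seed_file")

    # Temporary file in the same directory so the final rename stays on one
    # filesystem (a cross-filesystem mv would copy, which is not atomic).
    tmp=$(mktemp "$seed_dir/.rnd.XXXXXX") || return 1

    # Lock down permissions before any seed bytes land in the file.
    chmod 600 "$tmp" || { rm -f "$tmp"; return 1; }

    # Copy exactly seed_bytes bytes from the source device.
    if ! head -c "$seed_bytes" "$seed_src" > "$tmp"; then
        rm -f "$tmp"; return 1
    fi

    # A blocking device can deliver a short read; refuse to install a short seed.
    actual=$(wc -c < "$tmp" | tr -d ' ')
    if [ "$actual" -ne "$seed_bytes" ]; then
        rm -f "$tmp"; return 1
    fi

    # Atomic swap: the old seed is replaced in a single directory update.
    mv -f "$tmp" "$seed_file"
}

# When run directly with arguments, refresh the given file; sourcing the
# script just defines the function.
if [ -n "$1" ]; then
    refresh_seed_file "$@"
fi
```

Run it from cron as the same user that owns the seed file (ntp, in the post's setup) so the renamed file keeps a usable owner and mode 600.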
