Slashdot Mirror

← Back to Stories (view on slashdot.org)

FreeBSD-Current Random Number Generator Broken

Posted by samzenpus on from the protect-ya-neck dept.

First time accepted submitter bobo the hobo writesThe FreeBSD random number has been discovered to be generating possibly predictable SSH keys and SSL certificates for months. Time to regenerate your keys and certs if using FreeBSD-Current. A message to the freebsd-current mailing list reads in part: "If you are running a current kernel r273872 or later, please upgrade your kernel to r278907 or later immediately and regenerate keys. I discovered an issue where the new framework code was not calling randomdev_init_reader, which means that read_random(9) was not returning good random data. read_random(9) is used by arc4random(9) which is the primary method that arc4random(3) is seeded from."

5 of 105 comments (clear)

  1. Re:But FreeBSD is perfect! by Anonymous Coward · · Score: 4, Insightful

    since 1999 when I first started using OpenBSD for security-based boxes, I've never had an issue.

    That you know about.

  2. Non-news.... Bug is in CURRENT not STABLE by tomxor · · Score: 5, Insightful

    Bleeding edge software has bugs?? what

  3. RE:Random Number Generator Broken by Anonymous Coward · · Score: 2, Insightful

    All of these problems will be solved when systemd integrates Rand

  4. Re:But FreeBSD is perfect! by EmeraldBot · · Score: 2, Insightful

    FreeBSD is the new Linux. Full of religious fan boys who act like it was written by God. This old tired line of "Linux is immune to security issues" is now more commonly used with FreeBSD (by idiots).

    You know who started the original BSD? This guy did. He also created the original vi editor, was the creator of the modern day TCP/IP stack, and had a huge hand in the creation of Java. What, praytell, have you done?

    --
    "Set a man a fire, he'll be warm for the rest of the night. Set a man afire, he'll be warm for the rest of his life."
  5. Re:Alternate strategy... by fisted · · Score: 4, Insightful

    my home server [runs public facing sshd] on port 22. You may say this is completely insane.

    Gasp. How extremely uncommon.

    Just don't use keys for remote ssh logins.

    What? Why?

    But based on my experience [...] it appears they [...] may even be counter productive.

    And that is why exactly? None of your post explains that or seems to have anything to do with key-based login at all.

    As everyone knows, you can very easily disable root login in your sshd.conf file which leaves the person on the other end completely incapable of knowing whether or not they ever got your root password right as the response is the same.

    As happens when key-based logins are used. Your point being?

    --
    CLI paste? paste.pr0.tips!