[OpenWrt-Devel] Removing Telnet

Hannu Nyman hannu.nyman at iki.fi
Wed Sep 9 04:44:22 EDT 2015


Steven Barth wrote at Wed Sep 9 08:10:18 CEST 2015:
> Lack of entropy doesn't seem to be too much of an issue here, in fact in
> failsafe mode we generate a 1024 bit RSA-key on demand which takes <2s on my
> old Buffalo here. Granted it's only 1024-bit but still. Now the regular keys
> are 2048-bit which takes about a minute which could be seen as problematic.

That time seems to vary by router. I tested yesterday with my ar71xx/WNDR3700 
r46803:
removing the RSA-key before reboot (and thus forcing the dropbear init script 
to generate a new key before launching the actual dropbear process) will 
delay the launch of the dropbear process by some 15 seconds. That can be 
easily seen from the system log by comparing the timestamps and the position 
of dropbear startup message in the log. The 15 second delay was consistent on 
several reboots with r46803.

Running the dropbear key generation manually from console takes only 2-3 
seconds, but then the router is already fully up and has generated more entropy.


Interestingly, right now with r46832, the recent ip/ifconfig changes have 
apparently caused some additional lag to the key generation in a normal boot, 
as the dropbear startup delay with key generation is now 39 seconds. Below 
are two log excerpts showing the impact.
* If RSA key exists, the dropbear startup is consistently at the same place 
right after mtdblock handling.
* If the key needs to be generated, dropbear starts 39 secs later. (log shows 
the sysfixtime clock jump for clarity)

I briefly tested the failsafe mode, and there dropbear ssh seems to be 
reachable some 15-20 seconds after the failsafe mode has been selected (LED 
blinks rapidly). That is consistent with yesterday's observations about 
the key generation at startup.

Reboot, normal, RSA key exists
=====================================
Tue Sep  8 22:40:01 2015 kern.info kernel: [   18.152072] ieee80211 phy1: Atheros AR9280 Rev:2 mem=0xb0010000, irq=41
Tue Sep  8 22:40:03 2015 user.emerg : this file has been obsoleted. please call "/sbin/block mount" directly
Tue Sep  8 22:40:04 2015 daemon.err block: mounting /dev/mtdblock4 (squashfs) as /mnt/mtdblock4 failed (-1) - No error information
Tue Sep  8 22:40:04 2015 daemon.err block: /dev/mtdblock5 is already mounted
Tue Sep  8 22:40:05 2015 authpriv.warn dropbear[1251]: Failed loading /etc/dropbear/dropbear_ecdsa_host_key
Tue Sep  8 22:40:05 2015 authpriv.info dropbear[1251]: Not backgrounding
Tue Sep  8 22:40:06 2015 daemon.err insmod: module is already loaded - xt_multiport
Tue Sep  8 22:40:06 2015 daemon.err insmod: module is already loaded - xt_comment
Tue Sep  8 22:40:06 2015 daemon.err insmod: module is already loaded - xt_length
Tue Sep  8 22:40:07 2015 daemon.err insmod: module is already loaded - xt_multiport
Tue Sep  8 22:40:07 2015 kern.debug kernel: [   26.527131] ar71xx: pll_reg 0xb8050010: 0x11110000


Reboot, RSA key deleted before reboot
=====================================
Tue Sep  8 22:40:04 2015 daemon.err block: mounting /dev/mtdblock4 (squashfs) as /mnt/mtdblock4 failed (-1) - No error information
Tue Sep  8 22:40:04 2015 daemon.err block: /dev/mtdblock5 is already mounted
Tue Sep  8 22:40:06 2015 daemon.err insmod: module is already loaded - xt_multiport
Tue Sep  8 22:40:06 2015 daemon.err insmod: module is already loaded - xt_comment
Tue Sep  8 22:40:06 2015 daemon.err insmod: module is already loaded - xt_length
...
Tue Sep  8 22:40:36 2015 user.notice SQM: cur_target: auto cur_bandwidth: 10000
Wed Sep  9 10:57:12 2015 user.notice SQM: get_target defaulting to auto.
...
Wed Sep  9 10:57:21 2015 authpriv.warn dropbear[3625]: Failed loading /etc/dropbear/dropbear_ecdsa_host_key
Wed Sep  9 10:57:21 2015 authpriv.info dropbear[3625]: Not backgrounding
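
An added example, not part of the original message: a Python sketch of the timestamp comparison described above, measuring the time from the mtdblock5 line to dropbear's startup line while counting the sysfixtime clock jump as zero. The sample lines are copied from the two excerpts with the elided parts left out; the 300-second jump threshold and the function names are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: log lines copied from the two excerpts in the message,
# with the e-mail line wrapping undone and the "..." elisions left out.
WITH_KEY = """\
Tue Sep  8 22:40:04 2015 daemon.err block: /dev/mtdblock5 is already mounted
Tue Sep  8 22:40:05 2015 authpriv.info dropbear[1251]: Not backgrounding
"""
KEY_DELETED = """\
Tue Sep  8 22:40:04 2015 daemon.err block: /dev/mtdblock5 is already mounted
Tue Sep  8 22:40:06 2015 daemon.err insmod: module is already loaded - xt_length
Tue Sep  8 22:40:36 2015 user.notice SQM: cur_target: auto cur_bandwidth: 10000
Wed Sep  9 10:57:12 2015 user.notice SQM: get_target defaulting to auto.
Wed Sep  9 10:57:21 2015 authpriv.info dropbear[3625]: Not backgrounding
"""

STAMP = re.compile(r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) (.*)$")
MAX_STEP = 300  # assumption: a gap above 5 minutes is a clock step, not boot time


def parse(log):
    """Yield (datetime, message) for each line that starts with a logread timestamp."""
    for line in log.splitlines():
        m = STAMP.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y"), m.group(2)


def dropbear_delay(log, anchor="/dev/mtdblock5 is already mounted"):
    """Seconds from the anchor line to dropbear's 'Not backgrounding' line.

    Gaps between consecutive lines are summed; a gap that is negative or
    larger than MAX_STEP is treated as the sysfixtime clock jump and counted as 0.
    """
    elapsed, prev = None, None
    for ts, msg in parse(log):
        if elapsed is None:
            if anchor in msg:
                elapsed = 0
        else:
            gap = (ts - prev).total_seconds()
            elapsed += gap if 0 <= gap <= MAX_STEP else 0
            if "dropbear[" in msg and "Not backgrounding" in msg:
                return int(elapsed)
        prev = ts
    return None  # anchor or dropbear line missing
```

On these samples it gives 1 second with the key present and 41 seconds with it deleted, close to the 39-second delay reported in the message; the elided lines and the time spent inside the clock step are not visible in the excerpts.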