[OpenWrt-Devel] Removing Telnet
Hannu Nyman
hannu.nyman at iki.fi
Wed Sep 9 04:44:22 EDT 2015

Steven Barth wrote at Wed Sep 9 08:10:18 CEST 2015:
> Lack of entropy doesn't seem to be too much of an issue here, in fact in
> failsafe mode we generate a 1024 bit RSA-key on demand which takes <2s on my
> old Buffalo here. Granted it's only 1024-bit but still. Now the regular keys
> are 2048-bit which takes about a minute which could be seen as problematic.

That time seems to vary by router. I tested yesterday with my ar71xx/WNDR3700
r46803:
removing the RSA-key before reboot (and thus forcing the dropbear init script
to generate a new key before launching the actual dropbear process) will
delay the launch of the dropbear process by some 15 seconds. That can be
easily seen from the system log by comparing the timestamps and the position
of dropbear startup message in the log. The 15 second delay was consistent on
several reboots with r46803.

Running the dropbear key generation manually from console takes only 2-3
seconds, but then the router is already fully up and has generated more entropy.

Interestingly, right now with r46832, the recent ip/ifconfig changes have
apparently caused some additional lag to the key generation in a normal boot,
as the dropbear startup delay with key generation is now 39 seconds. Below
are two log excerpts showing the impact.

* If RSA key exists, the dropbear startup is consistently at the same place
  right after mtdblock handling.
* If the key needs to be generated, dropbear starts 39 secs later. (log shows
  the sysfixtime clock jump for clarity)

I briefly tested the failsafe mode, and there dropbear ssh seems to be
reachable some 15-20 seconds after the failsafe mode has been selected (LED
blinks rapidly). That is consistent with yesterday's observations about
the key generation at startup.

Reboot, normal, RSA key exists
=====================================
Tue Sep 8 22:40:01 2015 kern.info kernel: [ 18.152072] ieee80211 phy1: Atheros AR9280 Rev:2 mem=0xb0010000, irq=41
Tue Sep 8 22:40:03 2015 user.emerg : this file has been obsoleted. please call "/sbin/block mount" directly
Tue Sep 8 22:40:04 2015 daemon.err block: mounting /dev/mtdblock4 (squashfs) as /mnt/mtdblock4 failed (-1) - No error information
Tue Sep 8 22:40:04 2015 daemon.err block: /dev/mtdblock5 is already mounted
Tue Sep 8 22:40:05 2015 authpriv.warn dropbear[1251]: Failed loading /etc/dropbear/dropbear_ecdsa_host_key
Tue Sep 8 22:40:05 2015 authpriv.info dropbear[1251]: Not backgrounding
Tue Sep 8 22:40:06 2015 daemon.err insmod: module is already loaded - xt_multiport
Tue Sep 8 22:40:06 2015 daemon.err insmod: module is already loaded - xt_comment
Tue Sep 8 22:40:06 2015 daemon.err insmod: module is already loaded - xt_length
Tue Sep 8 22:40:07 2015 daemon.err insmod: module is already loaded - xt_multiport
Tue Sep 8 22:40:07 2015 kern.debug kernel: [ 26.527131] ar71xx: pll_reg 0xb8050010: 0x11110000

Reboot, RSA key deleted before reboot
=====================================
Tue Sep 8 22:40:04 2015 daemon.err block: mounting /dev/mtdblock4 (squashfs) as /mnt/mtdblock4 failed (-1) - No error information
Tue Sep 8 22:40:04 2015 daemon.err block: /dev/mtdblock5 is already mounted
Tue Sep 8 22:40:06 2015 daemon.err insmod: module is already loaded - xt_multiport
Tue Sep 8 22:40:06 2015 daemon.err insmod: module is already loaded - xt_comment
Tue Sep 8 22:40:06 2015 daemon.err insmod: module is already loaded - xt_length
...
Tue Sep 8 22:40:36 2015 user.notice SQM: cur_target: auto cur_bandwidth: 10000
Wed Sep 9 10:57:12 2015 user.notice SQM: get_target defaulting to auto.
...
Wed Sep 9 10:57:21 2015 authpriv.warn dropbear[3625]: Failed loading /etc/dropbear/dropbear_ecdsa_host_key
Wed Sep 9 10:57:21 2015 authpriv.info dropbear[3625]: Not backgrounding
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
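
The timestamp comparison described in the message above, as an added example that is not part of the original post: it measures the time from the mtdblock line to the first dropbear line and counts the sysfixtime clock jump as zero elapsed time. The function names and the 5-minute jump threshold are assumptions of this example, and because the second excerpt is elided ("...") and timestamps have one-second resolution, the figure is approximate.

```python
import re
from datetime import datetime, timedelta

# Lines copied from the two excerpts in the message, wrapped lines rejoined.
KEY_EXISTS = """\
Tue Sep 8 22:40:04 2015 daemon.err block: /dev/mtdblock5 is already mounted
Tue Sep 8 22:40:05 2015 authpriv.warn dropbear[1251]: Failed loading /etc/dropbear/dropbear_ecdsa_host_key
Tue Sep 8 22:40:05 2015 authpriv.info dropbear[1251]: Not backgrounding
"""
KEY_DELETED = """\
Tue Sep 8 22:40:04 2015 daemon.err block: /dev/mtdblock5 is already mounted
Tue Sep 8 22:40:06 2015 daemon.err insmod: module is already loaded - xt_length
Tue Sep 8 22:40:36 2015 user.notice SQM: cur_target: auto cur_bandwidth: 10000
Wed Sep 9 10:57:12 2015 user.notice SQM: get_target defaulting to auto.
Wed Sep 9 10:57:21 2015 authpriv.warn dropbear[3625]: Failed loading /etc/dropbear/dropbear_ecdsa_host_key
"""

# "Tue Sep 8 22:40:05 2015 authpriv.warn dropbear[1251]: ..." -> time, priority, message
LINE = re.compile(r"^\w{3} (\w{3} +\d+ [\d:]{8} \d{4}) (\S+) (.*)$")

def parse(text):
    """Yield (timestamp, priority, message) per line; skip unparseable lines."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y")
            yield ts, m.group(2), m.group(3)

def startup_delay(text, ref="/dev/mtdblock5 is already mounted",
                  proc="dropbear[", max_step=timedelta(minutes=5)):
    """Seconds from the `ref` line to the first `proc` line, or None.

    A step between consecutive lines that is negative or larger than
    max_step (assumed threshold) is a clock correction, not boot time.
    """
    elapsed, prev, started = timedelta(0), None, False
    for ts, _prio, msg in parse(text):
        if started:
            step = ts - prev
            if timedelta(0) <= step <= max_step:
                elapsed += step
            if msg.startswith(proc):
                return elapsed.total_seconds()
        elif ref in msg:
            started = True
        prev = ts
    return None

if __name__ == "__main__":
    for name, log in (("key exists", KEY_EXISTS), ("key deleted", KEY_DELETED)):
        print(f"{name}: dropbear starts {startup_delay(log):.0f}s after mtdblock")
```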