[SOLVED] Insufficient Randomness

loemre · 2023-02-14 08:13:04

I have some experience with Linux systems and finally switched to Arch Linux. The setup went fine and everything seemed to work well until yesterday morning. Since then, I encounter two problems that could have the same source, here I will briefly describe them:

When trying to install from pacman or clone repositories from github (or other sources) using ssl I will get the following message on my arch setup:

fatal: unable to access 'https://github.com/random/repository/to/clone.git': Insufficient randomness

When trying to generate a key pair using ssh-keygen I receive the following error:

PRNG is not seeded

So my guess was, that this has something to do with random generators of the system and researched a lot there.

I did already recreate both

mknod /dev/random c 1 8

and

mknod /dev/urandom c 1 9

using mknod.

I installed the following packages:

* rng-tools 6.16.1 (like explained in this article, but not sure, maybe I did something wrong)
* jitterentropy 3.4.1
* rtl-sdr 10.8.0

I installed Arch Linux last Friday and everything seemed to work fine and I could clone and install packages with git or pacman. For http resources (local home server not reachable from outside it is still working for git repositories. Due to the problems with the ssl connection I cannot not directly use pacman to install new packages or update the installed versions now anymore, but I is possible to download them from a mirror and install them by using pacman -U.

The entropy available seems to be stable at 256, which older pages tell me is way too low, but with the newer kernel versions this should be fine, how I understand. I use a laptop from DELL, if the specs are relevant I can provide them. For all I read, there are a lot of old solutions, but I found no matching problem and not quite relevant for more modern kernels (like using haveged, could be, but should not be necessary how I understood it). Before posting I did not find anything similiar related to arch..

Where I am unsure is this article from the arch wiki:
Should I change the OpenSSL/curl configuration?

To use root privileged to create keys or clone a git does not change a thing.

I hope anyone has an idea that will help me and I will provide any further information that could be helpful for solving the problem. I posted to Newbie Corner, because I am really a newbie to Arch and mostly used the cozy Linux distros, where I could but had not to do too much configuration myself.

Last edited by loemre (2023-02-15 09:07:16)

seth · 2023-02-14 15:46:31

Modern™ CPUs should provide enough™ entropy by default and as

the rng article wrote:

Note: rng-tools is not needed anymore since Kernel 5.6 because /dev/random does not block anymore.

Please reboot, don't mess around w/ the u/random device nodes and post your complete system journal for the boot:

sudo journalctl -b | curl -F 'file=@-' 0x0.st

and also the output of

pacman -Qikk openssh

frostschutz · 2023-02-14 16:42:06

openssl has a function RAND_status() which seems to be failing for you for some reason. The messages you quote occur after such failure.

Does `openssl rand -hex 16` work for you? Did you make any openssl specific configurations (e.g. in /etc/ssl/...?)

By default openssl uses getrandom() syscall so the presence of /dev/random device nodes is unrelated. If the kernels random generator actually failed you should see no end of problems all over the place. Too many things use it. It would not be limited to a single action. Still does not hurt to check dmesg / syslog for related messages.

Last edited by frostschutz (2023-02-14 16:48:21)

loemre · 2023-02-15 08:11:58

Thank you both, for your replies! I figured it could have something to do with openssl or maybe openssh, but I am not sure what to do about it. I will now answer your questions.

Modern™ CPUs should provide enough™ entropy by default and as
the rng article wrote:

Note: rng-tools is not needed anymore since Kernel 5.6 because /dev/random does not block anymore.

Well, dumb as I obviously am, I read this message on the haveged page, but missed it on rng-tools. I uninstalled it, as I should not need it.

Now the output you asked for:

$ sudo journalctl -b | curl -F 'file=@-' 0x0.st
[sudo] password for loemre: 
curl: (27) Insufficient randomness

This was directly after a reboot.

$ pacman -Qikk openssh
Name            : openssh
Version         : 9.2p1-1
Description     : SSH protocol implementation for remote login, command
                  execution and file transfer
Architecture    : x86_64
URL             : https://www.openssh.com/portable.html
Licenses        : custom:BSD
Groups          : None
Provides        : None
Depends On      : glibc  krb5  libkrb5.so=3-64  libgssapi_krb5.so=2-64  ldns
                  libedit  libxcrypt  libcrypt.so=2-64  openssl  pam
                  libpam.so=0-64  zlib
Optional Deps   : libfido2: FIDO/U2F support
                  x11-ssh-askpass: input passphrase in X
                  xorg-xauth: X11 forwarding
Required By     : gcr  gcr-4  gnome-keyring
Optional For    : gnome-control-center  openmpi
Conflicts With  : None
Replaces        : None
Installed Size  : 4.81 MiB
Packager        : Levente Polyak <anthraxx@archlinux.org>
Build Date      : Thu 02 Feb 2023 06:35:47 PM CET
Install Date    : Fri 10 Feb 2023 08:18:57 PM CET
Install Reason  : Installed as a dependency for another package
Install Script  : No
Validated By    : Signature

warning: openssh: /usr/lib/ssh/ssh-keysign (failed to calculate MD5 checksum)
warning: openssh: /usr/lib/ssh/ssh-keysign (failed to calculate SHA256 checksum)
openssh: 58 total files, 1 altered file

Now to the questions asked by you, frostschutz:

Does `openssl rand -hex 16` work for you?

No, it gives me the following output:

$ openssl rand -hex 16
40D744CAC87F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:373:Global default library context, Algorithm (CTR-DRBG : 0), Properties (<null>)
40D744CAC87F0000:error:12000090:random number generator:rand_new_drbg:unable to fetch drbg:crypto/rand/rand_lib.c:571:

There was not much to find by googling this error message though. What I found out on the other hand: I have two versions of openssl installed.

openssl 3.0.8-1
openssl-1.1 1.1.1.t-1

So then I tried to create a random with the openssl-1.1 package and it did actually work:

$ openssl-1.1 rand -hex 16
46b8e1426a260fc29a5db8b4fee27c84

So it seems to be a problem with openssl.. (or maybe having two versions side by side. Uninstalling openssl-1.1 did not solve the problem on the other hand.. I did install it manually, as openvpn (2.4.9.. I am waiting for a new certificate working with up to date vpn versions...) needed it, but the problem with insufficient randomness was present before that already).

Did you make any openssl specific configurations (e.g. in /etc/ssl/...?)

Other than installing a second opensll version after it already broke, I did not alter the configuration for ssl knowingly. I had some problems with my vpn (which could be fixed by downgradig to 2.4.9), maybe I did alter something there? I downgraded openssl one version and reinstalled the up-to-date version manually, this did also not seem to help..

If you need anything else from me, please let me know, I will provide it if possible. I will research in the openssl direction myself as well and post an update, if anything here was helpful. Thank you again for the great tips you already provided.

frostschutz · 2023-02-15 08:51:58

Sorry, I'm blindly guessing at this point as well.

What do you get for `openssl engine -vv -tt`, `ls -l /usr/lib/engines-3`?

Just to rule out any mischief under /etc/ssl, you could try renaming /etc/ssl to /etc/ssl.disable, run openssl rand again, and rename it back.

You could also run openssl rand with strace and see if it's doing anything weird.

Last edited by frostschutz (2023-02-15 08:54:31)

loemre · 2023-02-15 09:06:54

I am so sorry.. As always it is some kind of layer 8 error...

Did you make any openssl specific configurations (e.g. in /etc/ssl/...?)

After some thinking and research I remebered, that I did in fact alter the ssl config while trying to configure the out of date vpn.. I enabled the legacy support for openssl and after deleting those lines from the ssl config everything worked again. So yeah, user error and I should always remeber to take back changes, that did not help.. Or just be more structured with all changes I do to my system.

Thank you both again for your time and the helpful tips. Have a nice day!

midian · 2023-09-11 12:18:29

seth wrote:

Modern™ CPUs should provide enough™ entropy by default . . . don't mess around w/ the u/random device nodes

Sorry, does this mean installing entropy daemons like haveged (or jitterentropy) is not recommended anymore? The archwiki page for haveged is outdated and now that /proc/sys/kernel/random/poolsize is constantly at 256 I'm not sure what to do. Thanks in advance.

seth · 2023-09-11 12:24:57

zgrep CONFIG_RANDOM_TRUST_CPU /proc/config.gz 
grep rdrnd /proc/cpuinfo

https://wiki.archlinux.org/title/Haveged
https://wiki.archlinux.org/title/Rng-tools
See the comments abotu 5.6 - "not required anymore"

idk. whether it was ever recommended

Arch Linux

#1 2023-02-14 08:13:04

[SOLVED] Insufficient Randomness

#2 2023-02-14 15:46:31

Re: [SOLVED] Insufficient Randomness

#3 2023-02-14 16:42:06

Re: [SOLVED] Insufficient Randomness

#4 2023-02-15 08:11:58

Re: [SOLVED] Insufficient Randomness

#5 2023-02-15 08:51:58

Re: [SOLVED] Insufficient Randomness

#6 2023-02-15 09:06:54

Re: [SOLVED] Insufficient Randomness

#7 2023-09-11 12:18:29

Re: [SOLVED] Insufficient Randomness

#8 2023-09-11 12:24:57

Re: [SOLVED] Insufficient Randomness

Board footer