Ubuntu – How to get /dev/random to work on an Ubuntu virtual machine

kerberosrandom-number-generatorUbuntuvirtual-machines

Apparently, /dev/random is based on hardware interrupts or similar unpredictable aspects of physical hardware. Since virtual machines don't have physical hardware, running cat /dev/random within a virtual machine produces nothing. I'm using Ubuntu Server 11.04 as the host and guest, with libvirt/KVM.

I need to set-up Kerberos inside a VM, but krb5_newrealm just hangs forever "Loading random data", since the system isn't producing any.

Does anyone know how to work around this? Is is possible to pass the host's /dev/random (which is very chatty) into the vm so the vm can use it's random data?

I've read that there are some software alternatives, but they aren't good for cryptology since they aren't random enough.

EDIT: It appears that cat /dev/random on the vm does produce output, just very, very slowly. I got my realm set-up by waiting about two hours while it was "Loading random data". Eventually it got enough to continue. I'm still interested in a way to accelerate this though.

Best Answer

It should 'just work'. Even though the vm has no dedicated physical hardware, it still has access to several very good sources of randomness. For example, it can use the CPU's TSC to time its read from virtual disks, which will ultimately wind up timing physical disks to the billionth of a second. These timings depend on turbulent airflow shear in the hard drive, which is unpredictable.

Similar logic applies to network traffic. Even though the interface is virtualized, so long as the packet originates on a physical network (and isn't local to the box, say originating in another vm), the packet timing depends on the phase offset between the crystal oscillator on the network card and the crystal oscillator that drives the TSC. This is dependent on microscopic zone temperature variations in the two quartz crystals. This too is unpredictable.

If for some reason it's not working, the simplest solution is to write a program to mine entropy and add it to the system pool. The network interface is your most reliable source. For example, you can write code to:

1) Query the TSC.

2) Issue a DNS query to a server known not to be on the same physical machine.

3) Query the TSC when the query completes.

4) Repeat this a few times, accumulating all the TSC values.

5) Perform a secure hash on the accumulated TSC functions.

6) Pass the secure hash function's output to the system's entropy pool.

7) Monitor the entropy pool level, and wait until it's low. When it is, go back to step 1.

Linux has simple IOCTL calls to add entropy to the pool, check the pool's level, and so on. You probably have rngd, which can take entropy from a pipe and feed it to the system pool. You can fill the pipe from any source you want, whether it's the TSC or 'wget' requests from your own entropy source.

Related Solutions

Ubuntu – Install openssl-dev on Ubuntu server

If the likelihood that the dependencies for the version of a package that is in the release of Ubuntu (or other Debian derived arrangements) is the same as the deps for the version you are trying to build, you could run apt-get build-dep nginx or aptitude build-dep nginx - this will not install the nginx package but will instead install all those listed as dependencies (and their dependencies, as usual) which includes libssl-dev (the package that you are currently looking for).

In most cases this will allow the build of the other (presumably newer) version to be completed successfully, and it saves you installing each library and its header files one by one yourself. Even if there are new dependencies in the other version you are trying to build, build-dep <package> is a good place to start as it means that you only have to manually install the extra new dependencies.

As an example, the result on one of my servers is:

user@host:~$ sudo aptitude build-dep nginx
Reading package lists... Done
Building dependency tree
Reading state information... Done
Reading extended state information
Initialising package states... Done
The following NEW packages will be installed:
  autotools-dev cvs{a} debhelper gettext{a} html2text{a} intltool-debian{a}
  libcroco3{a} libmail-sendmail-perl{a} libpcre3-dev libpcrecpp0{a}
  libssl-dev libsys-hostname-long-perl{a} po-debconf{a} zlib1g-dev
0 packages upgraded, 14 newly installed, 0 to remove and 19 not upgraded.
Need to get 7,217kB of archives. After unpacking 22.9MB will be used.
Do you want to continue? [Y/n/?]

It is intending to install some libraries and headers, to enable an nginx build, but not nginx itself.

One thing to note is that if you are compiling your own copy because you want different build options rather than needing a different version for some reason, you may be better of compiling from the repository's source for the package rather than using the upstream sources directly. This SO question is the first useful page that came out of a quick search, though you are likely to find more detailed tutorials easily if you need that.

_{An other small thing to note: the packages installed as a result of apt-get build-dep will be marked as manually installed as if you have done this by hand as you are currently doing. That means you can't remove them all in one go (there is no apt-get unintall-dep or similar) - though that is no different from the situation you'll get from manual library/header installs anyway (I only mention the fact as some people expect there to be a one-step way to undo a build-dep operation, and there is not).}

Bash – How to read in N random characters from /dev/urandom

random="$(dd if=/dev/urandom bs=3 count=1)"

if specifies the input file, bs the block size (3 bytes), and count the number of blocks (1 * 3 = 3 total bytes)

Best Answer

Related Solutions

Ubuntu – Install openssl-dev on Ubuntu server

Bash – How to read in N random characters from /dev/urandom

Related Topic