Why does ntpkeygen pass a low entropy ignored seed into SystemRandom?

Gary E. Miller gem at rellim.com
Thu Jan 5 00:31:04 UTC 2017


Yo Greg!

On Wed, 04 Jan 2017 04:19:58 +0000
Greg Rubin <grrubin at gmail.com> wrote:

> I'll admit that I'm not a python expert by any means, but I'm pretty
> certain that the seed is ignored:
> http://svn.python.org/projects/python/tags/r30rc1/Lib/random.py

Now that I have caught up on other things, I have drilled into this
some more.  I now agree with you that the Python code in 2.x and 3.x
does in fact ignore the seed argument to random.SystemRandom(seed).

But the Python documentation does not say that seed is ignored.  It just
says that the method seed() is ignored.

I have filed a Python bug:
    http://bugs.python.org/issue29161

I continue to find the Python docs to be pitiful.  Silly me for believing
them in this case.

As for using /dev/urandom, I have added this to the ntpkeygen man
page:

    WARNING: +ntpkeygen+ uses the system randomness source.  On a POSIX
    system this is usually /dev/urandom.  Immediately after a reboot,
    on any OS, there may not be sufficient entropy available for this
    program to perform well.  Do not run this program from any startup
    scripts.  Only run this program on an active host with a lot of
    available entropy.

Comments on that text are welcome.

Now we just need to find a way to keep the intent of the existing
parameter that has no effect.  The intent of that code was to add some
extra entropy into whatever random.SystemRandom() returned.

RGDS                                                 Veritas liberabit vos
GARY                                                     Quid est veritas?
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
gem at rellim.com  Tel:+1 541 382 8588
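
The behaviour discussed in this message, as an added example that is not part of the original e-mail and not ntpsec's code: it checks that random.SystemRandom(seed) ignores its argument while random.Random(seed) honours it, and shows one way to fold caller-supplied bytes into OS randomness. The helper name mixed_key, the SHA-256 mixing step and the sample seed values are assumptions made for illustration.

```python
import hashlib
import os
import random


def seed_is_ignored(seed, nbits=128):
    """True if two SystemRandom objects built from the same seed diverge."""
    a = random.SystemRandom(seed).getrandbits(nbits)
    b = random.SystemRandom(seed).getrandbits(nbits)
    return a != b


def seed_is_honoured_by_prng(seed, nbits=128):
    """Contrast: the seeded random.Random generator repeats for a repeated seed."""
    a = random.Random(seed).getrandbits(nbits)
    b = random.Random(seed).getrandbits(nbits)
    return a == b


def mixed_key(extra, nbytes=16):
    """Hypothetical helper: hash OS randomness together with extra bytes.

    The output always depends on 32 fresh bytes from os.urandom(), so a
    low-entropy or publicly known `extra` cannot replace the OS source;
    it can only be added on top of it.
    """
    if not isinstance(extra, bytes):
        raise TypeError("extra must be bytes")
    if not 0 < nbytes <= hashlib.sha256().digest_size:
        raise ValueError("nbytes must be between 1 and 32")
    pool = os.urandom(32)
    h = hashlib.sha256()
    # Length-prefix the pool so the two inputs cannot run into each other.
    h.update(len(pool).to_bytes(2, "big"))
    h.update(pool)
    h.update(extra)
    return h.digest()[:nbytes]


if __name__ == "__main__":
    seed = 12345  # constructed sample seed
    print("SystemRandom ignores seed:", seed_is_ignored(seed))
    print("random.Random honours seed:", seed_is_honoured_by_prng(seed))
    print("mixed key:", mixed_key(b"constructed extra input").hex())
```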