1
0
mirror of https://github.com/mail-in-a-box/mailinabox.git synced 2024-11-26 02:57:04 +00:00

Use /dev/random instead of /dev/urandom

/dev/random should be used for crypto-grade RNG.

To make sure use of /dev/random doesn't stall due to lack of entropy, install haveged which fills the entropy pool with sources such as network traffic, key strokes, etc.

On branch master
Your branch is up-to-date with 'origin/master'.

Changes to be committed:
	modified:   setup/dns.sh
	modified:   setup/system.sh
	modified:   setup/webmail.sh
This commit is contained in:
solt 2014-07-20 23:14:13 +02:00
parent 8042ab66ac
commit 69f0e1d07a
3 changed files with 4 additions and 4 deletions

View File

@ -41,13 +41,13 @@ if [ ! -f "$STORAGE_ROOT/dns/dnssec/keys.conf" ]; then
# instead of /dev/random for noise or else we'll be waiting # instead of /dev/random for noise or else we'll be waiting
# a very long time. The domain name we provide ("_domain_") # a very long time. The domain name we provide ("_domain_")
# doesn't matter -- we'll use the same keys for all our domains. # doesn't matter -- we'll use the same keys for all our domains.
KSK=$(umask 077; cd $STORAGE_ROOT/dns/dnssec; ldns-keygen -a RSASHA1-NSEC3-SHA1 -b 2048 -k -r /dev/urandom _domain_); KSK=$(umask 077; cd $STORAGE_ROOT/dns/dnssec; ldns-keygen -a RSASHA1-NSEC3-SHA1 -b 2048 -k -r /dev/random _domain_);
# Now create a Zone-Signing Key (ZSK) which is expected to be # Now create a Zone-Signing Key (ZSK) which is expected to be
# rotated more often than a KSK, although we have no plans to # rotated more often than a KSK, although we have no plans to
# rotate it (and doing so would be difficult to do without # rotate it (and doing so would be difficult to do without
# disturbing DNS availability.) Omit '-k' and use a shorter key. # disturbing DNS availability.) Omit '-k' and use a shorter key.
ZSK=$(umask 077; cd $STORAGE_ROOT/dns/dnssec; ldns-keygen -a RSASHA1-NSEC3-SHA1 -b 1024 -r /dev/urandom _domain_); ZSK=$(umask 077; cd $STORAGE_ROOT/dns/dnssec; ldns-keygen -a RSASHA1-NSEC3-SHA1 -b 1024 -r /dev/random _domain_);
# These generate two sets of files like: # These generate two sets of files like:
# K_domain_.+007+08882.ds <- DS record for adding to NSD configuration files # K_domain_.+007+08882.ds <- DS record for adding to NSD configuration files

View File

@ -8,7 +8,7 @@ hide_output apt-get -y upgrade
# Install basic utilities. # Install basic utilities.
apt_install python3 python3-pip wget curl bind9-host apt_install python3 python3-pip wget curl bind9-host haveged
# Turn on basic services: # Turn on basic services:
# #

View File

@ -36,7 +36,7 @@ if [ ! -d /usr/local/lib/roundcubemail ]; then
fi fi
# Generate a safe 24-character secret key of safe characters. # Generate a safe 24-character secret key of safe characters.
SECRET_KEY=$(dd if=/dev/urandom bs=20 count=1 2>/dev/null | base64 | fold -w 24 | head -n 1) SECRET_KEY=$(dd if=/dev/random bs=20 count=1 2>/dev/null | base64 | fold -w 24 | head -n 1)
# Create a configuration file. # Create a configuration file.
# #