You are viewing a plain text version of this content. The canonical link for it is here.

Posted to notifications@couchdb.apache.org by GitBox <gi...@apache.org> on 2022/06/11 20:15:29 UTC

[GitHub] [couchdb-pkg] Inperpetuammemoriam opened a new pull request, #98: Fix generation of random cookie value

Inperpetuammemoriam opened a new pull request, #98:
URL: https://github.com/apache/couchdb-pkg/pull/98

   ## Overview
   
   This pull request addresses the problem where the installation via the provided RPM package would not terminate on some systems. This is due to the choice of using `/dev/random` as the source for the generation of the random cookie value.
   
   ## Testing recommendations
   
   This can be tested by installing the RPM package without providing the `COUCHDB_COOKIE` environment variable.
   
   ## Checklist
   
   - [X] Code is written and works correctly;
   - [ ] Changes are covered by tests;
   - [ ] Documentation reflects the changes;
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@couchdb.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [couchdb-pkg] nickva commented on pull request #98: Fix generation of random cookie value

Posted by GitBox <gi...@apache.org>.

nickva commented on PR #98:
URL: https://github.com/apache/couchdb-pkg/pull/98#issuecomment-1153216773

   @lostnet what do you think? I recall we specifically went with `/dev/random` to have the installation block if there is not enough entropy. https://github.com/apache/couchdb-pkg/pull/95


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@couchdb.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [couchdb-pkg] lostnet commented on pull request #98: Fix generation of random cookie value

Posted by GitBox <gi...@apache.org>.

lostnet commented on PR #98:
URL: https://github.com/apache/couchdb-pkg/pull/98#issuecomment-1274356556

   More context might help but if they are really hanging for lack of entropy
   that's exactly what I thought should happen to make sure we meet the plan
   on a password with enough entropy or from the user.
   
   On Sun, Jun 12, 2022, 18:03 Nick Vatamaniuc ***@***.***>
   wrote:
   
   > @lostnet <https://github.com/lostnet> what do you think? I recall we
   > specifically went with /dev/random to have the installation block if
   > there is not enough entropy. #95
   > <https://github.com/apache/couchdb-pkg/pull/95>
   >
   > —
   > Reply to this email directly, view it on GitHub
   > <https://github.com/apache/couchdb-pkg/pull/98#issuecomment-1153216773>,
   > or unsubscribe
   > <https://github.com/notifications/unsubscribe-auth/AAK3LPLAWVRYJMQZLEU6563VOYCR7ANCNFSM5YQSMOTA>
   > .
   > You are receiving this because you were mentioned.Message ID:
   > ***@***.***>
   >
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@couchdb.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [couchdb-pkg] lostnet commented on pull request #98: Fix generation of random cookie value

Posted by GitBox <gi...@apache.org>.

lostnet commented on PR #98:
URL: https://github.com/apache/couchdb-pkg/pull/98#issuecomment-1154263128

   > Wonder if there is any buffering when input is piped into head so we could disable it and read only as many as needed (say if read 256 bytes at a time...).
   
   Looking at an strace of `head -c /dev/random` it is reading 4k at a time so that could have been raising the amount of bytes read to feed it considerably. It looks like dd does do a byte at a time (hopefully dd is always available on these distributions?):
   `dd if=/dev/random bs=1 count=38 status=none | base64 | tr -cd [:alnum:]  ; echo`


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@couchdb.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [couchdb-pkg] Inperpetuammemoriam closed pull request #98: Fix generation of random cookie value

Posted by GitBox <gi...@apache.org>.

Inperpetuammemoriam closed pull request #98: Fix generation of random cookie value
URL: https://github.com/apache/couchdb-pkg/pull/98


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@couchdb.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [couchdb-pkg] nickva commented on pull request #98: Fix generation of random cookie value

Posted by GitBox <gi...@apache.org>.

nickva commented on PR #98:
URL: https://github.com/apache/couchdb-pkg/pull/98#issuecomment-1154338849

   @lostnet https://github.com/apache/couchdb-pkg/pull/99


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@couchdb.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [couchdb-pkg] nickva commented on pull request #98: Fix generation of random cookie value

Posted by GitBox <gi...@apache.org>.

nickva commented on PR #98:
URL: https://github.com/apache/couchdb-pkg/pull/98#issuecomment-1154279508

   @lostnet good find! I checked in docker on centos:7 and 8 and it seems to work in both cases.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@couchdb.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [couchdb-pkg] Inperpetuammemoriam commented on pull request #98: Fix generation of random cookie value

Posted by GitBox <gi...@apache.org>.

Inperpetuammemoriam commented on PR #98:
URL: https://github.com/apache/couchdb-pkg/pull/98#issuecomment-1153921567

   The VM is far from brand new. The initial value for `entropy_avail` was as high as 3874 when starting the installation. After more than six hours it still hasn't finished, eventhough more than 250000 bits of entropy have been gathered.
   
   A more efficient usage of the available entropy is certainly a good idea as the entropy is a limited resource that is also needed by other system components. However, I do not expect that to really solve the problem as that would only reduce the installation time to roughly one fourth of the time.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@couchdb.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [couchdb-pkg] lostnet commented on pull request #98: Fix generation of random cookie value

Posted by GitBox <gi...@apache.org>.

lostnet commented on PR #98:
URL: https://github.com/apache/couchdb-pkg/pull/98#issuecomment-1153742212

   I don't really see any technical disagreement I have with that analysis. The opinions in it seem to mostly relate to situations where people  misunderstand urandom's weakness as applying to more than low entropy situations. It seems to me like you are installing a brand new VM in a very isolated environment. I think that is the primary situation where random's attempt to estimate lack of entropy is necessary.
   
   I think the method used on random could require a bit less entropy by converting to a valid cookie instead of filtering to a valid cookie?


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@couchdb.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [couchdb-pkg] Inperpetuammemoriam commented on pull request #98: Fix generation of random cookie value

Posted by GitBox <gi...@apache.org>.

Inperpetuammemoriam commented on PR #98:
URL: https://github.com/apache/couchdb-pkg/pull/98#issuecomment-1154359570

   The problem has been fixed in #99.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@couchdb.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [couchdb-pkg] Inperpetuammemoriam commented on pull request #98: Fix generation of random cookie value

Posted by GitBox <gi...@apache.org>.

Inperpetuammemoriam commented on PR #98:
URL: https://github.com/apache/couchdb-pkg/pull/98#issuecomment-1153566571

   I have started a new installation attempt on a VM a few minutes ago and I am monitoring the amount of entropy by regularily dumping `/proc/sys/kernel/random/entropy_avail`. I will let you know the outcome of it.
   
   From what I know `/dev/urandom` should be sufficient in most but a few corner cases. (e.g. after the system's first boot) I recommend reading [this](https://www.2uo.de/myths-about-urandom/) analysis.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@couchdb.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [couchdb-pkg] lostnet commented on pull request #98: Fix generation of random cookie value

Posted by GitBox <gi...@apache.org>.

lostnet commented on PR #98:
URL: https://github.com/apache/couchdb-pkg/pull/98#issuecomment-1153271713

   More context might help but if they are really hanging for lack of entropy that's exactly what I thought should happen to make sure we meet the plan on a password with enough entropy or from the user.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@couchdb.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [couchdb-pkg] nickva commented on pull request #98: Fix generation of random cookie value

Posted by GitBox <gi...@apache.org>.

nickva commented on PR #98:
URL: https://github.com/apache/couchdb-pkg/pull/98#issuecomment-1154231149

   That makes sense, @lostnet, agree with `/dev/random` we wanted to ensure the key has enough entropy in it.
   
   Good idea to use the entropy a bits more efficiently by not filtering.  Run it through base64 first then just strip the + and / to stay alphanumeric (effectively turn it into base62). May be add a few extra characters to compensate for any lost + and / characters. We don't actually care about decoding the base64 output, just that it's random enough and long enough.
   
   ```
   # head -c 38 /dev/random | base64 | tr -cd [:alnum:]  ; echo
   FFkQ9fscOJPl6UaQusKfB1QKoypQQ4vQRM3rtP4IRxrq9U
   ```
   
   Wonder if there is any buffering when input is piped into `head` so we could disable it and read only as many as needed (say if read 256 bytes at a time...).


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@couchdb.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [couchdb-pkg] rnewson commented on pull request #98: Fix generation of random cookie value

Posted by GitBox <gi...@apache.org>.

rnewson commented on PR #98:
URL: https://github.com/apache/couchdb-pkg/pull/98#issuecomment-1168335585

   should be /dev/urandom anyway (https://www.2uo.de/myths-about-urandom/).


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@couchdb.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org