Bug 2207488
| Summary: | clevis luks bind failed with "Password generation failed - required entropy too low for settings" | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Ding-Yi Chen <dchen> |
| Component: | clevis | Assignee: | Sergio Arroutbi <sarroutb> |
| Status: | CLOSED ERRATA | QA Contact: | Martin Zelený <mzeleny> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 9.1 | CC: | dapospis, michael.goddard, mzeleny, sarroutb |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | --- | Flags: | sarroutb: needinfo-, pm-rhel: mirror+ |
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | clevis-18-112.el9 | Doc Type: | No Doc Update |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2023-11-07 08:29:26 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Ding-Yi Chen
2023-05-16 06:09:42 UTC
Upstream [1] does have similar discussion, yet it was talking about warning "Value 512 is outside of the allowed entropy range, adjusting it.", which is just a harmless warning from pwmake. However, the issue does not discuss in depth about "Password generation failed - required entropy too low for settings"

1. https://github.com/latchset/clevis/issues/321

Hello @dchen.

I could reproduce the issue on RHEL9.1. However, it seems it is fixed in RHEL9.2, possibly because of this fix:
https://bugzilla.redhat.com/show_bug.cgi?id=2159735

Could you please verify it in RHEL9.2?

Besides this, take into account pwmake takes its entropy from /dev/urandom file, so proposed fix with /dev/urandom is not a correct alternative way IMHO.

(In reply to Sergio Arroutbi from comment #2)
> Hello @dchen.
>
> I could reproduce the issue on RHEL9.1. However, it seems it is fixed in
> RHEL9.2, possibly because of this fix:
> https://bugzilla.redhat.com/show_bug.cgi?id=2159735
>
> Could you please verify it in RHEL9.2?

That fix just caps the bit to 256. It does make the following warning go away.
"Value 512 is outside of the allowed entropy range, adjusting it."

Still, if `pwmake 256` failed, clevis luks bind failed as well.

I can still reproduce the bug with RHEL 9.2.
In order to properly reproduce the issue, use the following /etc/security/pwquality.conf
~~~
minlen = 15
ucredit = -1
dcredit = -1
maxclassrepeat = 4
minclass = 4
maxrepeat = 3
lcredit = -1
difok = 8
dictcheck = 1
ocredit = -1
~~~
And run the following loop:
~~~
for((i=0;i<30;i++));do pwmake 256; done
~~~
My RHEL 9.2 shows
~~~
Error: Password generation failed - required entropy too low for settings
Error: Password generation failed - required entropy too low for settings
Error: Password generation failed - required entropy too low for settings
Error: Password generation failed - required entropy too low for settings
8imQes4Get4xCYxalZOmt
Error: Password generation failed - required entropy too low for settings
+iwLaGGoq[Us2Icv@g3g!yc&Iv0x@B,UGreN73H5@L)YL@S3k-aw;
Error: Password generation failed - required entropy too low for settings
Error: Password generation failed - required entropy too low for settings
Error: Password generation failed - required entropy too low for settings
)3LTobV@r^aRQ4zar4zOK0jk4n!USoc.yh#ONiL&up%Iz7yM@zYzH
Error: Password generation failed - required entropy too low for settings
yK3t4LYbIzahOfOg5oq*UfozJyJ6UbeLj4MiGIr1@J3GmEG%3G)uw;
Error: Password generation failed - required entropy too low for settings
UHbUh[Urb4sIj;ulKuS3R@GD0skUttAR83KYxErMucHUn]UxxEn90
Error: Password generation failed - required entropy too low for settings
t4maNAk=Otem^0N$AN6@r8UkaR*efUdyLsiq,OzYgVoB3P-@bpONv
Error: Password generation failed - required entropy too low for settings
Error: Password generation failed - required entropy too low for settings
Error: Password generation failed - required entropy too low for settings
Error: Password generation failed - required entropy too low for settings
Error: Password generation failed - required entropy too low for settings
Error: Password generation failed - required entropy too low for settings
VISreBPAl=UhIp0jEcih5yzUgYzdOtyD;YSq0zPixaGuBLAkq4pvOv
Error: Password generation failed - required entropy too low for settings
Error: Password generation failed - required entropy too low for settings
Error: Password generation failed - required entropy too low for settings
Error: Password generation failed - required entropy too low for settings
Error: Password generation failed - required entropy too low for settings
LupBOgdYSxyPyJ4p4N-axOfp3zaK4g;4f3lr0mDil0GoKew(0GoM^E
~~~
Less than half success.

> Besides this, take into account pwmake takes its entropy from /dev/urandom
> file, so proposed fix with /dev/urandom is not a correct alternative way
> IMHO.

I am fully aware that both my workaround and pwmake use /dev/urandom. That implies I am totally not against the usage of /dev/urandom.

It is fully reasonable that you want to hang on pwmake.

So how about: replace
~~~
pwmake "${bits}"
~~~
with
~~~
for((i=0;i<50;i++));do if pwmake "${bits}" 2>/dev/null; then break; fi; done
~~~
This loop attempts to generate a password using the 'pwmake' command. It iterates 50 times or until a password is successfully generated via pwmake.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (clevis bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6386
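The retry loop proposed in the thread prints nothing and still returns success when every attempt fails. The following is an added example (not clevis code and not the shipped fix) of the same bounded retry that fails closed; `generate_key_retry` and the `flaky_gen` stand-in for pwmake are hypothetical names.

```bash
#!/bin/bash
# Added example, not clevis code: bounded retry that fails closed.

# generate_key_retry MAX CMD [ARGS...]
# Prints the first non-empty output of CMD; returns 1 if all MAX attempts fail,
# so the caller never continues with an empty passphrase.
generate_key_retry() {
    max=$1; shift
    attempt=1
    while [ "$attempt" -le "$max" ]; do
        # Capture the output so nothing reaches the caller on a failed attempt.
        if key=$("$@" 2>/dev/null) && [ -n "$key" ]; then
            printf '%s\n' "$key"
            return 0
        fi
        attempt=$((attempt + 1))
    done
    echo "key generation failed after $max attempts" >&2
    return 1
}

# Constructed stand-in for pwmake (hypothetical): fails for the first
# FAIL_FIRST calls, counted in COUNTER_FILE, then prints a fixed sample value.
flaky_gen() {
    n=$(( $(cat "$COUNTER_FILE") + 1 ))
    echo "$n" > "$COUNTER_FILE"
    if [ "$n" -le "$FAIL_FIRST" ]; then
        echo "Error: Password generation failed - required entropy too low for settings" >&2
        return 1
    fi
    printf 'constructed-sample-key\n'
}

# Demo: three failures, then success on the fourth attempt.
COUNTER_FILE=$(mktemp); echo 0 > "$COUNTER_FILE"; FAIL_FIRST=3
generate_key_retry 50 flaky_gen
# Demo: every attempt fails, so the wrapper returns non-zero.
FAIL_FIRST=100
generate_key_retry 5 flaky_gen || echo "no key produced; abort the bind"
rm -f "$COUNTER_FILE"

# With the real tool (assumes pwmake is installed):
#   key=$(generate_key_retry 50 pwmake 256) || exit 1
```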