OpenSSH and host keys
Kelledin
kelledin+BLFS at skarpsey.dyndns.org
Tue Feb 24 17:33:14 MST 2004
I just looked at the BLFS book and noticed that OpenSSH (Chapter
22) leaves out commands to generate hostkeys!
I'd just contribute a patch of some kind to do it, except for a
detail we need to consider on this point: when's the best time
to generate host keys?
Technically, the best time to generate keys is when the entropy
on /dev/*random is highest. Entropy typically goes up the
longer the system runs. So, it makes sense to put the keygen
commands in the init script, such that keys don't get generated
until right before they're needed--i.e. have the script check
for the keys and generate them if needed.
The hitch with this is, it creates a tendency for the service to
be started only on reboot. And if the entropy of /dev/*random
isn't maintained across reboots, then that means the init script
will likely start (and generate keys) at a time when entropy is
close to its all-time low. Muy malo, muy malo.
So...what does it take to have lfs-bootscripts save entropy
across reboots? I vaguely remember Slackware doing this, but I
never bothered to find out how it went about that, or how well
its technique worked. I imagine it's probably something simple,
like saving some-odd bytes of /dev/random before shutting down
and then writing them back to /dev/random on the next boot.
Then we have to ask: what's the optimal size for a stored
entropy seed?
(Oh, and BLFS Chapter 18 refers to Chapter 23 for OpenSSH, when
it really should refer to Chapter 22.)
--
Kelledin
"If a server crashes in a server farm and no one pings it, does
it still cost four figures to fix?"
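
The scheme the post describes (carry a seed across reboots, then create host keys only if they are missing), as an added example that is not part of the original message, BLFS or lfs-bootscripts. The seed path, the 512-byte seed size, the key types and all function names are assumptions.

```shell
#!/bin/sh
# Added example; every path and default below is an assumption, not a BLFS value.
SEED_FILE=${SEED_FILE:-/var/tmp/random-seed}
SEED_BYTES=${SEED_BYTES:-512}          # assumed size (a 4096-bit pool is 512 bytes)
RANDOM_DEV=${RANDOM_DEV:-/dev/urandom}
KEY_DIR=${KEY_DIR:-/etc/ssh}
KEY_TYPES=${KEY_TYPES:-"rsa ed25519"}  # assumed set for a current OpenSSH
KEYGEN=${KEYGEN:-ssh-keygen}

# Shutdown: store fresh pool output in a file only its owner can read.
# Written to a temporary name first so a crash never leaves a short seed.
save_seed() {
    ( umask 077
      dd if="$RANDOM_DEV" of="$SEED_FILE.new" bs="$SEED_BYTES" count=1 2>/dev/null &&
      mv -f "$SEED_FILE.new" "$SEED_FILE" )
}

# Boot: mix the saved seed into the pool, then replace it at once so the
# same seed is never fed in twice (e.g. after an unclean shutdown).
restore_seed() {
    [ -s "$SEED_FILE" ] || return 1
    cat "$SEED_FILE" > "$RANDOM_DEV" || return 1
    save_seed
}

# Service start: restore the seed first, then generate only missing keys.
ensure_host_keys() {
    restore_seed || echo "warning: no saved seed was loaded" >&2
    for t in $KEY_TYPES; do
        key="$KEY_DIR/ssh_host_${t}_key"
        [ -s "$key" ] && continue      # never overwrite an existing host key
        "$KEYGEN" -q -t "$t" -N '' -f "$key" || return 1
    done
}

case "${1:-}" in
    start) ensure_host_keys ;;
    stop)  save_seed ;;
esac
```

Writing to /dev/urandom mixes the data into the pool but does not raise the kernel's entropy count, so the seed file has to be kept as private as the host keys themselves.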