Symptoms or Error
A desktop session started from some Linux systems might be delayed or fail unless you move the mouse around or press keys several times.
Users may see error messages such as "Couldn't read from random dev, and no entropy store, aborting".
Background
On some endpoint devices with Citrix Receiver for Linux installed, if you click the desktop icon but do not move the mouse or press any keys afterwards, you might see a transient window showing the ICA file being downloaded, but the desktop does not start right away. In some cases it starts after 1-2 minutes; in other cases it fails to start at all. However, if you move the mouse around or press keys several times, the desktop might start instantly.
Entropy is the randomness collected by an operating system or application for use in cryptography or other uses that require random data. This randomness is often collected from hardware sources, either pre-existing ones such as mouse movements or specially provided randomness generators. In some Linux systems, the available entropy might not be enough. Establishing an encrypted HDX/ICA session consumes some entropy. If there is not enough entropy, the system needs some mouse movements or keystrokes to generate enough random numbers to refill the entropy pool.
Over the years, Linux systems have become more stringent about generating truly random data rather than falling back to pseudo-random number generation. The entropy/random number generation is used to secure SSL and similar technologies.
Reporting Issues
Citrix Linux Receiver relies on the Linux OS to provide the entropy for SecureICA and SSL technologies, and as such this is not considered a fault with the Linux Receiver.
Customers with this issue should report it to the Linux OS vendor and/or the Linux thin-client vendor supplying Citrix Linux Receiver within their image.
OS and Linux thin-client OEMs are advised to explore using a random number generator daemon if their /dev/random device cannot be configured through other means to provide the necessary entropy. This is not a new Linux platform issue and is seen from time to time on some devices running Linux.
Solution
To check the available entropy, type the following command at a shell prompt:
# watch "cat /proc/sys/kernel/random/entropy_avail"
If this entropy number shows around 100, you are likely to face the issue. Leave this window open and start the desktop; you may find that the available entropy number decreases to a single digit or even 0, and the session does not start. However, if you move the mouse around or press keys for a while, the entropy number gradually increases to double or triple digits, and the session starts successfully.
Solutions
Some options are recommended in the Linux Receiver documentation: Citrix Product Documentation - Troubleshoot.
rng-tools
rng-tools is intended to give access to values produced by a hardware random number generator. Users should be aware that it is possible to configure rng-tools to use either a pseudo-random number generator or a hardware random number generator:
- /dev/hwrng (a hardware random number generator)
or
- /dev/urandom (a pseudo-random number generator)
Citrix recommends using only the hardware random number generator (/dev/hwrng). Note that the recommendation to use rngd assumes that it will be used with a good source of random numbers, such as a hardware random number generator.
Customers may need to enable a TPM (Trusted Platform Module) or similar on certain hardware.
haveged
One of the software entropy generators is the haveged daemon (from Magic Software), which is available as source code or as a binary package from many Linux distribution repositories. It works by collecting entropy from sources other than the Linux OS kernel.
Install this package and verify the available entropy number is enough (generally it will be around 1000).
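The entropy check from the Solution section and the verification step after installing a feeder such as haveged or rngd can be scripted instead of watched by eye. The following is an added example, not Citrix code: the function names and the LOW_MARK threshold of 200 are assumptions chosen for illustration, and the script records the minimum value seen because the article notes the number drops while a session starts.

```shell
#!/bin/sh
# Added example (not Citrix code). Function names and LOW_MARK are assumptions.
LOW_MARK=${LOW_MARK:-200}   # assumed margin above the article's "around 100"

# classify_entropy AVAIL POOLSIZE -> full | ok | low
# A full pool counts as healthy even when the number is small, since some
# kernels report a small fixed poolsize.
classify_entropy() {
    if [ "$1" -ge "$2" ]; then echo full
    elif [ "$1" -le "$LOW_MARK" ]; then echo low
    else echo ok
    fi
}

# min_entropy DIR SAMPLES INTERVAL -> lowest entropy_avail seen while sampling
min_entropy() {
    dir=$1 n=$2 min=
    while [ "$n" -gt 0 ]; do
        cur=$(cat "$dir/entropy_avail") || return 1
        if [ -z "$min" ] || [ "$cur" -lt "$min" ]; then min=$cur; fi
        n=$((n - 1))
        if [ "$n" -gt 0 ]; then sleep "$3"; fi
    done
    echo "$min"
}

# entropy_summary DIR SAMPLES INTERVAL -> one-line summary for logs or tickets
entropy_summary() {
    pool=$(cat "$1/poolsize") || return 1
    low=$(min_entropy "$1" "$2" "$3") || return 1
    echo "min_entropy=$low poolsize=$pool status=$(classify_entropy "$low" "$pool")"
}

# feeder_report -> which entropy sources named in this article are in place
feeder_report() {
    if [ -c /dev/hwrng ]; then echo "hwrng=present"; else echo "hwrng=absent"; fi
    for d in rngd haveged; do
        if pgrep -x "$d" >/dev/null 2>&1; then echo "$d=running"; else echo "$d=stopped"; fi
    done
}

# Run against the live system only when asked: sh entropy_check.sh report
if [ "${1:-}" = "report" ]; then
    entropy_summary /proc/sys/kernel/random 10 1
    feeder_report
fi
```

Run it with the `report` argument once before starting a desktop session and again after installing a feeder; a status of `low` alongside `hwrng=absent` and both daemons stopped matches the failure condition described above.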
Workarounds
Using pseudo-random data
This is one technique some use to overcome the delay of waiting for true entropy: diverting the Linux OS to use pseudo-random data from /dev/urandom rather than /dev/random.
SSL relies for its security on generating random keys. The delay comes because /dev/random will wait until enough entropy (randomness) has been collected by the kernel. /dev/urandom will provide random values if they are available or less random values if the collected entropy is low. Citrix does not recommend using pseudo-random entropy as using /dev/urandom reduces security. Whilst for some users on a secure network this may be acceptable, customers should be aware better options exist.