This blog discusses an issue regarding starved entropy on boot up
that
can especially affect x86 and ARM:
Depending on the purpose for which openssh intends to use that
entropy, it should not be using GRND_RANDOM, and instead accept
entropy from the urandom source[1][2]. I can't think of a
particularly good reason why sshd would need a whole bunch of
*disjoint* entropy at start-up.
The important bit from Bernstein:
"The Linux /dev/urandom manual page claims that without new entropy the user is
"theoretically vulnerable to a cryptographic attack", but (as I've mentioned
in various venues) this is a ludicrous argument ..."
I think sshd is probably being too paranoid, at least when
you consider it in the context of Linux's urandom implementation.
-Phil
[1]
http://blog.cr.yp.to/20140205-entropy.html
[2]
https://www.2uo.de/myths-about-urandom/