Hi Timo,
/dev/urandom is an exhaustible source and therefore it is not
theoretically suitable for direct use in cryptography (especially on a
webserver, where entropy exhaustion may be forced through repeated
requests).
You should not read large volumes of random data from the kernel;
instead, you should use it to seed a crypto-secure PRNG (as OpenSSL
does). Here's why:
"
The kernel random-number generator is designed to produce a small
amount of high-quality seed material to seed a cryptographic pseudo-
random number generator (CPRNG). It is designed for security, not
speed, and is poorly suited to generating large amounts of random
data. Users should be very economical in the amount of seed material
that they read from /dev/urandom (and /dev/random); unnecessarily
reading large quantities of data from this device will have a
negative impact on other users of the device.
"
http://man7.org/linux/man-pages/man4/random.4.html
Keeping an eye on the forking issue and understanding where the
OpenSSL random is being seeded (i.e., that you're not cloning the
random generator's seed) is important, but directly reading urandom
isn't really the solution either and may result in problems down the
road.
--
Kevin McArthur
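Added example, not part of Kevin's mail and not OpenSSL's own code: a small userspace ChaCha20-based CSPRNG in C that takes only 44 bytes (key + nonce) from /dev/urandom per seed, then forks to show the cloned-seed problem the mail refers to. Without any fork handling, parent and child continue from a byte-identical copy of the generator state and emit the same output; with a reseed triggered when the pid changes, the child's stream diverges. The pid comparison is an assumption chosen for brevity (OpenSSL uses fork handlers for this, and a pid check alone can be fooled by pid reuse); the names csprng_seed, csprng_bytes and fork_outputs_match are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#define ROTL(v, n) (((v) << (n)) | ((v) >> (32 - (n))))
#define QR(x, a, b, c, d) do {                                      \
        x[a] += x[b]; x[d] ^= x[a]; x[d] = ROTL(x[d], 16);           \
        x[c] += x[d]; x[b] ^= x[c]; x[b] = ROTL(x[b], 12);           \
        x[a] += x[b]; x[d] ^= x[a]; x[d] = ROTL(x[d], 8);            \
        x[c] += x[d]; x[b] ^= x[c]; x[b] = ROTL(x[b], 7); } while (0)

/* One ChaCha20 block (RFC 8439) of the 16-word state: 64 bytes of keystream. */
static void chacha20_block(const uint32_t in[16], uint8_t out[64]) {
    uint32_t x[16];
    memcpy(x, in, sizeof x);
    for (int i = 0; i < 10; i++) {
        QR(x, 0, 4, 8, 12); QR(x, 1, 5, 9, 13); QR(x, 2, 6, 10, 14); QR(x, 3, 7, 11, 15);
        QR(x, 0, 5, 10, 15); QR(x, 1, 6, 11, 12); QR(x, 2, 7, 8, 13); QR(x, 3, 4, 9, 14);
    }
    for (int i = 0; i < 16; i++) {
        uint32_t v = x[i] + in[i];
        out[4*i] = v; out[4*i+1] = v >> 8; out[4*i+2] = v >> 16; out[4*i+3] = v >> 24;
    }
}

typedef struct {
    uint32_t state[16]; /* sigma constants | 256-bit key | 32-bit counter | 96-bit nonce */
    pid_t owner;        /* pid at the last (re)seed: a cheap fork detector (assumption, see lead-in) */
} csprng;

/* Seed from the kernel: only 44 bytes (key + nonce), the economical use the man page asks for. */
static int csprng_seed(csprng *g) {
    static const uint32_t sigma[4] = {0x61707865, 0x3320646e, 0x79622d32, 0x6b206574};
    uint8_t seed[44];
    FILE *f = fopen("/dev/urandom", "rb"); if (!f) return -1;
    size_t got = fread(seed, 1, sizeof seed, f);
    fclose(f); if (got != sizeof seed) return -1;
    memcpy(g->state, sigma, sizeof sigma);
    for (int i = 0; i < 11; i++) {  /* words 4..11 = key, word 12 = counter, words 13..15 = nonce */
        const uint8_t *p = seed + 4*i;
        g->state[i < 8 ? 4 + i : 5 + i] =
            p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    }
    g->state[12] = 0;
    g->owner = getpid();
    return 0;
}

/* Fill out[] with n bytes. With fork_safe set, a pid change forces a reseed first. */
static int csprng_bytes(csprng *g, uint8_t *out, size_t n, int fork_safe) {
    uint8_t block[64];
    if (fork_safe && g->owner != getpid() && csprng_seed(g) != 0) return -1;
    while (n > 0) {
        chacha20_block(g->state, block);
        g->state[12]++;                         /* next block; never hand out the same one twice */
        size_t take = n < sizeof block ? n : sizeof block;
        memcpy(out, block, take);
        out += take; n -= take;
    }
    return 0;
}

/* Fork after using the generator; the child sends its next 32 bytes over a pipe and the parent
   compares them with its own next 32. 1 = identical (cloned-seed bug), 0 = diverged, -1 = error. */
static int fork_outputs_match(int fork_safe) {
    csprng g;
    uint8_t warm[32], child[32], parent[32];
    int fd[2];
    if (csprng_seed(&g) != 0 || pipe(fd) != 0) return -1;
    csprng_bytes(&g, warm, sizeof warm, fork_safe);   /* use the generator a little before forking */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        csprng_bytes(&g, child, sizeof child, fork_safe);
        _exit(write(fd[1], child, sizeof child) == (ssize_t)sizeof child ? 0 : 1);
    }
    close(fd[1]);
    size_t got = 0;
    while (got < sizeof child) {
        ssize_t r = read(fd[0], child + got, sizeof child - got);
        if (r <= 0) break;
        got += (size_t)r;
    }
    close(fd[0]);
    waitpid(pid, NULL, 0);
    if (got != sizeof child) return -1;
    csprng_bytes(&g, parent, sizeof parent, fork_safe);
    return memcmp(child, parent, sizeof child) == 0;
}

int main(void) {
    printf("no fork handling: child and parent outputs match = %d\n", fork_outputs_match(0));
    printf("reseed on pid change: outputs match = %d\n", fork_outputs_match(1));
    return 0;
}
```

Build with `cc -Wall -o forkrand forkrand.c && ./forkrand` on Linux. The first call prints 1 (the child is a clone of the parent's generator, so both hand out the same "random" bytes, the situation Kevin warns about for pre-forked web servers), the second prints 0. In real code, register a fork handler (pthread_atfork) or use a library that already reseeds after fork rather than relying on getpid(), and note that each reseed here costs only 44 bytes of kernel randomness regardless of how much output is later drawn from the generator.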