This blog discusses an issue regarding starved entropy on boot up
can especially affect x86 and ARM:
Depending on the purpose for which openssh intends to use that
entropy, it should not be using GRND_RANDOM, and instead accept
entropy from the urandom source. I can't think of a
particularly good reason why sshd would need a whole bunch of
*disjoint* entropy at start-up.
The important bit from Bernstein:
"The Linux /dev/urandom manual page claims that without new entropy the user is
"theoretically vulnerable to a cryptographic attack", but (as I've mentioned
in various venues) this is a ludicrous argument ..."
I think sshd is probably being too paranoid, at least when
you consider it in the context of Linux's urandom implementation.