MIT Krb5 + SELinux

Jeffrey Hutzelman jhutz at cmu.edu
Tue Apr 13 15:01:44 EDT 2004



On Tuesday, April 13, 2004 03:00:40 +0200 Jerome Walter 
<walter+kerberos at efrei.fr> wrote:

> By the way, a common constant on the programs is that most want access
> to urandom devices, but do not require it really. I guess that, to
> create tickets, the KDC does need access to the device, otherwise the work
> could be altered.

The session keys used to protect communications between clients and servers 
in Kerberos-authenticated applications are generated by the KDC.  In fact, 
the acronym KDC stands for "Key Distribution Center", and these session 
keys are the keys being distributed.  The KDC generates a new session key 
every time it issues a ticket, and in order to generate good keys, it must 
have access to a decent source of entropy.

In addition, all parties involved in the Kerberos protocol -- clients, 
application servers, and the KDC -- require a source of random data with 
which to generate random confounders.  In some cases there are additional 
random strings required, depending on the application protocol.

Finally, one of the services offered by the admin server is the ability to 
set a principal's long-term key(s) randomly.  This is often used when 
keying services, for which a strong key is desirable.  Of course, this 
capability also requires access to a good source of entropy.


Note that in general, Kerberos tools and libraries which expect to be able 
to access /dev/urandom probably won't just "work differently" without it; 
they may refuse to operate at all, generating errors instead.


It is worth noting that /dev/urandom is not a source of random data.  It is 
the output of a cryptographically-strong (we hope) pseudo-random number 
generator, which in turn is _seeded_ by random data.  As such, /dev/urandom 
is not a limited resource; it can churn out pseudo-random bytes at more or 
less any desired rate.  So there is not generally any reason to prevent 
access by any process that desires it.


-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA
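The three uses of entropy described in the message above (a fresh session key per ticket, a confounder per protected message, and randomly generated long-term keys) and the "refuse to operate" behaviour, as an added illustration that is not part of the original thread and not MIT Kerberos code. The toy issuer opens /dev/urandom directly, the way a daemon whose reads are blocked by SELinux policy would, and treats any failure to read the device as fatal rather than falling back to weaker randomness. The ticket layout, key sizes and the HMAC tag are constructed for the example and do not reproduce the Kerberos wire format; `EntropyUnavailable`, `read_random`, `issue_ticket` and `random_long_term_key` are names invented here.

```python
"""Toy KDC-style key issuer that, like the Kerberos tools discussed in the
thread, reads /dev/urandom directly and fails hard when it cannot.
Added example; not MIT Kerberos code."""

import hashlib
import hmac

URANDOM = "/dev/urandom"          # the device the thread is about
SESSION_KEY_BYTES = 32            # constructed size for this example
CONFOUNDER_BYTES = 16             # constructed size for this example


class EntropyUnavailable(RuntimeError):
    """Raised when the entropy device cannot be read.

    A missing device node and an SELinux denial on open() both surface
    as OSError (ENOENT / EACCES); in either case the right response is
    to stop, not to 'work differently' with a weaker key source."""


def read_random(nbytes, source=URANDOM):
    """Read exactly nbytes from the entropy device or raise."""
    try:
        with open(source, "rb", buffering=0) as dev:
            data = dev.read(nbytes)
    except OSError as exc:
        raise EntropyUnavailable(f"cannot read {source}: {exc}") from None
    if len(data) != nbytes:      # short read: treat as unavailable too
        raise EntropyUnavailable(f"short read from {source}")
    return data


def entropy_source_available(source=URANDOM):
    """True if one byte can be read from the device, False otherwise."""
    try:
        read_random(1, source)
        return True
    except EntropyUnavailable:
        return False


def random_long_term_key(source=URANDOM):
    """Analogue of the admin server setting a principal's key randomly."""
    return read_random(SESSION_KEY_BYTES, source)


def issue_ticket(client, service, service_key, source=URANDOM):
    """Issue one ticket: new session key and confounder per ticket.

    The tag is a constructed integrity check keyed with the service's
    long-term key; real Kerberos encrypts the ticket, this only shows
    where the random material goes."""
    session_key = read_random(SESSION_KEY_BYTES, source)
    confounder = read_random(CONFOUNDER_BYTES, source)
    body = f"{client}|{service}|".encode() + session_key
    tag = hmac.new(service_key, confounder + body, hashlib.sha256).digest()
    return {
        "client": client,
        "service": service,
        "session_key": session_key,
        "confounder": confounder,
        "tag": tag,
    }


if __name__ == "__main__":
    if not entropy_source_available():
        raise SystemExit(f"{URANDOM} unreadable: refusing to issue tickets")
    svc_key = random_long_term_key()
    t1 = issue_ticket("alice@EXAMPLE", "host/srv.example", svc_key)
    t2 = issue_ticket("alice@EXAMPLE", "host/srv.example", svc_key)
    print("distinct session keys:", t1["session_key"] != t2["session_key"])
```

When run on a host where the daemon's SELinux domain is denied read access to the device, the open() fails with EACCES and the issuer exits instead of producing tickets, which is the failure mode the message warns about; the AVC denial is visible in the audit log, so the fix is a policy grant rather than removing the check.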