[krbdev.mit.edu #3488] be a little less paranoid with PRNG seeding

Ken Raeburn via RT rt-comment at krbdev.mit.edu
Fri Mar 3 18:41:46 EST 2006


Currently kadmind reads data from /dev/random every time it starts up
to seed the Yarrow PRNG.  Not once per N keys generated, nor once per
N minutes of run time, but at every startup.  In maintenance, testing
or other cases where restarts are fairly frequent compared to actual
key generation, this is a waste.  It would probably be safe to save
some state (originally initialized from /dev/random of course), update
from /dev/urandom at process startup and occasionally thereafter.  If
an attacker can get at the state file, they can probably get at the
master key, too.

If insufficient random bits have been generated by the system since
boot time, the read of /dev/random will block.  This has occasionally
caused dejagnu test failures when kadmind doesn't start up fast enough
for the timeout settings, but now Tracy is reporting (via Zephyr at
CMU) 25-45 *minute* startup times for kadmind on some NetBSD 3.0
systems.

Ken
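An added illustration of the state-file scheme proposed above (not code from MIT krb5 or from this ticket): the blocking source is read only when no saved state exists, later starts mix the saved state with /dev/urandom, and the file is rewritten with fresh bytes so it never holds the seed in use. The function and file names are assumptions, and the XOR stands in for feeding both inputs to the PRNG's own reseed routine; the 0600 mode reflects the remark that the state file is as sensitive as the master key.

```c
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>

#define SEED_LEN 32

/* Read exactly len bytes from path (device or regular file); 0 on success, -1 otherwise. */
static int read_exact(const char *path, unsigned char *buf, size_t len) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    size_t got = 0;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n <= 0) { close(fd); return -1; }
        got += (size_t)n;
    }
    close(fd);
    return 0;
}

/* Write the state file with mode 0600: whoever can read it can likely reach the master key too. */
static int write_state(const char *path, const unsigned char *buf, size_t len) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, buf, len);
    close(fd);
    return (n == (ssize_t)len) ? 0 : -1;
}

/* Produce a PRNG seed in `out` (hypothetical helper, not the krb5 API).
 * Saved state is mixed with fresh bytes from fresh_dev (/dev/urandom, never
 * blocks); only when no state exists is the blocking first_dev (/dev/random)
 * read, i.e. once per installation instead of once per startup. The state
 * file is then replaced with new fresh_dev bytes so it never stores the seed
 * actually in use. Returns 1 if the blocking source was read, 0 if saved
 * state was used, -1 on error. */
int seed_from_state(const char *state_path, const char *first_dev,
                    const char *fresh_dev, unsigned char out[SEED_LEN]) {
    unsigned char saved[SEED_LEN], fresh[SEED_LEN];
    int used_blocking = 0;
    if (read_exact(state_path, saved, SEED_LEN) != 0) {
        if (read_exact(first_dev, saved, SEED_LEN) != 0) return -1;
        used_blocking = 1;
    }
    if (read_exact(fresh_dev, fresh, SEED_LEN) != 0) return -1;
    for (size_t i = 0; i < SEED_LEN; i++) out[i] = saved[i] ^ fresh[i];
    if (read_exact(fresh_dev, fresh, SEED_LEN) != 0) return -1;  /* next-start state */
    if (write_state(state_path, fresh, SEED_LEN) != 0) return -1;
    return used_blocking;
}
```

In a daemon the same mixing step would be repeated on a timer to realise the "occasionally thereafter" reseed from /dev/urandom.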