/dev/random vs. /dev/urandom and the krb5 test suite

Jeffrey Hutzelman jhutz at cmu.edu
Thu Jun 18 11:55:55 EDT 2009

--On Thursday, June 18, 2009 08:37:04 AM -0400 Don Davis 
<dodavis at redhat.com> wrote:

> hi, greg --
>       have you tried just adding entropy to the pool
> during your tests, so that /dev/random won't stall?
> running "find / -name foo" on a spare disk ought to
> suffice for this.

Or it might cause all sorts of problems as the machine grinds to a halt 
trying to traverse all of /afs.

A trick like that might be appropriate for one individual working around a 
problem, but it's not something that the tests can safely do automatically, 
and the tests should Just Work(tm), so that anyone building Kerberos can 
run the tests and not have to know special tricks to get them working.

Greg, I'm not sure where I stand on making it easy for people to configure 
Kerberos to use /dev/urandom.  In a lot of cases, /dev/urandom is going to 
be "good enough", since while it doesn't directly derive every bit of 
output from an independent random physical event, it is supposed to at 
least be the output of a cryptographically-strong PRNG.  IMHO /dev/random 
tends to get overused just a little.

If you don't want to create too tempting a knob, you could call the option 
something like debug_test_random_data_source and set it to a path.  This 
would have the added benefit of allowing one to provide a fixed, 
reproducible set of "random" data if needed for tests or debugging.

-- Jeff

More information about the krbdev mailing list