/dev/random vs. /dev/urandom and the krb5 test suite
Jeffrey Hutzelman
jhutz at cmu.edu
Thu Jun 18 11:55:55 EDT 2009

--On Thursday, June 18, 2009 08:37:04 AM -0400 Don Davis
<dodavis at redhat.com> wrote:

> hi, greg --
>
> have you tried just adding entropy to the pool
> during your tests, so that /dev/random won't stall?
> running "find / -name foo" on a spare disk ought to
> suffice for this.

Or it might cause all sorts of problems as the machine grinds to a halt
trying to traverse all of /afs.

A trick like that might be appropriate for one individual working around a
problem, but it's not something that the tests can safely do automatically,
and the tests should Just Work(tm), so that anyone building Kerberos can
run the tests and not have to know special tricks to get them working.

Greg, I'm not sure where I stand on making it easy for people to configure
Kerberos to use /dev/urandom. In a lot of cases, /dev/urandom is going to
be "good enough", since while it doesn't directly derive every bit of
output from an independent random physical event, it is supposed to at
least be the output of a cryptographically-strong PRNG. IMHO /dev/random
tends to get overused just a little.

If you don't want to create too tempting a knob, you could call the option
something like debug_test_random_data_source and set it to a path. This
would have the added benefit of allowing one to provide a fixed,
reproducible set of "random" data if needed for tests or debugging.

-- Jeff
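
Added example, not part of the original message and not MIT krb5 code: a C reader for a configurable random-data path such as the suggested debug_test_random_data_source, showing that a fixed file yields reproducible bytes and that a file shorter than the request is rejected instead of returning a partial seed. The names read_seed and write_fixture and the sample bytes are constructed for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Added illustration, not MIT krb5 code; function names are hypothetical.
 * read_seed() fills buf with exactly len bytes from path: 0 on success, -1
 * on open/read error or early EOF (a too-short fixed file is rejected). */
int read_seed(const char *path, unsigned char *buf, size_t len)
{
    size_t got = 0;
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n < 0 && errno == EINTR)
            continue;               /* interrupted: retry */
        if (n <= 0)
            break;                  /* error, or EOF before len bytes */
        got += (size_t)n;
    }
    close(fd);
    return got == len ? 0 : -1;
}

/* Write constructed sample bytes to a mkstemp() file; 0 on success. */
int write_fixture(char *path_template, const void *data, size_t len)
{
    int fd = mkstemp(path_template);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, data, len);
    close(fd);
    return n == (ssize_t)len ? 0 : -1;
}

int main(void)
{
    char path[] = "/tmp/seed_fixture_XXXXXX";
    unsigned char a[16], b[16], big[64];
    if (write_fixture(path, "0123456789abcdef", 16) != 0)
        return 1;
    int same = !read_seed(path, a, 16) && !read_seed(path, b, 16) && !memcmp(a, b, 16);
    printf("reproducible=%d short_rejected=%d\n", same, read_seed(path, big, 64) == -1);
    unlink(path);
    return 0;
}
```

The same read_seed() works unchanged when the path is a device such as /dev/urandom, which never reaches EOF.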