/dev/random vs. /dev/urandom and the krb5 test suite

Sam Hartman hartmans at MIT.EDU
Thu Jun 18 14:21:10 EDT 2009

So, during normal operation I would not expect Kerberos to use
/dev/random much.
I'd expect it to get used at

* kadmind startup
* kdb5_util usage
* possibly (but probably not) krb5kdc

The idea is that long-term cryptographic keys such as TGT keys and
service keys should use /dev/random to initialize the PRNG.  I would
not expect the KDC or clients to use /dev/random during normal
operation nor would I expect startup of KDC and kadmind to use
non-constant data from /dev/random.

So, if you do create a krb5.conf option, I think having big warning
flags would be entirely appropriate.  I don't think you should ever
need that option in a production environment.

More information about the krbdev mailing list