/dev/random vs. /dev/urandom and the krb5 test suite

[John Hascall]

> The krb5 test suite generates a lot of random keying material.  Under
> the assumption that cryptographic keys require "strong" randomness,
> most of that material comes from /dev/random.  This can create stalls
> in some environments; for instance, my Linux box spends a few extra
> minutes per testing run if I don't use a local hack to make lib/crypto
> use /dev/urandom instead.

I have not noticed it in this regard, but I did notice some time ago,
(and I thought I asked about it here, but my google-fu is weak today),
that we had a similar problem with kadmind refusing to start due to a
lack of entropy.  Our KDCs do nothing else, so at boot time there was
virtually no accumulated entropy and with kadmin refusing to start
without "enough", nothing else ran to generate any.  Catch-22.
I ended up putting a silly little loop in our rc script:

kadmind5_precmd() {
        need=2880
        d=ld2a
        b=8192
        while : ; do
                bits=`/sbin/rndctl -s | awk '$3 == "currently" {print $1}'`
                echo "Have $bits of entropy"
                [ $bits -ge $need ] && break
                echo "Not enough entropy for kadmin5, trying to make some"
                x=`date +%M%S`
                dd if=/dev/r$d of=/dev/null bs=$b skip=$x count=$x 2>/dev/null
        done
        echo "Entropy should be sufficient to start kadmind5"
}


Putting something like this in the testing sripts seems like it might
be an alternative to a possibly-ill-advised option (of any name).



John