/dev/random vs. /dev/urandom and the krb5 test suite

Tom Yu tlyu at MIT.EDU
Mon Jun 22 17:03:19 EDT 2009

John Hascall <john at iastate.edu> writes:

>> The krb5 test suite generates a lot of random keying material.  Under
>> the assumption that cryptographic keys require "strong" randomness,
>> most of that material comes from /dev/random.  This can create stalls
>> in some environments; for instance, my Linux box spends a few extra
>> minutes per testing run if I don't use a local hack to make lib/crypto
>> use /dev/urandom instead.
> I have not noticed it in this regard, but I did notice some time ago,
> (and I thought I asked about it here, but my google-fu is weak today),
> that we had a similar problem with kadmind refusing to start due to a
> lack of entropy.  Our KDCs do nothing else, so at boot time there was
> virtually no accumulated entropy and with kadmin refusing to start
> without "enough", nothing else ran to generate any.  Catch-22.
> I ended up putting a silly little loop in our rc script:
> kadmind5_precmd() {
>         need=2880
>         d=ld2a
>         b=8192
>         while : ; do
>                 bits=`/sbin/rndctl -s | awk '$3 == "currently" {print $1}'`
>                 echo "Have $bits of entropy"
>                 [ $bits -ge $need ] && break
>                 echo "Not enough entropy for kadmin5, trying to make some"
>                 x=`date +%M%S`
>                 dd if=/dev/r$d of=/dev/null bs=$b skip=$x count=$x 2>/dev/null
>         done
>         echo "Entropy should be sufficient to start kadmind5"
> }
> Putting something like this in the testing sripts seems like it might
> be an alternative to a possibly-ill-advised option (of any name).

This has the disadvantage of requiring tuning for specific operating
systems, so I would discourage using it for testing scripts that must
run on multiple operating systems.

More information about the krbdev mailing list