Question related to keytab entries upgrade

Tom Yu tlyu at MIT.EDU
Wed Jan 16 18:13:00 EST 2013

Nico Williams <nico at> writes:

> On Wed, Jan 16, 2013 at 4:30 PM, Matthieu Hautreux
> <matthieu.hautreux at> wrote:
>> Thanks for the explanation. I think that Nico said that having the KDC
>> generating the keys enables to ensure that the keys conform to the security
>> constraints of the KDC, which explains the reason why setkey privilege must
>> be added to principal willing to do that. So process 1 and 2 are similar but
>> only process 2 does not require to have that privilege I guess.
> Did I say that?  But you know, this is really a bit of cargo cult.
> Kerberos depends on having good RNGs (and good local security) on all
> nodes, so clients should be able to generate long-term keys.

I'd rather have a poorer quality RNG for a short-term key than for a
long-term key.  There are some cryptographic algorithms where
insufficient randomness in a short-term secret value can compromise
the long-term secret (e.g., DSA), but we don't use those so much.

More information about the krbdev mailing list