Question related to keytab entries upgrade

Greg Hudson ghudson at MIT.EDU
Wed Jan 16 18:37:27 EST 2013

On 01/16/2013 05:52 PM, Nico Williams wrote:
> On Wed, Jan 16, 2013 at 4:30 PM, Matthieu Hautreux
> <matthieu.hautreux at> wrote:
>> Thanks for the explanation. I think that Nico said that having the KDC
>> generating the keys enables to ensure that the keys conform to [...]

> Did I say that?  But you know, this is really a bit of cargo cult.
> Kerberos depends on having good RNGs (and good local security) on all
> nodes, so clients should be able to generate long-term keys.

I said it.  I wasn't talking about RNG quality.  With the setkey RPC,
the KDC doesn't know whether the client chose the key randomly at all;
it could be the string2key output of a password which wouldn't pass the
password policy.

More information about the krbdev mailing list