Question related to keytab entries upgrade
Greg Hudson
ghudson at MIT.EDU
Wed Jan 16 18:37:27 EST 2013
On 01/16/2013 05:52 PM, Nico Williams wrote:
> On Wed, Jan 16, 2013 at 4:30 PM, Matthieu Hautreux
> <matthieu.hautreux at gmail.com> wrote:
>> Thanks for the explanation. I think that Nico said that having the KDC
>> generate the keys makes it possible to ensure that the keys conform to [...]
> Did I say that? But you know, this is really a bit of cargo cult.
> Kerberos depends on having good RNGs (and good local security) on all
> nodes, so clients should be able to generate long-term keys.
I said it. I wasn't talking about RNG quality. With the setkey RPC,
the KDC doesn't know whether the client chose the key randomly at all;
it could be the string2key output of a password which wouldn't pass the
password policy.