Question related to keytab entries upgrade

Nico Williams nico at
Wed Jan 16 18:46:01 EST 2013

On Wed, Jan 16, 2013 at 5:37 PM, Greg Hudson <ghudson at> wrote:
> On 01/16/2013 05:52 PM, Nico Williams wrote:
>> On Wed, Jan 16, 2013 at 4:30 PM, Matthieu Hautreux
>> <matthieu.hautreux at> wrote:
>>> Thanks for the explanation. I think that Nico said that having the KDC
>>> generating the keys enables to ensure that the keys conform to [...]
>> Did I say that?  But you know, this is really a bit of cargo cult.
>> Kerberos depends on having good RNGs (and good local security) on all
>> nodes, so clients should be able to generate long-term keys.
> I said it.  I wasn't talking about RNG quality.  With the setkey RPC,
> the KDC doesn't know whether the client chose the key randomly at all;
> it could be the string2key output of a password which wouldn't pass the
> password policy.

Ah, yes, there's that.

More information about the krbdev mailing list