Question related to keytab entries upgrade

Nico Williams nico at cryptonector.com
Wed Jan 16 18:46:01 EST 2013


On Wed, Jan 16, 2013 at 5:37 PM, Greg Hudson <ghudson at mit.edu> wrote:
> On 01/16/2013 05:52 PM, Nico Williams wrote:
>> On Wed, Jan 16, 2013 at 4:30 PM, Matthieu Hautreux
>> <matthieu.hautreux at gmail.com> wrote:
>>> Thanks for the explanation. I think that Nico said that having the KDC
>>> generate the keys makes it possible to ensure that the keys conform to [...]
>
>> Did I say that?  But you know, this is really a bit of cargo cult.
>> Kerberos depends on having good RNGs (and good local security) on all
>> nodes, so clients should be able to generate long-term keys.
>
> I said it.  I wasn't talking about RNG quality.  With the setkey RPC,
> the KDC doesn't know whether the client chose the key randomly at all;
> it could be the string2key output of a password which wouldn't pass the
> password policy.

Ah, yes, there's that.
