Benjamin Kaduk <ka...@mit.edu> writes:
> On Sun, May 06, 2018 at 08:43:13PM +0100, Ben Hutchings wrote:
>> On Sun, 2018-05-06 at 14:02 -0500, Benjamin Kaduk wrote:

>>> Arguably more preferable would be to have a systemd target that
>>> indicates the RNG is seeded, and then krb5 could have its KDC service
>>> depend on this "RNG-available" service.  So far as I know, no such
>>> service currently exists, so again, there would need to be some
>>> systemd effort (potentially in cooperation with the kernel) to provide
>>> such a service.

>> Yes, that certainly seems like a good approach.

> Do you know who would be the right person to talk to about getting
> that work done?

This seems trivial enough that the krb5-kdc package could just ship this
service for now and gauge interest.  I think all you'd need is a program
that called getrandom() and then exited when it returned, run via systemd
as a Type=oneshot service that krb5-kdc depends on and with a reasonable
timeout.

-- 
Russ Allbery (r...@debian.org)               <http://www.eyrie.org/~eagle/>
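
The waiter program described in the message above, as an added example that is not part of the original message or of the krb5-kdc package. The function names, the install path and the timeout value in the comment are assumptions.

```c
/*
 * Block until the kernel RNG is initialized, then exit 0.
 * Meant to be started from a oneshot unit that krb5-kdc is ordered after.
 * Hypothetical [Service] section (path and timeout are assumptions):
 *   Type=oneshot
 *   ExecStart=/usr/local/sbin/wait-rng-seeded
 *   TimeoutStartSec=120
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/random.h>
#include <sys/types.h>

/* Non-blocking probe: 1 = seeded, 0 = not yet seeded, -1 = error. */
int rng_is_seeded(void)
{
    unsigned char b;
    ssize_t n = getrandom(&b, sizeof b, GRND_NONBLOCK);
    if (n == (ssize_t)sizeof b)
        return 1;
    return (n < 0 && errno == EAGAIN) ? 0 : -1;
}

/* Blocking wait: returns 0 once getrandom() succeeds, -1 on a real error. */
int wait_for_rng_seed(void)
{
    unsigned char b;
    for (;;) {
        /* flags == 0: block until the urandom pool has been initialized */
        ssize_t n = getrandom(&b, sizeof b, 0);
        if (n == (ssize_t)sizeof b)
            return 0;
        if (n < 0 && errno != EINTR)
            return -1;              /* e.g. ENOSYS on kernels before 3.17 */
    }
}

int main(void)
{
    if (wait_for_rng_seed() != 0) {
        fprintf(stderr, "getrandom: %s\n", strerror(errno));
        return 1;                   /* non-zero exit fails the oneshot unit */
    }
    return 0;
}
```

A non-zero exit or a start timeout leaves the unit failed, so a service that requires it is not started with an unseeded RNG.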
