On Sun, May 06, 2018 at 07:05:56PM -0700, Russ Allbery wrote:
> Benjamin Kaduk <ka...@mit.edu> writes:
> > On Sun, May 06, 2018 at 08:43:13PM +0100, Ben Hutchings wrote:
> >> On Sun, 2018-05-06 at 14:02 -0500, Benjamin Kaduk wrote:
>
> >>> Arguably more preferable would be to have a systemd target that
> >>> indicates the RNG is seeded, and then krb5 could have its KDC service
> >>> depend on this "RNG-available" service. So far as I know, no such
> >>> service currently exists, so again, there would need to be some
> >>> systemd effort (potentially in cooperation with the kernel) to provide
> >>> such a service.
>
> >> Yes, that certainly seems like a good approach.
>
> > Do you know who would be the right person to talk to about getting
> > that work done?
>
> This seems trivial enough that the krb5-kdc package could just ship this
> service for now and gauge interest. I think all you'd need is a program
> that called getrandom() and then exited when it returned, run via systemd
> as a Type=oneshot service that krb5-kdc depends on and with a reasonable
> timeout.

I think that's what it would look like, yes. It's less clear that
putting it in krb5-kdc would actually do anything to gauge demand, but
I suppose I could be wrong.

-Ben
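
Added example, not part of the thread and not code from krb5 or systemd: a sketch of the helper discussed above, which blocks in getrandom() until the kernel RNG is seeded and then exits. The unit name, install path and the 120 second timeout shown in the comment are assumptions.

```c
/* Added example: block until the kernel CSPRNG is seeded, then exit 0.
 * Hypothetical unit wait-rng-seeded.service (name, path, timeout assumed):
 *   [Service]
 *   Type=oneshot
 *   RemainAfterExit=yes
 *   ExecStart=/usr/local/sbin/wait-rng-seeded
 *   TimeoutStartSec=120
 * The KDC unit would then carry Requires= and After= on that unit, so a
 * timeout here keeps the KDC from starting with an unseeded RNG. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/random.h>

/* Non-blocking probe: 1 = seeded, 0 = not yet seeded, -1 = error. */
int rng_is_seeded(void)
{
    unsigned char b;
    ssize_t n = getrandom(&b, sizeof b, GRND_NONBLOCK);
    if (n == (ssize_t)sizeof b)
        return 1;
    return (n < 0 && errno == EAGAIN) ? 0 : -1;
}

/* With flags == 0, getrandom() blocks until the pool is initialized.
 * A signal can interrupt that wait (EINTR), so retry. 0 = ok, -1 = error. */
int wait_for_seeded_rng(void)
{
    unsigned char b;
    for (;;) {
        ssize_t n = getrandom(&b, sizeof b, 0);
        if (n == (ssize_t)sizeof b)
            return 0;
        if (n < 0 && errno == EINTR)
            continue;
        return -1;   /* e.g. ENOSYS on kernels without getrandom() */
    }
}

int main(void)
{
    if (rng_is_seeded() == 0)
        fprintf(stderr, "kernel RNG not yet seeded, waiting\n");
    if (wait_for_seeded_rng() != 0) {
        fprintf(stderr, "getrandom: %s\n", strerror(errno));
        return 1;    /* non-zero exit marks the oneshot unit as failed */
    }
    return 0;
}
```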