> Heimdal's krb5_init_context() intentionally initializes the random
> number generator, so that subsequent uses don't have to worry about
> error checking.

The more I think about it, the more wrong I think this is. We are talking about a library call used by "klist" here. Klist should work without even any random number source available. Unfortunately klist needs to read krb5.conf (and other possible config locations) just to figure out where to find the credential cache, otherwise not even that would be needed to do its work.

But still krb5_init_context does more than documented. Man page says "initialize structure" and "read conf file", nothing more and I can not see why kinit would need more or why any program would rely on the additional actions like quote "krb5_init_context() will get one random byte to make sure our random is alive." (see comment in source) when it's not documented at all.

So I'd say krb5_init_context should stick to what it is documented to do and if apps need randomness to work they should call krb5_generate_random which is the function for it. Otherwise we can add "do we have network connectivity" into krb5_init_context just because we may need that as well in the program later (ok, that's a bit exaggerated, but you get the point ;-) ;-)

Harald.