On Tuesday, April 13, 2004 03:00:40 +0200 Jerome Walter <[EMAIL PROTECTED]> wrote:

> By the way, a common constant in the programs is that most want access
> to urandom devices, but do not really require it. I guess that to
> create tickets, the KDC does need access to the device, otherwise the work
> could be altered.

The session keys used to protect communications between clients and servers in Kerberos-authentication applications are generated by the KDC. In fact, the acronym KDC stands for "Key Distribution Center", and these session keys are the keys being distributed. The KDC generates a new session key every time it issues a ticket, and in order to generate good keys, it must have access to a decent source of entropy.

In addition, all parties involved in the Kerberos protocol -- clients, application servers, and the KDC -- require a source of random data with which to generate random confounders. In some cases there are additional random strings required, depending on the application protocol.

Finally, one of the services offered by the admin server is the ability to set a principal's long-term key(s) randomly. This is often used when keying services, for which a strong key is desirable. Of course, this capability also requires access to a good source of entropy.

Note that in general, Kerberos tools and libraries which expect to be able to access /dev/urandom probably won't just "work differently" without it; they may refuse to operate at all, generating errors instead.

It is worth noting that /dev/urandom is not a source of random data. It is the output of a cryptographically-strong (we hope) pseudo-random number generator, which in turn is _seeded_ by random data. As such, /dev/urandom is not a limited resource; it can churn out pseudo-random bytes at more or less any desired rate. So there is not generally any reason to prevent access by any process that desires it.

-- 
Jeffrey T. Hutzelman (N3NHS) <[EMAIL PROTECTED]>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA
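The last two points in the message above (that Kerberos code expecting /dev/urandom fails rather than degrading, and that the device is an unlimited CSPRNG output rather than a scarce pool) can be illustrated with an added example of a fail-closed key-drawing routine. This is example code written for this page, not code from the thread or from any Kerberos implementation; the function names, the 32-byte key length and the device-path argument are assumptions.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Constructed example: fill 'key' with 'len' bytes read from the CSPRNG
 * device at 'path'. Returns 0 on success, -1 if the device cannot be
 * opened or read in full. No fallback: a weaker key is worse than no key. */
int generate_session_key(const char *path, unsigned char *key, size_t len)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;      /* e.g. device node absent in a chroot */
    size_t got = 0;
    while (got < len) {
        ssize_t n = read(fd, key + got, len - got);
        if (n < 0 && errno == EINTR)
            continue;           /* interrupted by a signal: retry */
        if (n <= 0)
            goto fail;          /* read error, or EOF: not a real urandom */
        got += (size_t)n;
    }
    close(fd);
    return 0;
fail:
    close(fd);
    memset(key, 0, len);        /* never hand back a partially filled key */
    return -1;
}

/* Sanity check, not a randomness test: 1 if two keys drawn in a row differ,
 * 0 if they match or the device could not be used at all. */
int keys_differ(const char *path, size_t len)
{
    unsigned char a[64], b[64];
    if (len > sizeof a) return 0;
    if (generate_session_key(path, a, len) != 0) return 0;
    if (generate_session_key(path, b, len) != 0) return 0;
    return memcmp(a, b, len) != 0;
}

int main(void)
{
    unsigned char key[32];
    if (generate_session_key("/dev/urandom", key, sizeof key) != 0) {
        fputs("no usable /dev/urandom: refusing to issue a key\n", stderr);
        return 1;
    }
    printf("drew a %zu-byte session key\n", sizeof key);
    return 0;
}
```

Reading /dev/null instead of /dev/urandom hits the EOF branch, which is why the routine checks for a zero-length read rather than trusting that the path is the real device.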

________________________________________________
Kerberos mailing list           [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
