klist -t opening $HOME/.rnd

Greg Hudson ghudson at mit.edu
Thu Mar 15 16:36:01 CET 2018

On 03/15/2018 05:38 AM, Harald Barth wrote:> But why do I need to
initialize a random number function just to
> determine if the ticket in the file ticket cache is valid?
> Seems like waste of resources to me.

Heimdal's krb5_init_context() intentionally initializes the random
number generator, so that subsequent uses don't have to worry about
error checking.

I think that side of the design is fine, but a library PRNG probably
doesn't need to interact with a seed file in this day and age.  That
decision is under Heimdal's control, not OpenSSL's; removing the code
ifdef'd NO_RANDFILE in lib/krb5/crypto-rand.c would suffice.

(MIT krb5 could also stand to simplify its PRNG, although it doesn't
have this particular problem.)

More information about the Heimdal-discuss mailing list