klist -t opening $HOME/.rnd

Harald Barth haba at kth.se
Fri Mar 16 09:24:13 CET 2018

> Heimdal's krb5_init_context() intentionally initializes the random
> number generator, so that subsequent uses don't have to worry about
> error checking.

The more I think about it, the more wrong I think this is. We are
talking about a library call used by "klist" here. Klist should work
without even any random number source available. Unfortunately klist
needs to read krb5.conf (and other possible config locations) just to
figure out where to find the credential cache, otherwise not even that
would be needed to do its work.

But still krb5_init_context does more than documented. Man page says
"initialize structure" and "read conf file", nothing more and I can
not see why kinit would need more or why any program would rely on the
additonal actions like quote "krb5_init_context() will get one random
byte to make sure our random is alive." (see comment in source) when
it's not documented at all. So I'd say krb5_init_context should stick
to what it is documented to do and if apps need randomness to work
they should call krb5_generate_random which is the function for it.

Otherwise we can add "do we have network connectivity" into
krb5_init_context just because we may need that as well in the program
later (ok, that's a biut exaggerated, but you get the point ;-) ;-)


More information about the Heimdal-discuss mailing list