Bernd Schubert <[EMAIL PROTECTED]> writes:

>> I don't have time just at the moment to check whether this change is
>> easy to make or to work on a patch.  If you have a moment to do that,
>> it would be greatly appreciated.  Otherwise, I'll try to take a look at
>> this as soon as I have some more free time.

> The attached patch is rather simple as it will only move the fork()
> lines. I don't think it might have any negative impacts and it's also
> tested on my home system for 14 days.

> Moving the random number reading would be much more difficult, as one
> would have to check all those initializations after
> krb5_c_random_os_entropy() in ovsec_kadmind.c.

I finally had a chance to look at this patch.  Unfortunately, the problem
with taking this approach and moving the random number generation very
early in kadmind's initialization is that we then lose all error reporting
to stderr for any subsequent errors, including the long message about why
kadmind can't bind to a port, since they go to stderr.  It's not a
functional problem, but it's definitely not ideal.

Sam, do you know what parts of kadmind use the random number generator?
Is it sufficient for security to seed the random number generator before
the first client connection is handled, or does it have to be done before
kadm5_init, RPC service creation, fiddling with the kdb keytab, and so
forth?  I'm looking at the implications of the following patch, which
builds and passes the test suite.

Index: src/kadmin/server/ovsec_kadmd.c
===================================================================
--- src/kadmin/server/ovsec_kadmd.c     (revision 18323)
+++ src/kadmin/server/ovsec_kadmd.c     (working copy)
@@ -301,15 +301,6 @@
 
      krb5_klog_init(context, "admin_server", whoami, 1);
 
-     krb5_klog_syslog(LOG_INFO, "Seeding random number generator");
-          ret = krb5_c_random_os_entropy(context, 1, NULL);
-         if(ret) {
-           krb5_klog_syslog(LOG_ERR,
-                            "Error getting random seed: %s, aborting",
-                            krb5_get_error_message (context, ret));
-           exit(1);
-         }
-         
      if((ret = kadm5_init("kadmind", NULL,
                          NULL, &params,
                          KADM5_STRUCT_VERSION,
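
Review bot: with the seeding block removed from just after krb5_klog_init, the kadm5_init call in the trailing context now runs before krb5_c_random_os_entropy has been called, as does everything else up to the new location near line 630. Before this goes in, confirm that none of that initialization (kadm5_init, RPC service creation, the kdb keytab setup mentioned above) draws random bytes. If it does not, leave a short comment at this spot saying the seeding is deliberately deferred, so a later change does not add a consumer of randomness ahead of it.
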
@@ -639,6 +630,17 @@
          exit(1);
      }
      
+     krb5_klog_syslog(LOG_INFO, "Seeding random number generator");
+     ret = krb5_c_random_os_entropy(context, 1, NULL);
+     if (ret) {
+         krb5_klog_syslog(LOG_ERR, "Error getting random seed: %s, aborting",
+                          krb5_get_error_message(context, ret));
+         svcauth_gssapi_unset_names();
+         kadm5_destroy(global_server_handle);
+         krb5_klog_close(context);
+         exit(1);
+     }
+         
      setup_signal_handlers();
      krb5_klog_syslog(LOG_INFO, "starting");
      kadm_svc_run(&params);
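
Review bot: the added call krb5_c_random_os_entropy(context, 1, NULL) passes NULL for its last argument, so only the return code is checked and any success indication the function would report through that pointer is discarded. If the return code can be zero when no OS entropy was actually read, the new error path will never fire. Consider passing an int there and aborting when it comes back 0 as well as when ret is non-zero. The cleanup before exit(1) (svcauth_gssapi_unset_names, kadm5_destroy, krb5_klog_close) is a good addition. A one-line comment explaining that the seeding sits here so it happens before the first client request is served would help. The added blank line after the closing brace also carries trailing whitespace.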

-- 
Russ Allbery ([EMAIL PROTECTED])               <http://www.eyrie.org/~eagle/>

