Kerberos in production on virtual machines

Yorick de Wid asked:

At the moment I am investigating the possibility of using Kerberos as the primary authentication protocol for our cloud structure. We’ll probably follow through with this idea, and for the sake of HA the best option would be multiple virtual machines. I know there are some problems with virtual environments and Kerberos, especially on the topics of randomness and entropy.
It has been my understanding that Kerberos needs direct hardware access, but I’m not sure if that is still the case.

In every test environment, MIT Kerberos runs without any complications on virtual hardware. The question is: is this a recommended setup for a production environment?

My answer:

Kerberos works fine in virtual machines, and has done since virtual machines became a thing. I have no idea why anyone would suggest that might not be the case.

The only potential complication you might have is the need to keep the virtual machine clocks in sync, though very recent versions of Kerberos (i.e. so new that only bleeding edge Linux distributions have shipped it yet) have eliminated the clock synchronization requirement.

As for random numbers, it’s been my experience that Kerberos doesn’t really need that much cryptographically strong random data. Not enough to empty the entropy pool and start blocking things. And even if it did, you have solutions like KVM’s paravirtualized RNG available.

Here’s the entropy pool for the last day for a virtualized KDC:

[Graph: entropy pool availability over the last day]

No real significant issue with running out of entropy here.

Your own KDC might need a lot of it, though. Put it under some load and see what happens.

View the full question and answer on Server Fault.
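The answer above names two things worth checking on a virtualized KDC: clock skew (MIT Kerberos rejects requests outside the `clockskew` window, 300 seconds by default) and kernel entropy, including whether the hypervisor exposes a virtio-rng device. The script below is an added example, not code from the original post or from the Server Fault thread. It parses the `System time` line of `chronyc tracking`, compares the offset against the skew limit, reads the kernel's entropy estimate, and can sample that estimate while you drive load against the KDC yourself. The chrony output in `SAMPLE_TRACKING` is constructed for illustration, the host name in it is made up, and the `MIN_ENTROPY_BITS` threshold is an assumed value, not a Kerberos requirement.

```shell
#!/bin/bash
# Added example: pre-flight checks for a Kerberos KDC running in a VM.
# Not part of the original post. Thresholds and sample data are assumptions.

MAX_SKEW_SECONDS=300   # MIT krb5 default clockskew
MIN_ENTROPY_BITS=256   # assumed comfort threshold, not a Kerberos constant

# Constructed sample of `chronyc tracking` output (host name is made up).
SAMPLE_TRACKING='Reference ID    : C0A80001 (ntp.example.internal)
Stratum         : 3
System time     : 0.000142000 seconds fast of NTP time
Last offset     : +0.000010000 seconds'

# Read chronyc output on stdin; print the local clock offset in seconds,
# positive when the guest is ahead of NTP time, negative when behind.
chrony_offset_seconds() {
    awk -F': ' '/^System time/ {
        split($2, f, " ")            # f[1]=offset f[2]="seconds" f[3]=fast|slow
        off = f[1]
        if (f[3] == "slow") off = -off
        printf "%.6f\n", off
    }'
}

# Succeed if |offset| is below the allowed skew (default MAX_SKEW_SECONDS).
skew_ok() {
    local offset="$1" max="${2:-$MAX_SKEW_SECONDS}"
    awk -v o="$offset" -v m="$max" 'BEGIN { if (o < 0) o = -o; exit !(o < m) }'
}

# Print the kernel's current entropy estimate in bits, or "unknown" off Linux.
entropy_avail() {
    if [ -r /proc/sys/kernel/random/entropy_avail ]; then
        cat /proc/sys/kernel/random/entropy_avail
    else
        echo unknown
    fi
}

# Succeed if the estimate is numeric and at least the minimum.
entropy_ok() {
    local bits="$1" min="${2:-$MIN_ENTROPY_BITS}"
    case "$bits" in
        ''|*[!0-9]*) return 1 ;;   # "unknown" or garbage counts as a failure
    esac
    [ "$bits" -ge "$min" ]
}

# Succeed if the guest sees a virtio-rng device (KVM's paravirtualized RNG).
virtio_rng_present() {
    [ -r /sys/devices/virtual/misc/hw_random/rng_available ] &&
        grep -q virtio /sys/devices/virtual/misc/hw_random/rng_available
}

# Sample the entropy estimate once a second for $1 seconds and print the
# minimum seen. Run your Kerberos load (a loop of kinit/kvno against this
# KDC) in another shell while this runs.
watch_entropy() {
    local secs="${1:-60}" min="" cur
    while [ "$secs" -gt 0 ]; do
        cur=$(entropy_avail)
        [ "$cur" = unknown ] && { echo unknown; return 1; }
        [ -z "$min" ] || [ "$cur" -lt "$min" ] && min="$cur"
        sleep 1
        secs=$((secs - 1))
    done
    echo "$min"
}

# One line per check; non-zero exit if clock or entropy looks bad.
kdc_vm_preflight() {
    local rc=0 off bits
    if command -v chronyc >/dev/null 2>&1; then
        off=$(chronyc tracking 2>/dev/null | chrony_offset_seconds)
        if [ -z "$off" ]; then
            echo "clock: chronyc tracking gave no offset (daemon not running?)"; rc=1
        elif skew_ok "$off"; then
            echo "clock: offset ${off}s within ${MAX_SKEW_SECONDS}s"
        else
            echo "clock: offset ${off}s exceeds ${MAX_SKEW_SECONDS}s"; rc=1
        fi
    else
        echo "clock: chronyc not found, check ntpd/timesyncd by hand"
    fi
    bits=$(entropy_avail)
    if entropy_ok "$bits"; then
        echo "entropy: ${bits} bits available"
    else
        echo "entropy: ${bits} bits (below ${MIN_ENTROPY_BITS})"; rc=1
    fi
    if virtio_rng_present; then
        echo "rng: virtio-rng present"
    else
        echo "rng: no virtio-rng, consider enabling it on the hypervisor"
    fi
    return $rc
}

case "${1:-}" in
    run)   kdc_vm_preflight ;;
    watch) watch_entropy "${2:-60}" ;;
esac
```

Run it as `./kdc-preflight.sh run` on the KDC guest for the one-shot report, or `./kdc-preflight.sh watch 120` while a client loop hammers the KDC, to see how low the entropy estimate actually drops under your own load rather than someone else's graph.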

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.