storing tickets in memory
adam at dberg.org
Thu Jun 10 09:11:47 EDT 2004
ok thanks for the info. I did some reading and was basically thinking
of implementing kerberos here on our unix systems but read about some
security concerns about ticket credentials being stored in /tmp.
Meaning anyone with root can become another user and steal his/her
credentials. How do people deal with this security issue?
On Wed, 2004-06-09 at 23:08, Ken Raeburn wrote:
> On Jun 9, 2004, at 10:48, Adam Denenberg wrote:
> > i am not on the list so please CC me in reply to the message. I am
> > doing some kerberos research and I am trying to see if there is a way
> > to
> > store the ticket credentials cache in memory instead of a file in /tmp
> > (for security reasons). Is this a configurable option and if so how?
> I assume storing them in a ramdisk file (mounted on /tmp or elsewhere)
> is not quite what you mean...
> We have a memory ccache type which stores credentials in heap storage,
> but that's useless if you need to access them from multiple processes.
> At the moment, no, there's no other option, on UNIX. On Mac OS X and
> Windows, we've got the capability of using interprocess communication
> to contact a process which holds the credentials in memory. In the
> Kerberos 4 code I think there are still bits of code for supporting the
> use of shared-memory segments for credentials, but I have no idea if it
> still works (we probably don't care much if it doesn't), and AFAIK no
> one has done anything similar to krb5.
More information about the Kerberos