storing tickets in memory

Adam Denenberg adam at dberg.org
Thu Jun 10 09:11:47 EDT 2004


OK, thanks for the info.  I did some reading and was basically thinking
of implementing Kerberos here on our Unix systems, but read about some
security concerns about ticket credentials being stored in /tmp,
meaning anyone with root can become another user and steal his/her
credentials.  How do people deal with this security issue?

thanks again
adam

On Wed, 2004-06-09 at 23:08, Ken Raeburn wrote:
> On Jun 9, 2004, at 10:48, Adam Denenberg wrote:
> > I am not on the list so please CC me in reply to the message.  I am
> > doing some Kerberos research and I am trying to see if there is a way
> > to store the ticket credentials cache in memory instead of a file in /tmp
> > (for security reasons).  Is this a configurable option and if so how?
> 
> I assume storing them in a ramdisk file (mounted on /tmp or elsewhere) 
> is not quite what you mean...
> 
> We have a memory ccache type which stores credentials in heap storage, 
> but that's useless if you need to access them from multiple processes.
> 
> At the moment, no, there's no other option, on UNIX.  On Mac OS X and 
> Windows, we've got the capability of using interprocess communication 
> to contact a process which holds the credentials in memory.  In the 
> Kerberos 4 code I think there are still bits of code for supporting the 
> use of shared-memory segments for credentials, but I have no idea if it 
> still works (we probably don't care much if it doesn't), and AFAIK no 
> one has done anything similar to krb5.
> 
> Ken
> 
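As an added illustration, not code from either poster: the krb5 credential cache name convention `TYPE:residual` that Ken's answer refers to (a bare path means `FILE`; `MEMORY:` is the heap-only type), plus a small audit of `krb5cc_*` files in a directory that flags the weak permissions Adam worries about. `KRB5CCNAME` is krb5's real environment variable; the audit function and the sample cache files it inspects are constructed for this example and do not protect against root, which is exactly the point of the thread.

```python
import os
import stat
import tempfile
from pathlib import Path

# krb5 credential cache names take the form TYPE:residual.
# A name without a recognised type prefix is treated as a FILE path.
KNOWN_TYPES = {"FILE", "MEMORY", "DIR", "KEYRING", "KCM", "API"}
ON_DISK_TYPES = {"FILE", "DIR"}  # types whose contents land in the filesystem


def parse_ccache_name(name):
    """Split a KRB5CCNAME-style value into (type, residual)."""
    if ":" in name:
        ctype, _, residual = name.partition(":")
        if ctype.upper() in KNOWN_TYPES:
            return ctype.upper(), residual
    return "FILE", name  # bare path: default FILE ccache


def is_on_disk(name):
    """True if a ccache with this name is readable via the filesystem."""
    return parse_ccache_name(name)[0] in ON_DISK_TYPES


def audit_ccache_dir(directory, expected_uid=None):
    """Report krb5cc_* files in `directory` that other users could read.

    Hypothetical audit helper: flags group/other permission bits and, when
    expected_uid is given, files owned by someone else.  Root bypasses all
    of these checks, so this only addresses the unprivileged-user case.
    """
    findings = []
    for path in sorted(Path(directory).glob("krb5cc_*")):
        st = path.lstat()
        if not stat.S_ISREG(st.st_mode):
            findings.append((path.name, "not a regular file"))
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & 0o077:
            findings.append((path.name, f"mode {mode:04o} accessible by others"))
        if expected_uid is not None and st.st_uid != expected_uid:
            findings.append((path.name, f"owned by uid {st.st_uid}"))
    return findings


def demo():
    """Constructed sample: one private and one world-readable cache file."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, mode in (("krb5cc_1000", 0o600), ("krb5cc_1001", 0o644)):
            p = Path(tmp, name)
            p.write_bytes(b"\x05\x04")  # constructed placeholder, not a real ccache
            p.chmod(mode)
        return audit_ccache_dir(tmp, expected_uid=os.getuid())
```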