Solaris ssh pam_krb

Nicolas Williams Nicolas.Williams at
Fri Mar 31 16:27:31 EST 2006

On Fri, Mar 31, 2006 at 03:56:08PM -0500, Ken Hornstein wrote:
> >Do you prefer a kernel-land implementation?
> Well .... given my druthers, I'd prefer that the BLOBS (e.g., what is
> likely going to be Kerberos tickets/keys) be in the kernel.  I guess I
> don't care if there's a userspace daemon that does management of those
> blobs; I'd just rather not have the blobs in userspace.  But I'd even
> be satisfied with what you describe, as long as the inheritance model
> was the same as PAGs today.

Why store tickets in the kernel, what's the point?  Presumably you'd not
want anything other than TGTs in the kernel, so where do you cache
service tickets?  Or do you want all tickets in the kernel?  (Presumably
in pageable, accounted memory...).

I think it's much better to move the complexity out of the kernel, and
the only keys that should be anywhere in kernel space are those that
will be used by kernel-land components (e.g., session keys).

