Solaris ssh pam_krb

Ken Hornstein kenh at
Fri Mar 31 16:39:57 EST 2006

>Why store tickets in the kernel, what's the point?  Presumably you'd not
>want anything other than TGTs in the kernel, so where do you cache
>service tickets?  Or do you want all tickets in the kernel?  (Presumably
>in pageable, accounted memory...).

Well, actually, I'd rather have the whole ticket cache in the kernel.
I have personally seen attacks on the current file cache; right now we
don't use a file cache, but the scheme we do use has some issues.  One
thing we were planning on doing was use the Linux kernel keyrings
if/when they become suitable ... but of course those would only work
under Linux.  I know that putting the ticket cache in the kernel isn't
100% protection, but I think it's the best we can probably do on a
multi-user Unix system.  The caches I see are tiny, so I'm not too
worried about size.  Make it one of those adjustable kernel parameters.


More information about the Kerberos mailing list