Solaris ssh pam_krb
Ken Hornstein
kenh at cmf.nrl.navy.mil
Fri Mar 31 16:39:57 EST 2006
>Why store tickets in the kernel, what's the point? Presumably you'd not
>want anything other than TGTs in the kernel, so where do you cache
>service tickets? Or do you want all tickets in the kernel? (Presumably
>in pageable, accounted memory...).
Well, actually, I'd rather have the whole ticket cache in the kernel.
I have personally seen attacks on the current file cache; right now we
don't use a file cache, but the scheme we do use has some issues. One
thing we were planning on doing was to use the Linux kernel keyrings
if/when they become suitable ... but of course those would only work
under Linux. I know that putting the ticket cache in the kernel isn't
100% protection, but I think it's the best we can probably do on a
multi-user Unix system. The caches I see are tiny, so I'm not too
worried about size. Make it one of those adjustable kernel parameters.
--Ken
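As an added illustration of the point above (example code, not from the thread or from any Kerberos implementation): a small POSIX shell check that classifies a credential cache by where it lives and, for the FILE: kind Ken is worried about on a multi-user host, verifies the permission bits. It assumes the MIT-style KRB5CCNAME prefixes FILE:, KEYRING: and KCM:, and GNU `stat -c` (Solaris and BSD stat take different options).

```shell
#!/bin/sh
# Added example: audit where a Kerberos credential cache is stored.
# Assumed cache-name conventions (MIT Kerberos): "FILE:/path",
# "KEYRING:...", "KCM:..."; a bare path is treated as a FILE: cache.

# audit_ccache CCNAME -> prints a verdict; returns 0 if acceptable, 1 if not
audit_ccache() {
    ccname=$1
    case "$ccname" in
        KEYRING:*)
            # kernel-held cache: no filesystem object for another user to read
            echo "kernel keyring cache ($ccname): not exposed via the filesystem"
            return 0 ;;
        KCM:*)
            # cache held by a daemon that mediates access per uid
            echo "daemon-held cache ($ccname): access mediated by the KCM service"
            return 0 ;;
        FILE:*) path=${ccname#FILE:} ;;
        *)      path=$ccname ;;
    esac
    if [ ! -e "$path" ]; then
        echo "file cache $path: missing"
        return 1
    fi
    # GNU coreutils stat (assumption); %a = octal mode, %u = owner uid
    mode=$(stat -c '%a' "$path")
    owner=$(stat -c '%u' "$path")
    case "$mode" in
        600|400) ;;
        *)  echo "file cache $path: mode $mode grants access beyond the owner"
            return 1 ;;
    esac
    if [ "$owner" != "$(id -u)" ]; then
        echo "file cache $path: owned by uid $owner, not the caller"
        return 1
    fi
    # owner-only bits are the best a file cache offers: root and any
    # process running as the same uid can still read the tickets
    echo "file cache $path: mode $mode, owner-only (still readable by root and uid $owner)"
    return 0
}
```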