Solaris ssh pam_krb

Douglas E. Engert deengert at
Fri Mar 31 16:44:57 EST 2006

Ken Hornstein wrote:

>>Why store tickets in the kernel, what's the point?  Presumably you'd not
>>want anything other than TGTs in the kernel, so where do you cache
>>service tickets?  Or do you want all tickets in the kernel?  (Presumably
>>in pageable, accounted memory...).
> Well, actually, I'd rather have the whole ticket cache in the kernel.
> I have personally seen attacks on the current file cache; right now we
> don't use a file cache, but the scheme we do use has some issues.  One
> thing we were planning on doing was use the Linux kernel keyrings
> if/when they become suitable ... but of course those would only work
> under Linux.  I know that putting the ticket cache in the kernel isn't
> 100% protection, but I think it's the best we can probably do on a
> multi-user Unix system.  The caches I see are tiny,

Unless the KDC is Windows, and the tickets have PACs.  A TGT is 2000
bytes, but could go as high as 14k.

> so I'm not too
> worried about size.  Make it one of those adjustable kernel parameters.
> --Ken
> ________________________________________________
> Kerberos mailing list           Kerberos at


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
