Solaris ssh pam_krb
Douglas E. Engert
deengert at anl.gov
Fri Mar 31 16:44:57 EST 2006
Ken Hornstein wrote:
>>Why store tickets in the kernel, what's the point? Presumably you'd not
>>want anything other than TGTs in the kernel, so where do you cache
>>service tickets? Or do you want all tickets in the kernel? (Presumably
>>in pageable, accounted memory...).
>
>
> Well, actually, I'd rather have the whole ticket cache in the kernel.
> I have personally seen attacks on the current file cache; right now we
> don't use a file cache, but the scheme we do use has some issues. One
> thing we were planning on doing was use the Linux kernel keyrings
> if/when they become suitable ... but of course those would only work
> under Linux. I know that putting the ticket cache in the kernel isn't
> 100% protection, but I think it's the best we can probably do on a
> multi-user Unix system. The caches I see are tiny,
Unless the KDC is Windows, and the tickets have PACs. A TGT is 2000
bytes, but could go as high as 14k.
> so I'm not too
> worried about size. Make it one of those adjustable kernel parameters.
>
> --Ken
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444