Solaris ssh pam_krb

Ken Hornstein kenh at cmf.nrl.navy.mil
Fri Mar 31 18:29:57 EST 2006


>> I agree that you can design a user-land scheme that's a lot better than
>> a simple file, but there are enough tools available for grovelling through
>> a user-level daemon's memory that I would prefer to have something better.
>> Again, it's not 100%, but it's all a matter of degree.
>
>One tool name: DTrace.
>
>Ok, two: kmdb.
>
>Well, let's make it three and stop there: Xen.
>
>Sorry, I don't buy this line of argument.

I guess I don't follow you (and isn't Xen a virtual machine?  How does
that apply?).  I did say "matter of degree".  Sure, you can look through
the whole kernel, and tools exist to do that today; but it's a harder
task than looking through one process.  (I don't seem to have kmdb or
DTrace on any Solaris systems here; I don't know if they cost extra,
but if an attacker would need those tools, they'd be out of luck here,
assuming they didn't get a license from someone else).

Anyway, I guess we're not going to agree on this one.

--Ken

More information about the Kerberos mailing list