file-based credentials vs memory-based credentials
Guillaume Rousse
Guillaume.Rousse at inria.fr
Wed Jan 20 07:35:21 EST 2010
Hello.

I sometimes hear that Kerberos 5 security is lowered by the use of
file-based credentials, whereas Kerberos 4 was using shared memory instead,
making it much more difficult for an admin (for instance) to retrieve a
valid user ticket.

I know an admin user can scan the memory for a user ticket, but a quick
Google search on the issue didn't return any such tool ready for use.
And unless some string pattern makes it easy to grep /proc/kcore for
extracting those tickets, is this assertion reserved to admins able to
craft a dedicated memory scanning tool?

Also, I've read that the Kerberos 5 specification doesn't enforce one or the
other kind of storage, that's just MIT and Heimdal implementation
choices. Is there any way, for both of them, to use a memory-based
credential cache instead?
--
BOFH excuse #91:
Mouse chewed through power cable