file-based credentials vs memory-based credentials

Ken Raeburn raeburn at mit.edu
Wed Jan 20 08:56:07 EST 2010


On Jan 20, 2010, at 07:35, Guillaume Rousse wrote:
> I sometimes hear that Kerberos 5 security is lowered by the use of
> file-based credentials, whereas Kerberos 4 used shared memory instead,
> making it much more difficult for an admin (for instance) to retrieve a
> valid user ticket.

Depending on how your security model works, yes, though once a tool is
made to do a job, the admin (or attacker, or virus writer) doesn't
have to be particularly skilled to use it.

> I know an admin user can scan memory for a user ticket, but a quick
> Google search on the issue didn't return any such ready-to-use tool.
> And unless some string pattern makes it easy to grep /proc/kcore to
> extract those tickets, is this assertion reserved to admins able to
> craft a dedicated memory scanning tool?

The legitimate user has to get at it somehow.  Depending on what
access the attacker has to start with, they may be able to follow the
same technique to get at it.  For example, use the system debugger
interfaces to attach to one of the user's processes that has the Kerberos
code loaded, force it to make certain calls, read the result out of
process memory, and then let it go back to whatever the user really
wanted it to do; total delay for the user, probably a fraction of a
second.  Or, look at a file in /tmp that holds a text representation
of a handle on a shared memory segment accessible only by the user or
by root, if the attacker has root privs.

> Also, I've read that the Kerberos 5 specification doesn't enforce one or
> the other kind of storage; that's just MIT and Heimdal implementation
> choices. Is there any way, for both of them, to use a memory-based
> credential cache instead?

Yes, files were the easy implementation, especially considering the
implementation goes back a couple of decades to when some common
functionality now wasn't available, or at least not widely so.  MIT
does have credential caches for Mac and Windows that are not file-based,
but the code is fairly system-specific and hasn't been ported
to general UNIX platforms yet.  On Linux, the MIT libraries can use
the "keyring" support in modern kernels.

-- 
Ken Raeburn / raeburn at mit.edu / no longer at MIT Kerberos Consortium
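An added example, not part of this thread, that a defender can use to audit the point discussed above: it classifies a credential cache by the type prefix MIT krb5 uses in KRB5CCNAME (FILE, DIR, KEYRING, MEMORY, API, KCM; no prefix means FILE) and, for a FILE cache, checks that the file is owned by the caller and carries no group/other permission bits. The audit_ccache helper and its fallback to /tmp/krb5cc_<uid> are assumptions about the common default, not something the message states.

```shell
#!/bin/sh
# Added example, not from the thread: classify a credential cache name
# (KRB5CCNAME syntax as MIT krb5 uses it) and, for FILE caches, check that
# the file is owned by the caller and readable by nobody else.
# Type prefixes: FILE:, DIR:, KEYRING:, MEMORY:, API:, KCM:. No prefix = FILE.

# ccache_type VALUE -> cache type in upper case
ccache_type() {
    case "$1" in
        *:*) printf '%s\n' "${1%%:*}" | tr '[:lower:]' '[:upper:]' ;;
        *)   printf 'FILE\n' ;;
    esac
}

# ccache_backing VALUE -> "file" if tickets live on disk, "memory" otherwise
ccache_backing() {
    case "$(ccache_type "$1")" in
        FILE|DIR)               printf 'file\n' ;;
        KEYRING|MEMORY|API|KCM) printf 'memory\n' ;;
        *)                      printf 'unknown\n' ;;
    esac
}

# check_file_ccache VALUE -> 0 if the FILE cache exists, is owned by the
# current uid and has no group/other permission bits; 1 otherwise.
check_file_ccache() {
    path="${1#FILE:}"
    [ -f "$path" ] || return 1
    # stat -c is GNU, stat -f is BSD/macOS; try GNU first.
    mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path") || return 1
    owner=$(stat -c '%u' "$path" 2>/dev/null || stat -f '%u' "$path") || return 1
    [ "$owner" = "$(id -u)" ] || return 1
    case "$mode" in
        *[1-7][0-7]|*[0-7][1-7]) return 1 ;;  # some group/other bit is set
        *)                       return 0 ;;
    esac
}

# audit_ccache [VALUE] -> report on VALUE, else $KRB5CCNAME, else the usual
# per-uid default under /tmp (assumed default, adjust for your build).
audit_ccache() {
    cc="${1:-${KRB5CCNAME:-FILE:/tmp/krb5cc_$(id -u)}}"
    if [ "$(ccache_type "$cc")" = FILE ]; then
        if check_file_ccache "$cc"; then echo "ok: $cc is a file cache, owner-only"
        else echo "WARN: $cc is a file cache that is missing or not owner-only"; fi
    else
        echo "ok: $cc is $(ccache_backing "$cc")-backed"
    fi
}
```

To move a Linux MIT krb5 installation off FILE caches, the [libdefaults] setting default_ccache_name = KEYRING:persistent:%{uid} selects the kernel keyring cache mentioned above, and audit_ccache will then report it as memory-backed.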