KEYRING:persistent and ssh
Ken Hornstein
kenh at cmf.nrl.navy.mil
Wed Sep 28 11:43:21 EDT 2016
>Storing: Simply on a ram filesystem and use ACLs to tackle it down to
>the list of users who need it. This is pretty much what KEYRING does,
>with a custom nonstandard API.
FWIW, we are going to KEYRING everywhere; the semantics for what you
want in terms of a credential cache store are almost perfect. What you
DON'T want to do is store credentials on a filesystem (be it in RAM or
on spinning disk); been there, done that. As for the leaking of information
across chroot/Docker containers ... I'm trying to imagine how that would
be an actual security problem in practice. I could be proven wrong, of
course, but I'd like to see some more concrete risks here.
--Ken
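The point Ken makes (a credential cache that lives on a filesystem is exposed to anyone the file permissions let in, while KEYRING and MEMORY caches are not filesystem objects at all) can be turned into a quick audit. The script below is an added example for this thread, not code from the post or from MIT Kerberos: it parses a KRB5CCNAME-style name of the form TYPE:residual, treats a name without a type prefix as FILE (the documented MIT default), and for FILE caches checks that the file is owned by the caller and has no group or other permission bits. The verdict strings and the decision to flag unhandled cache types are choices made here for the demonstration.

```shell
#!/bin/sh
# Added example, not from the mailing-list post or any Kerberos release.
# Classifies a credential cache name (KRB5CCNAME syntax: TYPE:residual)
# and, for FILE: caches, checks the on-disk exposure the thread discusses.

# ccache_type NAME -> prints the cache type; a name without "TYPE:" is FILE
ccache_type() {
    case "$1" in
        *:*) printf '%s\n' "${1%%:*}" ;;
        *)   printf 'FILE\n' ;;
    esac
}

# file_mode PATH -> octal permission bits (GNU stat, with BSD stat fallback)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# file_owner PATH -> numeric uid of the owner (GNU stat, BSD fallback)
file_owner() {
    stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"
}

# ccache_check NAME -> prints a one-line verdict; returns 0 when the cache
# is acceptable, 1 otherwise.
ccache_check() {
    name="$1"
    type=$(ccache_type "$name")
    case "$type" in
        KEYRING|MEMORY)
            # Kernel keyring / process memory: no file for another uid to read.
            echo "ok: $type cache is not a filesystem object"
            return 0 ;;
        FILE)
            path="${name#FILE:}"
            if [ ! -f "$path" ]; then
                echo "warn: FILE cache $path does not exist"
                return 1
            fi
            mode=$(file_mode "$path")
            owner=$(file_owner "$path")
            if [ "$owner" != "$(id -u)" ]; then
                echo "fail: $path is owned by uid $owner, not uid $(id -u)"
                return 1
            fi
            # Any group/other bit means another uid on the host can read or
            # replace the tickets; that is the exposure a FILE cache carries.
            case "$mode" in
                *00)
                    echo "ok: FILE cache $path is mode $mode, owned by uid $owner"
                    return 0 ;;
                *)
                    echo "fail: FILE cache $path has mode $mode; expected 600"
                    return 1 ;;
            esac ;;
        *)
            # DIR:, API: and others are not examined by this example.
            echo "warn: cache type $type is not handled by this check"
            return 1 ;;
    esac
}

# Stand-alone use: audit whatever cache the current session points at.
if [ -n "${KRB5CCNAME:-}" ]; then
    ccache_check "$KRB5CCNAME" || true
fi
```

Run it in a shell where KRB5CCNAME is set, or call ccache_check with an explicit name; a KEYRING:persistent:UID name passes without touching the filesystem, while a FILE: cache only passes when it is the caller's own file with mode 600.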