porting CCAPI to UNIX

Ken Hornstein kenh at cmf.nrl.navy.mil
Wed May 9 15:44:14 EDT 2007


>Unless someone's going to implement cross-session ptrace restrictions  
>and the like, there's little point in trying to do enforced  
>isolation.

I understand that line of reasoning ... but exactly how far do you want
to take that logic?

What attack vectors are you trying to protect against?  Same userid?
Root?  Are you concerned about loadable kernel modules?  If you worry
about ALL of that stuff, you will come to the conclusion that on a
multiuser Unix system you are basically screwed and you might as well
just broadcast your Kerberos password to your local cracker IRC channel.
I don't think anyone advocates that, but my point is that at least when
it comes to untrusted host security there are a whole bunch of shades
of grey when it comes to protecting credentials.

Here's something to think about: this wacky credential cache, when it
was implemented, resulted in an unquestionable and measurable improvement
in security.  Can it be broken?  Hell yes.  But it is harder to do so,
and there is no question in my mind that the increase in difficulty has
value.

--Ken


