[37718] in Kerberos
Re: KEYRING:persistent and ssh
daemon@ATHENA.MIT.EDU (Simo Sorce)
Wed Sep 28 17:01:07 2016
Message-ID: <1475096430.3612.93.camel@redhat.com>
From: Simo Sorce <simo@redhat.com>
To: Cedric Blancher <cedric.blancher@gmail.com>
Date: Wed, 28 Sep 2016 17:00:30 -0400
In-Reply-To: <CALXu0UcVWgm0JSZcd23vHde81WVyAak54ytbu5-TVNbEDY7tTA@mail.gmail.com>
Mime-Version: 1.0
Cc: "<kerberos@mit.edu>" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Wed, 2016-09-28 at 22:17 +0200, Cedric Blancher wrote:
> On 28 September 2016 at 19:01, Simo Sorce <simo@redhat.com> wrote:
> > On Wed, 2016-09-28 at 11:43 -0400, Ken Hornstein wrote:
> >> >Storing: Simply on a ram filesystem and use ACLS to tackle it down to
> >> >the list of users who need it. This is pretty much what KEYRING does,
> >> >with a custom nonstandard api.
> >>
> >> FWIW, we are going to KEYRING everywhere; the semantics for what you
> >> want in terms of a credential cache store are almost perfect. What you
> >> DON'T want to do is store credentials on a filesystem (be it in RAM or
> >> on spinning disk); been there, done that. As for the leaking of information
> >> across chroot/Docker containers ... I'm trying to imagine how that would
> >> be an actual security problem in practice. I could be proven wrong, of
> >> course, but I'd like to see some more concrete risks here.
> >
> > It becomes a potential security issue if you run containers as root, but
> > nobody is doing that in production, right ? Because if you do, the
> > keyring issue is not the major problem here.
> >
> > Besides there are various part of the kernel that depends on the keyring
> > now, disabling it is going to cause hard to diagnose issues or limit the
> > features you can use.
>
> That's hard to believe now that AWS and Google clouds have keyring
> support patched out of their kernels (SEL at least), too. Syscalls are
> still there but they all return not supported.
They probably do not need it in their main use cases. But in the VMs you
can run your own kernel so you can use what you like.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
