[2075] in Kerberos
Re: Version 5 Question
daemon@ATHENA.MIT.EDU (Joe Pato)
Tue Aug 4 11:19:05 1992
From: pato@APOLLO.HP.COM (Joe Pato)
Date: Tue, 4 Aug 92 10:50:15 EDT
To: jec@osf.org (Jonathan Chinitz)
Cc: dinah@rockytop.tivoli.com (Dinah McNutt {sysadminzon}),
In-Reply-To: jec@osf.org (Jonathan Chinitz), tue, 4 aug 92 08:07:32
> If you are interested in an implementation of V5 that does not store
> credentials in /tmp - take a look at OSF/DCE v1.0.1.
> -Jonathan

Don't get your hopes raised too high by this message. It is true that the DCE
1.0.1 code no longer stores the credential cache in /tmp - but it is still file
resident (we just changed the default location of where to store the files).

We made this change for a number of reasons: 1) many systems have cron scripts
that clear /tmp at inopportune times. 2) We needed to be sure that the
credential cache directory had the "sticky" bit to prevent some subtle mutual
authentication attacks on the system.

It would be nice to see other implementations of the credential cache
(in particular a kernel resident cache) but this is neither available from the
OSF nor from the stock MIT implementation. I suspect that some vendors may
well choose to add this to their DCE products.

-- Joe Pato
DCE Security Component Architect
Distributed Object Computing Program / East
Hewlett-Packard Company
pato@apollo.hp.com
-------
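
The sticky-bit requirement in the message above can be checked mechanically. The following is an added example, not part of the original message and not DCE or MIT Kerberos code: it audits a shared directory of file-resident credential caches. The directory and file names are constructed for the demonstration, since the message does not give the DCE default location.

```python
import os
import stat
import tempfile

def audit_cache_dir(path, expected_uid=None):
    """Return a list of findings for a shared credential cache directory."""
    d = os.lstat(path)
    if not stat.S_ISDIR(d.st_mode):
        return [f"{path}: not a real directory"]
    findings = []
    # In a world-writable directory without the sticky bit, any local user can
    # remove or rename another user's cache file and put a different one there.
    if d.st_mode & stat.S_IWOTH and not d.st_mode & stat.S_ISVTX:
        findings.append(f"{path}: world-writable without sticky bit")
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        st = os.lstat(full)  # lstat: do not follow a planted symlink
        if not stat.S_ISREG(st.st_mode):
            findings.append(f"{full}: not a regular file")
            continue
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            mode = stat.S_IMODE(st.st_mode)
            findings.append(f"{full}: open to group/other (mode {mode:04o})")
        if expected_uid is not None and st.st_uid != expected_uid:
            findings.append(f"{full}: owner uid {st.st_uid} != {expected_uid}")
    return findings

def demo():
    """Audit a constructed cache directory before and after hardening."""
    with tempfile.TemporaryDirectory() as root:
        cache_dir = os.path.join(root, "creds")        # hypothetical location
        os.mkdir(cache_dir)
        os.chmod(cache_dir, 0o777)                     # weak: no sticky bit
        cache = os.path.join(cache_dir, "cache_sample")  # constructed name
        with open(cache, "wb") as f:
            f.write(b"constructed placeholder, not a real credential cache")
        os.chmod(cache, 0o644)                         # weak: world-readable
        before = audit_cache_dir(cache_dir, os.geteuid())
        os.chmod(cache_dir, 0o1777)                    # add the sticky bit
        os.chmod(cache, 0o600)                         # owner-only cache file
        after = audit_cache_dir(cache_dir, os.geteuid())
        return before, after

if __name__ == "__main__":
    before, after = demo()
    print("before hardening:", *before, sep="\n  ")
    print("after hardening:", after or "no findings")
```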