[31954] in Kerberos
file-based credentials vs memory-based credentials
daemon@ATHENA.MIT.EDU (Guillaume Rousse)
Wed Jan 20 07:37:42 2010
Message-ID: <4B56F889.4090800@inria.fr>
Date: Wed, 20 Jan 2010 13:35:21 +0100
From: Guillaume Rousse <Guillaume.Rousse@inria.fr>
MIME-Version: 1.0
To: Kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Hello.
I sometimes hear that Kerberos 5 security is lowered by the use of file-based
credentials, whereas Kerberos 4 was using shared memory instead, making it
much more difficult for an admin (for instance) to retrieve a valid user
ticket.
I know an admin user can scan the memory for a user ticket, but a quick
Google search on the issue didn't return any such tool ready for use.
And unless some string pattern makes it easy to grep /proc/kcore for
extracting those tickets, is this assertion reserved to admins able to
craft a dedicated memory scanning tool?
Also, I've read that the Kerberos 5 specification doesn't enforce one or the
other kind of storage; that's just the MIT and Heimdal implementation
choices. Is there any way, for both of them, to use a memory-based
credential cache instead?
--
BOFH excuse #91:
Mouse chewed through power cable
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
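An added example (not part of the message above, nor code from MIT krb5 or Heimdal) that makes the file-based storage question concrete: it serialises one credential in the MIT krb5 FILE credential cache layout (format version 4, as documented in the MIT krb5 manual) and parses it back. The point it demonstrates is that a FILE ccache is a plain length-prefixed structure in which the principal names, the session key and the KDC-issued ticket are all stored unencrypted, so anyone who can read the file (root, a backup job, a forensic image) gets the ticket without any memory scanning. The realm, principal names, key bytes and ticket bytes are constructed test values, not data from a real KDC; the KRB5CCNAME values in the note after the block are assumptions about current MIT and Heimdal behaviour, not something stated in the message.

```python
import struct

# Added example: MIT krb5 FILE ccache (format v4) writer and reader.
# Every name, key and ticket below is a constructed test value.

NT_PRINCIPAL = 1
NT_SRV_INST = 2
ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 18
HEADER_TAG_DELTA_TIME = 1


def _data(b: bytes) -> bytes:
    """The ccache 'data' type: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def encode_principal(name_type: int, realm: str, components: list) -> bytes:
    """v4 principal: name_type, component count, realm, then each component."""
    out = struct.pack(">II", name_type, len(components)) + _data(realm.encode())
    for c in components:
        out += _data(c.encode())
    return out


def build_ccache(realm, client, server, enctype, session_key, ticket, now) -> bytes:
    """Serialise a cache holding one credential (e.g. a TGT)."""
    header = struct.pack(">HH", HEADER_TAG_DELTA_TIME, 8) + struct.pack(">II", 0, 0)
    out = b"\x05\x04" + struct.pack(">H", len(header)) + header   # version 5.4
    out += encode_principal(NT_PRINCIPAL, realm, client)          # default principal
    out += encode_principal(NT_PRINCIPAL, realm, client)          # cred: client
    out += encode_principal(NT_SRV_INST, realm, server)           # cred: server
    out += struct.pack(">H", enctype) + _data(session_key)        # keyblock, in the clear
    out += struct.pack(">IIII", now, now, now + 36000, now + 7 * 86400)  # auth/start/end/renew_till
    out += b"\x00"                                                # is_skey
    out += struct.pack(">I", 0x40E00000)                          # forwardable|renewable|initial|pre-authent
    out += struct.pack(">I", 0)                                   # addresses: none
    out += struct.pack(">I", 0)                                   # authdata: none
    out += _data(ticket)                                          # KDC-issued ticket, as issued
    out += _data(b"")                                             # second_ticket: empty
    return out


class _Reader:
    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.buf):
            raise ValueError("truncated ccache")
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self): return self.take(1)[0]
    def u16(self): return struct.unpack(">H", self.take(2))[0]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def data(self): return self.take(self.u32())


def _read_principal(r: _Reader) -> str:
    r.u32()                                   # name_type, not needed for display
    n = r.u32()
    realm = r.data().decode()
    return "/".join(r.data().decode() for _ in range(n)) + "@" + realm


def parse_ccache(buf: bytes):
    """Return (default_principal, [credential dicts]) from a v4 FILE ccache."""
    r = _Reader(buf)
    if r.take(2) != b"\x05\x04":
        raise ValueError("not a version 4 FILE ccache")
    r.take(r.u16())                           # skip header tags
    default = _read_principal(r)
    creds = []
    while r.pos < len(buf):
        cred = {"client": _read_principal(r), "server": _read_principal(r)}
        cred["enctype"] = r.u16()
        cred["session_key"] = r.data()        # readable by anyone who can read the file
        cred["authtime"], cred["starttime"], cred["endtime"], cred["renew_till"] = (
            r.u32() for _ in range(4))
        r.u8()                                # is_skey
        cred["flags"] = r.u32()
        for _ in range(r.u32()):              # addresses
            r.u16(); r.data()
        for _ in range(r.u32()):              # authdata
            r.u16(); r.data()
        cred["ticket"] = r.data()
        r.data()                              # second_ticket
        creds.append(cred)
    return default, creds


# Constructed sample cache: one TGT for guillaume@EXAMPLE.ORG.
SAMPLE_CCACHE = build_ccache(
    "EXAMPLE.ORG", ["guillaume"], ["krbtgt", "EXAMPLE.ORG"],
    ENCTYPE_AES256_CTS_HMAC_SHA1_96, b"\x11" * 32, b"constructed-ticket-bytes", 1263990921)


def demo():
    return parse_ccache(SAMPLE_CCACHE)


if __name__ == "__main__":
    default, creds = demo()
    print("default principal:", default)
    for c in creds:
        print(c["client"], "->", c["server"], "enctype", c["enctype"],
              "key", c["session_key"].hex(), "ticket", len(c["ticket"]), "bytes")
```

To avoid that exposure, the cache type is selected through KRB5CCNAME rather than by the protocol, as the message already notes. As an assumption about current implementations: MIT krb5 accepts `KRB5CCNAME=KEYRING:persistent:$(id -u)` (Linux kernel keyring, retrievable only via the keyring API and its permissions) or `KRB5CCNAME=KCM:` (a credential daemon), and Heimdal's `kcm` daemon serves `KCM:` caches; `MEMORY:` exists in both but is visible only inside the process that created it, so it does not survive across commands. None of these stops a root user who can ptrace the process or read kernel memory; they only remove the trivially readable file.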