[595] in Kerberos
storing and destroying old tickets
daemon@TELECOM.MIT.EDU (smb@RESEARCH.ATT.COM)
Thu Jan 12 13:13:45 1989
From: smb@RESEARCH.ATT.COM
To: kerberos@ATHENA.MIT.EDU

I've always been bothered by the storage of tickets in /tmp; it's the
sort of data I hate to see lying around a file system. Until now,
though, I didn't have a better idea.

At the June '88 Usenix, I presented a paper called "The ``Session Tty''
Manager". I can send copies to anyone who can't get hold of the
proceedings. The basic idea is that users do not directly log in to a
physical terminal (or even a pty); instead, they log in to a session
device that is spliced to the physical device when carrier is
detected. If the user logs off, or if carrier drops, the connection is
severed; any remaining user processes are still attached to the session
device rather than the physical device.

The key point, so to speak, is that the session device provides a
convenient rock to hide the keys under. There could be special ioctls
that operate only on /dev/tty to store and retrieve tickets. Since
/dev/tty is private to the session, including all child processes, no
one else would have access. Given the details of the design, it's
impossible for the session device to be reallocated while anyone has it
open; it's also impossible for a process to shed its session identity.
We thus have a piece of the kernel that is uniquely tied to a
particular login session.

Comments? (This is obviously a longer-term project, since one would
have to implement my session stuff for SunOS and 4.3bsd. But with
streams in SunOS 4.0, and coming, I understand, in 4.4bsd, it won't be
that hard in the near future.)

--Steve Bellovin