[597] in Kerberos


Re: storing and destroying old tickets

daemon@TELECOM.MIT.EDU (Dan Kolkowitz)
Thu Jan 12 14:21:15 1989

From: kolk@SMILEY.STANFORD.EDU (Dan Kolkowitz)
To: kerberos@ATHENA.MIT.EDU

	I've always been bothered by the storage of tickets in /tmp; it's the
	sort of data I hate to see lying around a file system.  Until now,
	though, I didn't have a better idea.

This is a problem that we've worried about at Stanford because of the need to support
kerberos on diskless systems.  In a diskless environment the writing of the session
keys causes a write across the net to the file server that is
supporting the client.  In other words the keys are exposed to snooping.  As opposed
to a device interface we've taken advantage of the "shared memory" support in the
newer Berkeley based releases--namely SunOS and Ultrix (these are the two other OS's that
we're worrying about).  In the places that the keys get utilized we map shared memory
segments that belong strictly to the user.  The keys get written
and read from these segments.  The protection on access of the keys
is exactly the same as the protection for the tmp file.  We have this implemented for
SunOS and will start Ultrix shortly.  The sad part of the story is that currently there
is no way to lock down a shared memory segment in SunOS 4.0.  According to Sun this will
be possible in 4.1.  But, since no ascii text strings are stored in shared memory (they
are left in the /tmp file) it seems much less susceptible to snooping.  If anyone is
interested in the details we'll gladly share them.

Dan
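The scheme Dan describes, as an added example written for this archive page (it is not Stanford's implementation nor code from the Kerberos distribution): a session key is kept in a System V shared memory segment, the interface SunOS offered, created mode 0600 so only the owning uid can attach, with mlock() standing in for the "lock down" the post says SunOS 4.0 lacked, and teardown that zeroes the segment before removing it so nothing is left on a file system. The keyseg_* names and the 8-byte key length are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <sys/ipc.h>
#include <sys/mman.h>
#include <sys/shm.h>

#define KEY_LEN 8   /* assumed: length of a DES session key as in Kerberos v4 */

/* Hypothetical handle for a user-private key segment. */
struct keyseg {
    int id;                 /* System V shm identifier */
    unsigned char *base;    /* where the segment is attached */
    int locked;             /* 1 if mlock() succeeded, 0 if the OS refused */
};

/* Create a segment only this uid may attach (mode 0600), attach it, and
 * try to pin it in RAM so the key is never paged out to a swap file. */
int keyseg_create(struct keyseg *s, size_t len) {
    s->id = shmget(IPC_PRIVATE, len, IPC_CREAT | IPC_EXCL | 0600);
    if (s->id < 0) return -1;
    s->base = shmat(s->id, NULL, 0);
    if (s->base == (void *)-1) { shmctl(s->id, IPC_RMID, NULL); return -1; }
    s->locked = (mlock(s->base, len) == 0);   /* best effort, like SunOS 4.0 */
    return 0;
}

/* Permission bits the kernel enforces on the segment (should be 0600). */
int keyseg_mode(const struct keyseg *s) {
    struct shmid_ds ds;
    if (shmctl(s->id, IPC_STAT, &ds) < 0) return -1;
    return ds.shm_perm.mode & 0777;
}

/* The key is written into and read from the segment, never a /tmp file. */
void keyseg_store(struct keyseg *s, const unsigned char *key) { memcpy(s->base, key, KEY_LEN); }
void keyseg_load(const struct keyseg *s, unsigned char *out) { memcpy(out, s->base, KEY_LEN); }

/* Destroy: overwrite with zeros (volatile so it is not optimised away),
 * detach, then remove the segment; unlike a file, nothing remains on disk. */
int keyseg_destroy(struct keyseg *s, size_t len) {
    volatile unsigned char *p = s->base;
    for (size_t i = 0; i < len; i++) p[i] = 0;
    if (shmdt(s->base) < 0) return -1;
    return shmctl(s->id, IPC_RMID, NULL);
}

int main(void) {
    struct keyseg s;
    unsigned char key[KEY_LEN] = {1, 2, 3, 4, 5, 6, 7, 8};   /* constructed sample key */
    if (keyseg_create(&s, 4096) < 0) { perror("shmget/shmat"); return 1; }
    keyseg_store(&s, key);
    printf("segment %d mode %04o locked=%d\n", s.id, keyseg_mode(&s), s.locked);
    return keyseg_destroy(&s, 4096);
}
```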
