[23] in pc-kerberos

Re: Kerberos on PC/TCP

daemon@ATHENA.MIT.EDU (Geoff Arnold @ Sun BOS - R.H. coas)
Fri Jun 3 14:27:07 1994

Date: Fri, 3 Jun 1994 14:16:52 -0400
From: Geoff.Arnold@East.Sun.COM (Geoff Arnold @ Sun BOS - R.H. coast near the top)
To: pc-kerberos@MIT.EDU, pbh@MIT.EDU

>> I've been thinking of moving away from the KERBMEM model so that we can 
>> support OS/2 and NT easier. It seems like most of the security of KERBMEM 
>> can be achieved by using a small RAM disk and a standard ticket file. Some 
>> vendors/users may prefer to bypass the use of a RAM disk and just use a 
>> standard disk.
>> 
>> By putting the ticket file in a hidden directory but in a normal file 
>> within the hidden directory you get a small measure of additional security. 
>> The file will not be found using most FileFind type utilities. Nothing 
>> unusual will be reported by chkdsk since it reports hidden files but not 
>> hidden directories.
>> 
>> KERBMEM remains slightly more secure than a ticket file for operating 
>> systems (I use the term loosely) which do not support file access or 
>> directory access control.

However, the correct approach is surely to remove all knowledge
of the actual ticket storage mechanism from apps, and route
everything through WINKERB.DLL. For example, our current inclination
is to store everything in a secured registry-style VxD. 

Geoff

  Geoff Arnold, PC-NFS architect, SunSoft (geoff.arnold@East.Sun.COM)
##          Life--What chemicals do with time on their hands         ##
##                      (Mike Wilson on talk.origins)                ##
