krb5 ticket cache

Post by Klaas Hagema » Fri, 07 Feb 2003 02:09:24



Hi,

after doing kinit the kerberos client creates a krb5 ticket cache file
like /tmp/krb5cc_506.

Another user having root privileges on this client can obtain this
ticket cache file and have the network-wide rights of the owner of this
ticket.

Is there any chance that the ticket is stored in memory rather than on
the local disk? Can I configure it in any way?

Thanks,
Klaas

________________________________________________

https://mailman.mit.edu/mailman/listinfo/kerberos

Post by Donn Cav » Fri, 07 Feb 2003 02:46:09



...
| after doing kinit the kerberos client creates a krb5 ticket cache file
| like /tmp/krb5cc_506.
|
| Another user having root privileges on this client can obtain this
| ticket cache file and have the network-wide rights of the owner of this
| ticket.
|
| Is there any chance that the ticket is stored in memory rather than on
| the local disk? Can I configure it in any way?

Yes!  Try this:

  $ KRB5CCNAME=MEMORY:0 kinit

Now look for your credentials in /tmp, and they won't be there.  They
won't be anywhere else either, they're just gone, along with the kinit
process that owned that storage, but that would be what you wanted.
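An added check for the on-disk case discussed above (example code, not from the thread or from MIT krb5): a POSIX shell audit of `/tmp/krb5cc_*` files that flags caches whose owner does not match the uid in the file name, that are not mode 0600, that are symlinks, or that do not start with the krb5 FILE ccache magic (assumed here to be 0x05 followed by a format version byte 0x01..0x04). It does nothing against root, only against other local users.

```shell
# Added example (not from the thread): audit krb5 FILE ticket caches.
# For every <dir>/krb5cc_* file, print one line per problem found:
#   - uid in the file name does not match the file's owner
#   - mode is not 0600 (other local users could read the tickets)
#   - file is a symlink, or does not start with the ccache magic bytes
#     (assumed: 0x05 then a format version byte 0x01..0x04)
# Prints nothing when the directory is clean. Root can read the files
# regardless, so this only limits exposure to other non-root users.
audit_krb5cc() {
  dir="${1:-/tmp}"
  for f in "$dir"/krb5cc_*; do
    [ -e "$f" ] || continue          # no caches: the glob did not expand
    base=$(basename "$f")
    # uid is the run of digits right after "krb5cc_" (e.g. krb5cc_506)
    uid_in_name=${base#krb5cc_}
    uid_in_name=${uid_in_name%%[!0-9]*}
    if [ -L "$f" ]; then
      echo "$f: is a symlink, not a regular cache file"
      continue
    fi
    # GNU stat first, BSD/macOS stat as the fallback
    owner=$(stat -c '%u' "$f" 2>/dev/null || stat -f '%u' "$f")
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    if [ -z "$uid_in_name" ]; then
      echo "$f: no uid in file name"
    elif [ "$uid_in_name" != "$owner" ]; then
      echo "$f: named for uid $uid_in_name but owned by uid $owner"
    fi
    if [ "$mode" != "600" ]; then
      echo "$f: mode $mode, expected 600"
    fi
    magic=$(od -An -tx1 -N2 "$f" | tr -d ' \n')
    case "$magic" in
      0501|0502|0503|0504) ;;        # krb5 FILE ccache versions 1..4
      *) echo "$f: does not look like a krb5 ccache (magic ${magic:-empty})" ;;
    esac
  done
}
```

Run it as `audit_krb5cc` (defaults to /tmp) or `audit_krb5cc /some/dir`; an empty result means every cache found is owned by the uid it is named for, is mode 0600, and carries the expected header.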

Post by Ken Raebu » Fri, 07 Feb 2003 23:43:44



> Hi,

> after doing kinit the kerberos client creates a krb5 ticket cache file
> like /tmp/krb5cc_506.

> Another user having root privileges on this client can obtain this
> ticket cache file and have the network-wide rights of the owner of
> this ticket.

> Is there any chance that the ticket is stored in memory rather than on
> the local disk? Can I configure it in any way?

That wouldn't stop someone with full root privileges -- it would just
slow them down a little bit, if at all.  (Unless your system is really
crippled such that even root is severely limited in what it can do.)

The root user could "su" to you, and use your local access to get at
the shared memory segment or wherever the credentials are stored.
Usually root has access to such things anyways, just because it's
root.

The root user could attach one of your processes with a debugger and
pull out the credentials from the process memory.

The root user could replace the programs you're planning to run with
ones that will grab the credentials and stuff a copy in a file
somewhere.

Et cetera....

That said, there may be some benefit to using shared memory segments
after all.  A user with limited ability to read things as root -- say,
through some bug in a setuid program or daemon such that the user can
supply a filename and get a few bytes back -- might not be able to get
at the shared memory segment.  And someone unplugging and walking off
with the machine might get the file system contents but not the
memory.

There is some old code in the krb4 library for storing some
information in shared memory, but I don't think anyone has used it in
a while, and I've no idea how well it worked, what the effect might've
been of never deleting the shared memory segment (if it's not created
and deleted by 'login' and friends), etc.  And I don't think we have
the support in krb5 at all.

However, there is the CCAPI interface used on Mac and Windows, usually
implemented through some IPC mechanism, which could be used to
communicate with a process that keeps the credentials in its memory,
or manages a shared memory segment.  We aren't supporting that on
general UNIX platforms at the moment, but if you wanted to work on
it....
Post by Klaas Hagema » Fri, 07 Feb 2003 23:54:49


Ken,

ok, this makes sense...

Thanks

Klaas


[Fwd: Re: krb5 ticket cache]

[ Attached Message ]

Date: Thu, 06 Feb 2003 08:58:12 +0100
Subject: Re: krb5 ticket cache

Donn Cave wrote:

Ok, but when I do this, I cannot use the krb5 credentials for any other
application, e.g. to achieve single sign-on.
You are right, of course, gone with the wind...
