Path: utzoo!attcan!uunet!tut.cis.ohio-state.edu!mailrus!ames!eos!shelby!ulysses.att.com!smb
From: smb@ulysses.att.com
Newsgroups: comp.protocols.kerberos
Subject: Re: Questions about vulnerability of ticket cache file
Message-ID: <9006041745.AA21068@ATHENA.MIT.EDU>
Date: 4 Jun 90 17:43:48 GMT
Sender: daemon@shelby.Stanford.EDU
Organization: The Internet
Lines: 26


	 Hello,

	 It seems to me that if my workstation allows more than one
	 login, someone with the root password can read my ticket cache
	 file and hence impersonate me.

	 1) Is this a problem in practice, or have I misunderstood
	 something?

Yes, it's a problem *if* someone is able to log in remotely.  That
is usually not the case at Project Athena.

	 2) If it is a problem, will the next release of Kerberos be
	 providing some facility to deal with it?

There is no defense against root on standard UNIX systems.

	 3) It seems like one solution would be a new device driver,
	 providing ticket cache files that are readable only by the
	 owner and not by root.  Is this a reasonable approach?

No, because root could just read /dev/kmem.  It's a bit harder, but
by no means difficult.  Using a device bound to a login session -- to
/dev/tty, for example -- eliminates the problem of tickets not being
destroyed at logout time, but does nothing to protect against root.