From: hilary@SNLL-ARPAGW.LLNL.GOV (Hilary Jones)
Newsgroups: comp.protocols.kerberos
Subject: Storing tickets safely
Message-ID: <9103022040.AA09100@snll-arpagw.llnl.gov>
Date: 2 Mar 91 20:40:57 GMT
Organization: Internet-USENET Gateway at Stanford University

I have a concern about one of the premises of Kerberos, and that is that storing a ticket on a workstation is somehow more secure than storing a file containing the user's password. It seems to me that the ticket is nothing more than a glorified password, and that this will become even more apparent if longer-lived passwords become the norm. We have told our users not to put passwords in their files, but now we are saying it's okay as long as the "password" is called a "ticket" and is complicated enough that it's hard to copy.

It seems to me that the issue of storing tickets hasn't been dealt with very well in Kerberos as it stands now. I would feel a lot more comfortable about this if the ticket were stored in kernel memory, and if there were a positive assurance that it would be destroyed when the user's last process exited. I wouldn't want the ticket to be destroyed immediately when the user logged out, since s/he might have several windows open, or be running a batch job that would have to continue to run after s/he logged out.

Will tickets be stored in kernel memory in version 5? Or is some other mechanism being planned?
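As an added, defender-side example that is not part of the original post or of any Kerberos distribution: the concern above is that a ticket sitting in a file is only as safe as that file, so the practical check is whether the on-disk credential cache is owned by the user, readable by nobody else, not a symlink, and not in a world-writable directory. The script below audits exactly that. It assumes the MIT-style conventions of a FILE cache at /tmp/krb5cc_<uid> and the KRB5CCNAME variable (with a "FILE:" prefix); a non-file cache type such as KEYRING, which newer MIT Kerberos uses to keep credentials in the Linux kernel keyring, is reported as not auditable on disk. The sample cache file it creates is a constructed placeholder, not a real ticket.

```python
"""Audit a Kerberos credential cache file the way a defender would.

Assumptions (not taken from the original post): MIT-style FILE caches at
/tmp/krb5cc_<uid>, KRB5CCNAME of the form "FILE:/path" or "<TYPE>:<name>".
"""
import os
import stat
import tempfile
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CacheReport:
    path: str
    findings: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


def default_cache_path(env: Optional[dict] = None) -> Optional[str]:
    """Resolve the cache file path from KRB5CCNAME, or the per-uid default.

    Returns None when the cache type is not file-based (e.g. KEYRING), since
    there is then no on-disk file to audit."""
    env = os.environ if env is None else env
    name = env.get("KRB5CCNAME")
    if not name:
        return f"/tmp/krb5cc_{os.getuid()}"
    if ":" not in name:
        return name                      # bare path: treated as FILE
    ctype, rest = name.split(":", 1)
    return rest if ctype.upper() == "FILE" else None


def audit_cache(path: str, expected_uid: Optional[int] = None) -> CacheReport:
    """Return a report listing every reason the cache file is unsafe."""
    report = CacheReport(path)
    try:
        st = os.lstat(path)              # lstat so a symlink is seen as such
    except FileNotFoundError:
        report.findings.append("cache file does not exist")
        return report
    if stat.S_ISLNK(st.st_mode):
        report.findings.append("cache path is a symlink")
        return report
    if not stat.S_ISREG(st.st_mode):
        report.findings.append("cache path is not a regular file")
        return report

    uid = os.getuid() if expected_uid is None else expected_uid
    if st.st_uid != uid:
        report.findings.append(f"owned by uid {st.st_uid}, expected {uid}")

    perm = stat.S_IMODE(st.st_mode)
    if perm & (stat.S_IRWXG | stat.S_IRWXO):
        report.findings.append(f"group/other bits set: mode {perm:04o}, expected 0600")

    # A world-writable parent without the sticky bit lets another local user
    # replace or rename the cache file, so flag it as well.
    parent = os.path.dirname(os.path.abspath(path)) or "/"
    pperm = stat.S_IMODE(os.stat(parent).st_mode)
    if (pperm & stat.S_IWOTH) and not (pperm & stat.S_ISVTX):
        report.findings.append(f"parent dir {parent} is world-writable without sticky bit")
    return report


def demo():
    """Create a constructed sample cache, audit it loose and then tightened."""
    tmpdir = tempfile.mkdtemp()          # mkdtemp gives a private 0700 directory
    path = os.path.join(tmpdir, "krb5cc_demo")
    with open(path, "wb") as f:
        f.write(b"CONSTRUCTED-SAMPLE-NOT-A-TICKET")
    os.chmod(path, 0o644)                # the weak setting: readable by everyone
    before = audit_cache(path)
    os.chmod(path, 0o600)                # the corrected setting
    after = audit_cache(path)
    os.unlink(path)
    os.rmdir(tmpdir)
    return before, after


if __name__ == "__main__":
    for rep in demo():
        print(rep.path, "OK" if rep.ok else rep.findings)
    live = default_cache_path()
    if live is not None:
        print(live, audit_cache(live).findings or "OK")
```

Run it with no arguments to see the loose-versus-tightened comparison on the constructed file, followed by an audit of the real cache named by KRB5CCNAME (or the per-uid default) if one exists.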