Path: utzoo!utgpu!watserv1!watmath!att!linac!pacific.mps.ohio-state.edu!zaphod.mps.ohio-state.edu!usc!cs.utexas.edu!uunet!shelby!MIT.EDU!jis
From: jis@MIT.EDU (Jeffrey I. Schiller)
Newsgroups: comp.protocols.kerberos
Subject: Re: Storing tickets safely
Message-ID: <9103030407.AA14808@BIG-SCREW>
Date: 3 Mar 91 04:07:01 GMT
References: <9103022040.AA09100@snll-arpagw.llnl.gov>
Sender: jis@ATHENA.MIT.EDU
Organization: Internet-USENET Gateway at Stanford University
Lines: 42

Whether or not tickets are stored in the kernel or in a file is not a function of Kerberos, but of the system platforms that run Kerberos. V5 Kerberos provides a ticket cache abstraction which by default stores tickets in a file (because that is the only "portable" thing we can do). However, if your system has the appropriate functions to store tickets in the kernel, it should not be hard to implement a ticket cache abstraction that uses it.

From: hilary@snll-arpagw.llnl.gov (Hilary Jones)
Subject: Storing tickets safely

I have a concern about one of the premises of Kerberos, and that is that storing a ticket on a workstation is somehow more secure than storing a file containing the user's password. It seems to me that the ticket is nothing more than a glorified password, and that this will become even more apparent if longer-lived passwords become the norm.
...

It *is* more secure to only store the ticket rather than the password. Tickets have a definite, known lifetime. How long that lifetime should be is a trade-off between security and convenience. If a ticket is compromised, the duration of the compromise is bounded. I will also point out that normal (many hour duration) tickets are *not* valid for *password* change requests. This means that compromised tickets cannot be used to change a user's password.

Passwords, on the other hand, have an infinite or at the very least an indeterminate lifetime. A password is valid until it is changed by explicit action (some systems age passwords, but that is another situation). It is therefore more important to protect them better (i.e. not store them on the workstation).

From a practical point of view this means that if my tickets are stored on a workstation, tomorrow morning I *know* that my account is "safe" (hanky panky may have already happened, but no future hanky panky can happen). If my password was stored on the workstation, I don't *know* that it wasn't compromised. It may well have been stolen, but the thief may not take advantage of it for days. Of course if I am paranoid I could change it (and people with reason to be paranoid should in general change their password often) but that isn't the point.

-Jeff
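The two points Jeff makes above (a stolen ticket is usable only until it expires, and an ordinary ticket is not accepted for a password change) can be made concrete with a small model. The code below is an added illustration written for this page, not Kerberos code and not part of the thread: the ticket cache, the `kadmin/changepw` service name, the integer clock and the `initial` flag are all constructed assumptions. The `initial` flag stands in for the real protocol's rule that the change-password service only honours tickets obtained directly with the user's password rather than via a ticket-granting ticket.

```python
"""Toy model of ticket lifetime versus password lifetime.

Constructed illustration, not MIT Kerberos code.  The clock is a plain
integer in seconds, the cache is a list, and the service name below is an
assumption chosen to read like a Kerberos principal.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

CHANGEPW = "kadmin/changepw"  # assumed name for the password-change service
TGT = "krbtgt/EXAMPLE.ORG"    # constructed realm for the example


@dataclass(frozen=True)
class Ticket:
    principal: str
    service: str
    issued_at: int          # seconds on the constructed clock
    lifetime_s: int
    initial: bool = False   # True only if obtained with the password itself

    def expires_at(self) -> int:
        return self.issued_at + self.lifetime_s

    def is_valid(self, now: int) -> bool:
        return self.issued_at <= now < self.expires_at()


class FileTicketCache:
    """Models the default file-backed cache: entries sit there until purged."""

    def __init__(self) -> None:
        self._tickets: list[Ticket] = []

    def store(self, t: Ticket) -> None:
        self._tickets.append(t)

    def lookup(self, service: str, now: int) -> Optional[Ticket]:
        # An expired entry may still be on disk, but it is never handed out.
        for t in self._tickets:
            if t.service == service and t.is_valid(now):
                return t
        return None

    def purge_expired(self, now: int) -> int:
        before = len(self._tickets)
        self._tickets = [t for t in self._tickets if t.is_valid(now)]
        return before - len(self._tickets)


def derive(tgt: Ticket, service: str, now: int, lifetime_s: int) -> Ticket:
    """A service ticket obtained with a TGT never outlives the TGT and is
    never 'initial', so whoever holds a stolen TGT inherits both limits."""
    end = min(tgt.expires_at(), now + lifetime_s)
    return Ticket(tgt.principal, service, now, end - now, initial=False)


def accept(t: Ticket, service: str, now: int) -> tuple[bool, str]:
    """Server-side decision: what a presented ticket can do at time `now`."""
    if not t.is_valid(now):
        return False, "expired"
    if t.service != service:
        return False, "wrong service"
    if service == CHANGEPW and not t.initial:
        return False, "password change requires an initial ticket"
    return True, "ok"


def exposure_seconds(stolen_at: int, expires_at: Optional[int]) -> Optional[int]:
    """How long a stolen credential stays usable; None means unbounded.
    A password has no expiry (expires_at=None); a ticket always has one."""
    if expires_at is None:
        return None
    return max(0, expires_at - stolen_at)


def demo() -> dict:
    now = 1_000
    tgt = Ticket("alice@EXAMPLE.ORG", TGT, issued_at=now, lifetime_s=10 * 3600)
    cache = FileTicketCache()
    cache.store(tgt)
    stolen_at = now + 3600                    # cache copied an hour later
    next_morning = now + 12 * 3600
    # Ticket for the password-change service obtained with the stolen TGT
    via_tgt = derive(tgt, CHANGEPW, stolen_at, 3600)
    # Ticket for the same service obtained by typing the password (initial)
    fresh = Ticket("alice@EXAMPLE.ORG", CHANGEPW, stolen_at, 300, initial=True)
    return {
        "tgt_usable_when_stolen": accept(tgt, TGT, stolen_at)[0],
        "tgt_usable_next_morning": accept(tgt, TGT, next_morning)[0],
        "derived_changepw": accept(via_tgt, CHANGEPW, stolen_at),
        "initial_changepw": accept(fresh, CHANGEPW, stolen_at),
        "ticket_exposure_s": exposure_seconds(stolen_at, tgt.expires_at()),
        "password_exposure_s": exposure_seconds(stolen_at, None),
        "purged_next_morning": cache.purge_expired(next_morning),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the bound the post describes: the copied ticket works an hour after the theft but not the next morning, the ticket exposure is the nine hours left on the TGT while the password exposure is unbounded, and a change-password ticket obtained from the stolen TGT is refused while one obtained with the password itself is accepted.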