Path: utzoo!utgpu!watserv1!watmath!att!pacbell.com!ames!rex!wuarchive!zaphod.mps.ohio-state.edu!tut.cis.ohio-state.edu!ucbvax!agate!shelby!ATHENA.MIT.EDU!qjb
From: qjb@ATHENA.MIT.EDU
Newsgroups: comp.protocols.kerberos
Subject: Storing tickets safely
Message-ID: <9103040710.AA18350@soup.MIT.EDU>
Date: 4 Mar 91 07:10:09 GMT
Sender: news@shelby.stanford.edu (USENET News System)
Organization: Internet-USENET Gateway at Stanford University
Lines: 32

Kerberos version V does indeed have support for arbitrary ticket caching mechanisms. The terminology has been changed to "credentials cache" since this is really what the ticket file is. Kerberos V supports an arbitrary interface to this cache. There is a structure of functions (sort of like the way the X toolkit works). You need to implement certain routines according to specification, and then the library will take care of the rest. (I'm glossing over the details, of course.)

If you wanted to write a kernel interface for credentials caching, you could do so without having to otherwise modify any part of the Kerberos code. There is a similar mechanism for srvtabs so that, for example, you could have servers' keys stored in the kernel. If necessary, you could get this by requiring that an operator be present to type passwords at boot time.

Even in Kerberos there is some support for something better than the filesystem. Shared memory ticket files are implemented and should work on some systems that support shared memory. I know that this code works under Ultrix. I know that we have gotten the code to work on a PS/2 running AIX, but I doubt that we sent any patches to the kerberos list if patches were necessary. This still doesn't stop someone from stealing your credentials, but it makes the job considerably more difficult and provides a bit of added safety for clients with diskless workstations (though probably not as much as would be desired).

I should give the disclaimer that my knowledge of Kerberos V is based largely on design discussions that took place last summer.

Jay Berkenbilt
Project Athena
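The pluggable credentials-cache design the post describes (a structure of functions that a backend fills in, with the library calling only those entry points) as an added example in C. This is illustrative code written for this page, not Kerberos V's actual interface: the type names `cc_ops_t`, `ccache_t`, `memory_ops`, the function set `init`/`store`/`retrieve`/`destroy`, the `cc_lookup_ops` registry and the "MEMORY:" naming are all assumptions, and the ticket bytes are constructed sample data. The generic functions never look inside backend state, so a file, shared-memory or kernel backend could replace `memory_ops` without changing them.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One credential as the generic library sees it. The ticket field stands in
 * for the opaque encrypted ticket bytes (constructed sample, not a real ticket). */
typedef struct {
    char client[64];
    char server[64];
    char ticket[128];
} cred_t;

/* The "structure of functions" a cache backend fills in. The library calls
 * only these entry points and never looks inside the backend's state, so a
 * file, shared-memory or kernel backend can be swapped in without touching
 * the rest of the code. (Illustrative layout, not the real Kerberos V one.) */
typedef struct {
    const char *prefix;                                 /* selects the backend, e.g. "MEMORY" */
    int (*init)(void **handle, const char *name);
    int (*store)(void *handle, const cred_t *cred);
    int (*retrieve)(void *handle, const char *server, cred_t *out);
    int (*destroy)(void *handle);                       /* must scrub and release state */
} cc_ops_t;

/* A cache handle: the chosen ops plus backend-private data. */
typedef struct {
    const cc_ops_t *ops;
    void *data;
} ccache_t;

/* ---- generic library side: identical for every backend ---- */
int cc_init(ccache_t *cc, const cc_ops_t *ops, const char *name) {
    if (!ops) return -1;                                /* unknown cache type */
    cc->ops = ops;
    return ops->init(&cc->data, name);
}
int cc_store(ccache_t *cc, const cred_t *cred) { return cc->ops->store(cc->data, cred); }
int cc_retrieve(ccache_t *cc, const char *server, cred_t *out) {
    return cc->ops->retrieve(cc->data, server, out);
}
int cc_destroy(ccache_t *cc) {
    int rc = cc->ops->destroy(cc->data);
    cc->data = NULL;
    return rc;
}

/* ---- one backend: an in-memory cache (no file on disk to read or copy) ---- */
#define MEM_MAX_CREDS 16
typedef struct {
    cred_t creds[MEM_MAX_CREDS];
    int count;
} mem_cache_t;

static int mem_init(void **handle, const char *name) {
    (void)name;                                         /* a memory cache needs no path */
    mem_cache_t *m = calloc(1, sizeof *m);
    if (!m) return -1;
    *handle = m;
    return 0;
}
static int mem_store(void *handle, const cred_t *cred) {
    mem_cache_t *m = handle;
    if (m->count >= MEM_MAX_CREDS) return -1;
    m->creds[m->count++] = *cred;
    return 0;
}
static int mem_retrieve(void *handle, const char *server, cred_t *out) {
    mem_cache_t *m = handle;
    for (int i = 0; i < m->count; i++) {
        if (strcmp(m->creds[i].server, server) == 0) { *out = m->creds[i]; return 0; }
    }
    return -1;                                          /* no ticket for that service */
}
static int mem_destroy(void *handle) {
    mem_cache_t *m = handle;
    memset(m, 0, sizeof *m);                            /* scrub ticket bytes before freeing */
    free(m);
    return 0;
}
const cc_ops_t memory_ops = { "MEMORY", mem_init, mem_store, mem_retrieve, mem_destroy };

/* Registry: a cache name such as "MEMORY:alice" selects the backend by prefix. */
static const cc_ops_t *registry[] = { &memory_ops };

const cc_ops_t *cc_lookup_ops(const char *cache_name) {
    for (size_t i = 0; i < sizeof registry / sizeof registry[0]; i++) {
        size_t n = strlen(registry[i]->prefix);
        if (strncmp(cache_name, registry[i]->prefix, n) == 0 && cache_name[n] == ':')
            return registry[i];
    }
    return NULL;                                        /* unknown backend type */
}

/* Store one constructed credential through the generic API and read it back.
 * Returns 0 on success, or a negative code identifying the failing step. */
int demo_roundtrip(void) {
    ccache_t cc;
    cred_t in = { "alice@EXAMPLE.ORG", "host/ws1.example.org@EXAMPLE.ORG", "constructed-ticket-bytes" };
    cred_t out;
    if (cc_init(&cc, cc_lookup_ops("MEMORY:alice"), "alice") != 0) return -1;
    if (cc_store(&cc, &in) != 0) return -2;
    if (cc_retrieve(&cc, in.server, &out) != 0) return -3;
    int ok = strcmp(out.ticket, in.ticket) == 0;
    /* a lookup for a service with no ticket must fail rather than return stale data */
    if (cc_retrieve(&cc, "krbtgt/OTHER@EXAMPLE.ORG", &out) == 0) ok = 0;
    cc_destroy(&cc);
    return ok ? 0 : -4;
}

int main(void) {
    printf("memory ccache round trip: %s\n", demo_roundtrip() == 0 ? "ok" : "failed");
    return 0;
}
```

Two points worth noticing for anyone writing a real backend: the `destroy` entry point is where ticket bytes get wiped, and a plain `memset` before `free` can be dropped by an optimizing compiler, so production code should use a guaranteed-clearing call such as `explicit_bzero` or `memset_s` where available; and, as the post says, keeping credentials out of the filesystem raises the cost of theft but does not prevent it, since anything the owning process can read, code running as that process can read too.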