On Thu, 2011-05-26 at 14:43 -0400, Simo Sorce wrote:
> On Thu, 2011-05-26 at 14:19 -0400, Dmitri Pal wrote:
> > Cookie can be stored on the home directory of the user and user home
> > directory can be NFS mounted so if we save anything important in the
> > cookie the NFS root would be able to impersonate the user. It assumes
> > that TGTs are not stored on the NFS in this case so replacing the TGT
> > auth with fast session cookie auth would be a security issue.
> > I hope I understand the issue correctly.
>
> We can store the cookie in the ccache, so that we have it in the
> same place the TGT is. We shouldn't save it in the home, as it is
> insecure indeed.

I'd like to point out that this is a strong argument for adding the SSSD/LDB Kerberos credential cache. It's unsafe to store the user's credential cache in their home directory (because it may be an NFS mount and therefore vulnerable to root on another machine). However, the other common location for a credential cache is in /tmp, which becomes an issue for systems running with pam_namespace or sandboxing (where different processes have different views of the contents of /tmp). To avoid both of these situations, it might be best for us to store the credential cache in SSSD. For more information, see https://fedorahosted.org/sssd/ticket/652 and https://bugzilla.redhat.com/show_bug.cgi?id=618689
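The cache-location concern raised in this thread can be checked on a host. The following is an added example, not part of the original message and not SSSD or FreeIPA code: it classifies a `KRB5CCNAME` value against a mount table in `/proc/mounts` format. The function names, the `NETWORK_FS` set and the sample mount table are assumptions constructed for illustration.

```python
import posixpath

# Filesystem types served by another machine, where that machine's root
# (or the file server) can read the cache file. Assumed list, extend as needed.
NETWORK_FS = {"nfs", "nfs4", "cifs", "smb3", "afs", "ceph", "9p"}

# Constructed sample in /proc/mounts format (not taken from a real host).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
filer.example.com:/export/home /home nfs4 rw,sec=sys 0 0
/dev/sdb1 /home/local ext4 rw,relatime 0 0
"""

def ccache_path(krb5ccname):
    """Return the on-disk path named by a KRB5CCNAME value, or None for
    cache types that are not plain files (KEYRING:, KCM:, MEMORY:, ...)."""
    ctype, sep, residual = krb5ccname.partition(":")
    if not sep:                      # no type prefix means FILE
        return posixpath.normpath(krb5ccname)
    if ctype in ("FILE", "DIR"):
        # DIR may name a subsidiary cache with a leading colon (DIR::/path)
        return posixpath.normpath(residual.lstrip(":"))
    return None

def fs_type_for(path, mounts_text):
    """Longest-prefix match of path against the mount table."""
    best_mp, best_fs = "", None
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        mp = fields[1].replace("\\040", " ")   # /proc/mounts escapes spaces
        prefix = mp.rstrip("/") + "/"          # avoids /home matching /homework
        if (path == mp or path.startswith(prefix)) and len(mp) > len(best_mp):
            best_mp, best_fs = mp, fields[2]
    return best_fs

def classify(krb5ccname, mounts_text=SAMPLE_MOUNTS):
    """'network-fs': readable by root elsewhere; 'tmp': subject to
    per-process /tmp views (pam_namespace, sandboxing); else as named."""
    path = ccache_path(krb5ccname)
    if path is None:
        return "non-file"
    if fs_type_for(path, mounts_text) in NETWORK_FS:
        return "network-fs"
    if path == "/tmp" or path.startswith("/tmp/"):
        return "tmp"
    return "local-file"
```

On a live system, pass the contents of `/proc/mounts` as `mounts_text` and the session's `KRB5CCNAME` as the first argument.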
_______________________________________________
Freeipa-devel mailing list
Freeipaemail@example.com
https://www.redhat.com/mailman/listinfo/freeipa-devel