>Storing: Simply on a RAM filesystem and use ACLs to tackle it down to
>the list of users who need it. This is pretty much what KEYRING does,
>with a custom nonstandard API.

FWIW, we are going to KEYRING everywhere; the semantics for what you
want in terms of a credential cache store are almost perfect.  What you
DON'T want to do is store credentials on a filesystem (be it in RAM or
on spinning disk); been there, done that.  As for the leaking of information
across chroot/Docker containers ... I'm trying to imagine how that would
be an actual security problem in practice.  I could be proven wrong, of
course, but I'd like to see some more concrete risks here.

--Ken
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
