>Storing: Simply on a RAM filesystem and use ACLs to tackle it down to
>the list of users who need it. This is pretty much what KEYRING does,
>with a custom nonstandard API.

FWIW, we are going to KEYRING everywhere; the semantics for what you want in terms of a credential cache store are almost perfect. What you DON'T want to do is store credentials on a filesystem (be it in RAM or on spinning disk); been there, done that.

As for the leaking of information across chroot/Docker containers ... I'm trying to imagine how that would be an actual security problem in practice. I could be proven wrong, of course, but I'd like to see some more concrete risks here.

--Ken

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos