Re: Heads-up: Kerberos default user credential cache location is changing

2012-06-25 Thread Simo Sorce
On Mon, 2012-06-25 at 09:00 -0400, Stephen Gallagher wrote:
> On Fri, 2012-06-22 at 09:36 +0100, David Howells wrote:
> > Stephen Gallagher sgall...@redhat.com wrote:
> >
> > > 1) Credential caches are now stored in a tmpfs location. This is a
> > > security feature, as a stolen laptop may not be booted in single-user
> > > mode to extract a valid TGT.
> >
> > Is it?  Can't tmpfs move stuff arbitrarily out to swap?
>
> Ah, true. This could happen in a low-memory case. I should perhaps
> revise this statement then to be "This is a security feature, as a
> stolen laptop booted in single user mode will have a much more difficult
> time of extracting a valid TGT."
>
> This of course can be further mitigated by the use of encrypted swap
> space.

If you are concerned about security of laptops and do not encrypt swap
you do not care about leaking TGTs, IMHO.
Of course another solution is to simply have no swap, but that would
prevent hibernation I think, which may be a desirable feature.

Simo.
-- 
Simo Sorce * Red Hat, Inc * New York

-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

Re: Heads-up: Kerberos default user credential cache location is changing

2012-06-22 Thread David Howells
Stephen Gallagher sgall...@redhat.com wrote:

> 1) Credential caches are now stored in a tmpfs location. This is a
> security feature, as a stolen laptop may not be booted in single-user
> mode to extract a valid TGT.

Is it?  Can't tmpfs move stuff arbitrarily out to swap?

David

Heads-up: Kerberos default user credential cache location is changing

2012-06-21 Thread Stephen Gallagher
As part of two related Fedora 18 Features[1][2], the default location
that Kerberos credential caches will be stored (when logging in through
SSSD or pam_krb5) will be changing from its existing location of
FILE:/tmp/krb5cc_UID_XX to a new default of DIR:/run/user/UID/ccdir.

This gains multiple advantages:
1) Credential caches are now stored in a tmpfs location. This is a
security feature, as a stolen laptop may not be booted in single-user
mode to extract a valid TGT.
2) Credential caches have switched to the DIR: cache type, which allows
acquiring tickets for multiple Kerberos realms simultaneously. This
means that you can have SSO credentials for the realm you logged into,
as well as getting additional credentials for other realms (example
case: login to your corporate account, also get kerberos credentials for
a partner account).
3) The credential cache is now stored in a well-known and
better-protected location than /tmp. Applications such as GSSD that
require access to a user's Kerberos credential cache can now know to
look specifically at DIR:/run/user/UID/ccdir, rather than trolling /tmp
for a credential cache they have privilege to read.

Some users may be surprised at the loss of reboot-persistent credential
caches, despite the obvious security benefits. In that case, SSSD and
pam_krb5 can be configured to store the credentials in a different,
persistent location. It's important to note that, due to the proposal to
change /tmp to tmpfs and/or encapsulate it in a pam_namespace, keeping
the credentials in /tmp would still have changed this default behavior.

This email is intended to inform any Kerberos-using applications that
they should start making themselves capable of using the new default
location for credential caches. Those who wish to test this with SSSD
Kerberos logins can do so with sssd-1.9.0-7.fc18.beta2 which should be
available in your local rawhide mirror by now.


[1] https://fedoraproject.org/wiki/Features/KRB5CacheMove
[2] https://fedoraproject.org/wiki/Features/KRB5DirCache
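
For applications adapting to the new default, here is an added example (not part of the original message, and not code from SSSD or pam_krb5) that resolves a FILE: or DIR: value of KRB5CCNAME to the cache files behind it and checks their ownership and mode. It assumes the MIT krb5 DIR: layout, in which a `primary` file names the primary cache and each cache is a `tkt*` file; the function names and sample cache names are constructed for illustration.

```python
import os
import tempfile

def resolve_ccache(ccname):
    """Map a KRB5CCNAME value to the cache file paths it refers to."""
    kind, sep, residual = ccname.partition(":")
    if not sep or kind.startswith("/"):    # bare path: treated as FILE:
        return [ccname]
    if kind == "FILE":
        return [residual]
    if kind != "DIR":
        raise ValueError("unsupported ccache type: " + kind)
    if residual.startswith(":"):           # DIR::/path names a single cache file
        return [residual[1:]]
    # Assumed MIT krb5 layout: 'primary' names the primary cache; caches are 'tkt*' files.
    names = sorted(n for n in os.listdir(residual) if n.startswith("tkt"))
    try:
        with open(os.path.join(residual, "primary")) as fh:
            primary = fh.read().strip()
    except FileNotFoundError:
        primary = "tkt"
    if primary in names:                   # report the primary cache first
        names.remove(primary)
        names.insert(0, primary)
    return [os.path.join(residual, n) for n in names]

def audit(path, uid):
    """Return findings for one cache file or cache directory."""
    st = os.lstat(path)                    # lstat: do not follow a planted symlink
    findings = []
    if st.st_uid != uid:
        findings.append("wrong owner")
    if st.st_mode & 0o077:
        findings.append("group/other access")
    return findings

def demo():
    """Constructed sample: a DIR: collection holding caches for two realms."""
    ccdir = tempfile.mkdtemp()             # stands in for /run/user/UID/ccdir
    for name in ("tktAAAAAA", "tktBBBBBB"):
        os.close(os.open(os.path.join(ccdir, name), os.O_CREAT | os.O_WRONLY, 0o600))
    with open(os.path.join(ccdir, "primary"), "w") as fh:
        fh.write("tktBBBBBB\n")
    os.chmod(os.path.join(ccdir, "tktAAAAAA"), 0o644)   # deliberately too open
    caches = resolve_ccache("DIR:" + ccdir)
    return ccdir, caches, {os.path.basename(c): audit(c, os.getuid()) for c in caches}

if __name__ == "__main__":
    print(demo())
```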

