Is there a reason that the current Kerberos allows a KRB5CCNAME file to be created instead of being in memory?  This appears to be a weak link in the security of the Kerberos protocol, as the file can be moved from the system and allow passwordless access to resources the account has access to.  If crafted correctly, a compromised system could modify the /etc/krb5.conf file to allow maximum ticket life and renewal, then capture keys on the multiuser/compromised system and allow the keys to be moved from system to system with full access.  Shouldn’t the Kerberos tickets be stored in protected memory somehow or in a more secure way?


James Shelby

NREL - Linux Desktop Integrations

(303) 275-3298 Desk/Cell
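
An added example, not part of the original message: a defender-side audit of the two krb5.conf settings raised above. It flags an on-disk credential cache type and ticket or renewal lifetimes above a site ceiling. The sample config, the ceilings and the function names are assumptions made for illustration.

```python
import re

# Constructed sample config; not taken from any real host.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_ccache_name = FILE:/tmp/krb5cc_%{uid}
    ticket_lifetime = 7d
    renew_lifetime = 30d
"""

# Assumed local policy ceilings in seconds; set these to your site's baseline.
MAX_TICKET, MAX_RENEW = 24 * 3600, 7 * 86400
UNITS = {"d": 86400, "h": 3600, "m": 60, "s": 1}

def to_seconds(value):
    """Parse krb5.conf durations such as '36000', '10h' or '1d 2h'."""
    value = value.strip().lower()
    if value.isdigit():
        return int(value)
    parts = re.findall(r"(\d+)\s*([dhms])", value)
    if not parts:
        raise ValueError(f"unsupported duration: {value!r}")
    return sum(int(n) * UNITS[u] for n, u in parts)

def libdefaults(text):
    """Return the key/value pairs of the [libdefaults] section."""
    section, out = None, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":      # blank or comment line
            continue
        if line.startswith("["):
            section = line.strip("[]")
        elif section == "libdefaults" and "=" in line:
            key, val = line.split("=", 1)
            out[key.strip()] = val.strip()
    return out

def audit(text):
    cfg, findings = libdefaults(text), []
    # Assumption: an unset or untyped cache name resolves to a FILE: cache,
    # as on a stock MIT krb5 build.
    cc = cfg.get("default_ccache_name", "FILE:(build default)")
    cc_type = cc.split(":", 1)[0].upper() if ":" in cc else "FILE"
    if cc_type in ("FILE", "DIR"):
        findings.append(f"ccache on disk ({cc}); consider KEYRING: or KCM:")
    for key, limit in (("ticket_lifetime", MAX_TICKET), ("renew_lifetime", MAX_RENEW)):
        if key in cfg and to_seconds(cfg[key]) > limit:
            findings.append(f"{key} = {cfg[key]} exceeds policy ceiling")
    return findings
```

The lifetimes in krb5.conf are what the client requests; the KDC's own maximums still cap what is issued, so unexpected values here are mainly a tamper indicator worth alerting on.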