Heads-up: Kerberos default user credential cache location is changing

Stephen Gallagher sgallagh at redhat.com
Mon Jun 25 13:00:02 UTC 2012


On Fri, 2012-06-22 at 09:36 +0100, David Howells wrote:
> Stephen Gallagher <sgallagh at redhat.com> wrote:
> 
> > 1) Credential caches are now stored in a tmpfs location. This is a
> > security feature, as a stolen laptop may not be booted in single-user
> > mode to extract a valid TGT.
> 
> Is it?  Can't tmpfs move stuff arbitrarily out to swap?

Ah, true. This could happen in a low-memory case. I should perhaps
revise this statement then to be "This is a security feature, as a
stolen laptop booted in single user mode will have a much more difficult
time of extracting a valid TGT".

This of course can be further mitigated by the use of encrypted swap
space.
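
An added example, not part of the original message: a script that reports whether each active swap area sits on dm-crypt, which is the mitigation mentioned above. It assumes the Linux `/proc/swaps` and sysfs layouts and that dm-crypt mappings carry a device-mapper UUID beginning with `CRYPT-`; the function names `is_encrypted` and `swap_report` are hypothetical.

```bash
#!/usr/bin/env bash
# Added example. Assumptions: Linux sysfs layout; dm-crypt mappings carry
# a device-mapper UUID beginning with "CRYPT-" (as set by cryptsetup).

# Return 0 if block device $1 is a dm-crypt mapping, or is stacked
# (e.g. an LVM volume) entirely on top of dm-crypt mappings.
# $2 is the sysfs root, so the check can be pointed at a fixture tree.
is_encrypted() {
    local dev="$1" sysfs="$2" uuid="" slave found=1
    if [ -r "$sysfs/block/$dev/dm/uuid" ]; then
        read -r uuid < "$sysfs/block/$dev/dm/uuid" || true
    fi
    case "$uuid" in CRYPT-*) return 0 ;; esac
    for slave in "$sysfs/block/$dev/slaves"/*; do
        [ -e "$slave" ] || continue
        # Every underlying device must be encrypted, not just one.
        is_encrypted "$(basename "$slave")" "$sysfs" || return 1
        found=0
    done
    return "$found"
}

# Print "<path> <status>" for each active swap area.
# $1: swaps table (default /proc/swaps), $2: sysfs root (default /sys).
swap_report() {
    local swaps="${1:-/proc/swaps}" sysfs="${2:-/sys}" path type rest dev
    while read -r path type rest; do
        case "$path" in ""|Filename) continue ;; esac   # blank/header line
        dev=$(basename "$path")
        case "$type:$dev" in
            # Swap files depend on the filesystem's backing device.
            file:*)          echo "$path swapfile" ;;
            # Compressed RAM, not disk (unless writeback is configured).
            partition:zram*) echo "$path zram" ;;
            *)  if is_encrypted "$dev" "$sysfs"; then
                    echo "$path encrypted"
                else
                    echo "$path PLAINTEXT"
                fi ;;
        esac
    done < "$swaps"
}

# Report on the live system when the swaps table is available.
if [ -r /proc/swaps ]; then swap_report; fi
```

Any area reported as `PLAINTEXT` can receive paged-out tmpfs contents, including a credential cache, in the clear.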