Heads-up: Kerberos default user credential cache location is changing

Simo Sorce simo at redhat.com
Mon Jun 25 13:22:59 UTC 2012


On Mon, 2012-06-25 at 09:00 -0400, Stephen Gallagher wrote:
> On Fri, 2012-06-22 at 09:36 +0100, David Howells wrote:
> > Stephen Gallagher <sgallagh at redhat.com> wrote:
> > 
> > > 1) Credential caches are now stored in a tmpfs location. This is a
> > > security feature, as a stolen laptop may not be booted in single-user
> > > mode to extract a valid TGT.
> > 
> > Is it?  Can't tmpfs move stuff arbitrarily out to swap?
> 
> Ah, true. This could happen in a low-memory case. I should perhaps
> revise this statement then to be "This is a security feature, as a
> stolen laptop booted in single user mode will have a much more difficult
> time of extracting a valid TGT".
> 
> This of course can be further mitigated by the use of encrypted swap
> space.

If you are concerned about security of laptops and do not encrypt swap
you do not care about leaking TGTs, IMHO.
Of course another solution is to simply have no swap, but that would
prevent hibernation I think, which may be a desirable feature.

Simo.
-- 
Simo Sorce * Red Hat, Inc * New York
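The thread above leaves the practitioner with two things to verify on a laptop: that the credential cache directory really is on tmpfs, and that any swap area those tmpfs pages could be written to is a dm-crypt target (or that there is no swap at all). The following POSIX sh script is an added example written for this page, not code from the thread, from Fedora or from MIT Kerberos. It takes the texts of /proc/mounts, /proc/swaps and `dmsetup table` as arguments so it can be exercised offline against the constructed samples embedded below; the cache directory /run/user/1000 and the device names in those samples are assumptions for illustration only. A swap file on an encrypted root filesystem is reported as unverified, which is deliberately conservative.

```shell
#!/bin/sh
# Added example (not from the original thread): check whether a Kerberos
# credential cache directory lives on tmpfs and whether swap is encrypted.
set -u

# ccache_on_tmpfs MOUNTS_TEXT DIR
# Picks the longest mount point that contains DIR (as /proc/mounts lists it:
# device mountpoint fstype options dump pass) and succeeds if it is tmpfs.
ccache_on_tmpfs() {
    mounts="$1"; dir="$2"
    best=""; best_type=""
    while read -r dev mnt fstype rest; do
        case "$dir" in
            "$mnt"|"$mnt"/*|"${mnt%/}"/*)
                if [ "${#mnt}" -ge "${#best}" ]; then
                    best="$mnt"; best_type="$fstype"
                fi ;;
        esac
    done <<EOF
$mounts
EOF
    [ "$best_type" = "tmpfs" ]
}

# swap_is_safe SWAPS_TEXT DMTABLE_TEXT
# Succeeds when /proc/swaps lists no swap areas, or when every listed area is
# a device-mapper node whose table entry ("<name>: <start> <len> crypt ...")
# is a crypt target. Plain partitions and swap files are treated as unverified.
swap_is_safe() {
    swaps="$1"; dmtable="$2"
    status=0
    while read -r file type size used prio; do
        case "$file" in
            Filename|"") continue ;;        # header line or blank
            /dev/mapper/*)
                name="${file#/dev/mapper/}"
                if ! printf '%s\n' "$dmtable" | grep -q -- "^$name: [0-9]* [0-9]* crypt "; then
                    status=1
                fi ;;
            *) status=1 ;;                  # not dm-crypt backed: pages may hit disk in clear
        esac
    done <<EOF
$swaps
EOF
    return $status
}

# Constructed sample inputs (not captured from a real system).
SAMPLE_MOUNTS='/dev/mapper/fedora-root / ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
tmpfs /run/user/1000 tmpfs rw,nosuid,nodev,relatime,size=102400k,mode=700,uid=1000,gid=1000 0 0'
SAMPLE_SWAPS_CRYPT='Filename Type Size Used Priority
/dev/mapper/luks-swap partition 8388604 0 -2'
SAMPLE_SWAPS_PLAIN='Filename Type Size Used Priority
/dev/sda3 partition 8388604 0 -2'
SAMPLE_SWAPS_NONE='Filename Type Size Used Priority'
# dmsetup table masks the key with zeros unless --showkeys is given.
SAMPLE_DMTABLE='luks-swap: 0 16777216 crypt aes-xts-plain64 0000000000000000000000000000000000000000000000000000000000000000 0 8:3 4096
fedora-root: 0 104857600 linear 8:2 2048'

# With --live the checks run against the host; the cache directory is assumed
# to be the user's runtime directory. dmsetup needs root, so without it every
# mapper-backed swap area is reported as unverified.
if [ "${1:-}" = "--live" ]; then
    cc_dir="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}"
    if ccache_on_tmpfs "$(cat /proc/mounts)" "$cc_dir"; then
        echo "ccache dir $cc_dir: on tmpfs"
    else
        echo "ccache dir $cc_dir: NOT on tmpfs"
    fi
    if swap_is_safe "$(cat /proc/swaps)" "$(dmsetup table 2>/dev/null)"; then
        echo "swap: none, or every swap area is a dm-crypt target"
    else
        echo "swap: unencrypted or unverified swap present; tmpfs pages may reach disk in clear"
    fi
fi
```

Run it as `sh check_ccache_swap.sh --live` (as root, so that `dmsetup table` can be read); without the flag it only defines the functions and the samples, so it can be sourced or tested against the constructed inputs.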



More information about the devel mailing list