Date:   Wed, 28 Sep 2016 22:18:20 +0200
From:   Cedric Blancher <cedric.blancher@...il.com>
To:     Linus Torvalds <torvalds@...ux-foundation.org>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Fwd: KEYRING:persistent and ssh

FYI, keyring support is pretty much dead.

Ced

---------- Forwarded message ----------
From: Lionel Cons <lionelcons1972@...il.com>
Date: 28 September 2016 at 17:25
Subject: Re: KEYRING:persistent and ssh
To: t Seeger <tseegerkrb@...il.com>
Cc: kerberos@....edu


Storing: simply on a RAM filesystem and use ACLs to tackle it down to
the list of users who need it. This is pretty much what KEYRING does,
with a custom nonstandard API.

FYI, by policy CERN has forbidden the use of Linux KEYRING because of
several security breaches (info bleeds through chroot & co) and mostly
have patched the kernel to just issue an errno "not supported" if someone
tries to use Linux KEYRING.

Lionel

On 28 September 2016 at 13:42, t Seeger <tseegerkrb@...il.com> wrote:
>> On 27 Sep 2016, at 15:20, Tina Harriott <tina.harriott.math@...il.com> wrote:
>>
>>> On 16 September 2016 at 16:02, t Seeger <tseegerkrb@...il.com> wrote:
>>> Hello,
>>>
>>> I have a little problem with the 'KRB5CCNAME' environment variable. I set
>>> the default_ccache_name to KEYRING:persistent:%{uid} but if I log in it is
>>> set to "file:/tmp/krb5cc_${uid}_XXXXXXXXXX" because ssh sets the KRB5CCNAME
>>> to file:/tmp/krb5cc_${uid}_XXXXXXXXXX...
>>> I found a workaround with adding "unset KRB5CCNAME" to /etc/bash.bashrc but
>>> this is not very nice.
>>> Did anyone have a similar problem and find a solution?
>>>
>>> Many thanks in advance and best regards
>>> ________________________________________________
>>> Kerberos mailing list           Kerberos@....edu
>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>> FYI, KEYRING: will be removed in future versions of the Linux kernel
>> because of the ongoing design defects.
>> Also, KEYRING is not secure; under certain scenarios (Docker et al.)
>> unrelated users/uids can obtain the secure data.
>>
>> Tina
>> --
>> Tina Harriott  - Women in Mathematics
>> Contact: tina.harriott.math@...il.com
>
> Thank you for your reply. I have two questions. First, can you tell me what is the best practice way to store the credential cache, and second, where can I find more information about the plan to remove the KEYRING from the kernel?
>
> Thorsten
> ________________________________________________
> Kerberos mailing list           Kerberos@....edu
> https://mailman.mit.edu/mailman/listinfo/kerberos



--
Lionel
________________________________________________
Kerberos mailing list           Kerberos@....edu
https://mailman.mit.edu/mailman/listinfo/kerberos


-- 
Cedric Blancher <cedric.blancher@...il.com>
[https://plus.google.com/u/0/+CedricBlancher/]
Institute Pasteur
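The thread above turns on which credential cache is actually in effect after login (the KEYRING:persistent:%{uid} from krb5.conf versus the FILE:/tmp/krb5cc_... that ssh puts in KRB5CCNAME). The following POSIX sh helper is an added example, not code from the thread or from any Kerberos project: it parses a cache name of the form TYPE:residual the way KRB5CCNAME and default_ccache_name use it, and for a FILE cache checks that the file belongs to the calling user and carries no group/other permission bits. The function names, the verdict wording and the return codes are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread): classify a Kerberos credential-cache
# name such as FILE:/tmp/krb5cc_1000_AbC123 or KEYRING:persistent:1000 and,
# for FILE caches, verify ownership and a 0600 mode. Function names, messages
# and return codes are assumptions of this example.

ccache_type() {
    # Print the cache type in upper case. A name with no colon is a plain
    # path, which MIT krb5 treats as a FILE cache.
    case "$1" in
        *:*) printf '%s\n' "${1%%:*}" | tr '[:lower:]' '[:upper:]' ;;
        *)   printf 'FILE\n' ;;
    esac
}

ccache_residual() {
    # Print everything after the type prefix: the file path, or for KEYRING
    # the keyring name (e.g. persistent:1000).
    case "$1" in
        *:*) printf '%s\n' "${1#*:}" ;;
        *)   printf '%s\n' "$1" ;;
    esac
}

check_file_ccache() {
    # Return 0 when the cache file exists, is owned by the current user and
    # has mode exactly 0600; return 1 otherwise. find(1) with -prune and
    # -perm is used because it is portable across GNU and BSD userlands.
    path=$1
    owner=$(id -un)
    [ -f "$path" ] || return 1
    find "$path" -prune -type f -user "$owner" -perm 600 -print | grep -q .
}

audit_ccache() {
    # Print a one-line verdict for a cache name. Return codes (example's own):
    # 0 = FILE cache passes the check, 1 = FILE cache fails it,
    # 2 = cache lives in the kernel keyring, 3 = a type this helper ignores.
    name=$1
    ctype=$(ccache_type "$name")
    residual=$(ccache_residual "$name")
    case "$ctype" in
        FILE)
            if check_file_ccache "$residual"; then
                echo "ok: $residual is owned by $(id -un) with mode 0600"
                return 0
            fi
            echo "bad: $residual is missing, not yours, or readable by others"
            return 1 ;;
        KEYRING)
            echo "keyring: $residual is held in the kernel keyring, not on disk"
            return 2 ;;
        *)
            echo "other: cache type $ctype is not checked by this helper"
            return 3 ;;
    esac
}

# Usage: sh ccache_check.sh --audit "$KRB5CCNAME"
# With no cache name given, fall back to the conventional FILE:/tmp/krb5cc_<uid>.
if [ "${1:-}" = "--audit" ]; then
    audit_ccache "${2:-FILE:/tmp/krb5cc_$(id -u)}"
fi
```

Run it from a login shell with `--audit "$KRB5CCNAME"` to see whether the session really ended up on the keyring or on a /tmp file, and whether that file is private to you; a non-zero exit is the signal to look at how ssh or the PAM stack set the variable.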
