| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CALXu0UejOGVj55+FMX0qYkHF8ZWe02f=ZwSgWfL2_0PAPBnovA@mail.gmail.com>
Date: Wed, 21 Sep 2016 20:20:07 +0200
From: Cedric Blancher <cedric.blancher@...il.com>
To: Russ Allbery <eagle@...ie.org>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Cc: tseegerkrb <tseegerkrb@...il.com>,
"<kerberos@....edu>" <kerberos@....edu>
Subject: Remove KEYRING from kernel! Re: KEYRING:persistent and ssh
Depends what you call "nice". KEYRING is a gaping security hole in
case of Docker or chrooted apps because it "leaks" keys through the
isolation AND does this randomly even into other Docker instances.
IMO the whole KEYRING stuff should be removed from the Linux kernel
and replaced with a sane design.
Ced
On 21 September 2016 at 20:03, Russ Allbery <eagle@...ie.org> wrote:
> tseegerkrb <tseegerkrb@...il.com> writes:
>
>> Thanks for your help. Is my setup so special (kerberos/OpenLDAP/sssd/sshd)
>> nobody using it? I think i will ask debian/ubuntu or the openssh
>> maintainer for help.
>
> It's sadly quite unusual to use non-FILE ticket caches. I wish it
> weren't, since KEYRING has nice security properties, but it's relatively
> new and the rest of the world has definitely not adapted yet.
>
> --
> Russ Allbery (eagle@...ie.org) <http://www.eyrie.org/~eagle/>
> ________________________________________________
> Kerberos mailing list Kerberos@....edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
--
Cedric Blancher <cedric.blancher@...il.com>
[https://plus.google.com/u/0/+CedricBlancher/]
Institute Pasteur
Powered by blists - more mailing lists