[OpenAFS-devel] Re: MEMORY credential cache interop between Heimdal and MIT?

Ken Hornstein kenh@cmf.nrl.navy.mil
Thu, 30 Aug 2007 11:33:07 -0400 

>So, I think it's important to recognize that nothing you devise will be 
>foolproof. Anyone who wants to shoot themselves in the foot and give away their 
>security tokens can always find a way to do so, and even people who don't want 
>to can frequently be tricked into doing so anyway.

While I agree with those statements, I think it's important to hear from
someone who's been "in the trenches", so to speak.

Like I said previously, I implemented a shared-descriptor credential
cache a few years ago and we've been using it in production since then
(it's the one Russ mentioned earlier).  It works, but it doesn't use
mmap() (and incidently, Mike, if you don't want to reinvent the wheel
let me know privately if you want this code; it's specific to MIT, but
at least it's been battle-hardended and I don't see any reasons why
you couldn't port it to Heimdal).

Is this cache foolproof?  No, definately not.  It could be defeated by
a relatively sophisticated attacker or a user who was actively working
against it.  But this all gets back to the slippery nature of security
in the real world; fundamentally, I don't believe there is a solution
to security on untrusted multiuser systems today.  You just have to do
the best that you can and hope your users aren't actively out to
screw you.

This cache was written in response to a series of attacks we were under
where a relatively unsophisticated attacker figured out how to steal
file credential caches.  When we implemented this credential cache, we
saw a real, measurable improvement in security (the attacks stopped
cold).  So I view it as a success, and to this date we have not had
an attacker figure out how to break it.

Doing a session-based credential cache raises the bar for an attacker.
It can still be defeated of course, but does that mean raising the bar
is not worthwhile?  I believe the answer is "raising the bar is
worthwhile", and my experience backs me up.  Like I said, this ain't
perfect, but I challenge anyone to do better given the constraints
we were under.

Session-based credentials for Kerberos are almost completely orthogonal
to what to do about filesystems that want access to Kerberos
credentials.  I think it makes sense to stick to one or the other;
talking about both at the same time tends to muddy the waters.

--Ken