The KEYRING vulnerability was CVE-2016-0728. It is obviously fixed nowadays. So, 
I was not referring to a problem in principle.

Having tickets in world-writable locations is a stealing issue. The attacker 
would try to precreate the well-known ticket cache file with the attacker's 
access rights. This led Ubuntu et al. to use harder-to-guess variable ticket 
cache files. The problem is the library-based distributed implementation of the 
Kerberos client side. When there is no known trusted controlling process to 
create the ticket cache file in the first place, it is hard to establish trust.

Our solution was to resort to a trusted service for ticket cache management in 
the form of sssd and a patched openssh. The user, through the client library, 
is not able to create new ticket caches in the well-known location, as it is 
only writable by root.

I would expect openssh to need a similar patch to work with KEYRING ticket 
caches.

–Michael
_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
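
The pre-creation problem described in the message above, seen from the client side, as an added example that is not part of the original message and not code from any Kerberos library, sssd or openssh: a client that must use a cache file in a shared directory can at least create it exclusively and, when opening an existing one, verify the opened object's type, owner and mode. The function names, file names and the temporary directory standing in for the world-writable location are assumptions made for the illustration.

```python
import os
import stat
import tempfile

def create_ccache_exclusively(path):
    """Create a new cache file; fails if anything already exists at path."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    return os.open(path, flags, 0o600)

def open_ccache_safely(path, expected_uid):
    """Open an existing cache only if it is a private regular file we own."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)  # refuses a symlink
    try:
        st = os.fstat(fd)  # check the opened object, not the name
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
        if st.st_uid != expected_uid:
            raise PermissionError("owned by another uid")
        if st.st_mode & 0o077:
            raise PermissionError("accessible to group or others")
    except OSError:
        os.close(fd)
        raise
    return fd

def demo():
    """Constructed cases in a private temp dir standing in for /tmp."""
    uid, results = os.getuid(), {}
    with tempfile.TemporaryDirectory() as d:
        good, loose, link = (os.path.join(d, n) for n in
                             ("krb5cc_good", "krb5cc_loose", "krb5cc_link"))
        os.close(create_ccache_exclusively(good))
        os.close(create_ccache_exclusively(loose))
        os.chmod(loose, 0o644)
        os.symlink(good, link)
        cases = [("good", good, uid), ("loose", loose, uid),
                 ("link", link, uid), ("foreign_owner", good, uid + 1)]
        for name, path, owner in cases:
            try:
                os.close(open_ccache_safely(path, owner))
                results[name] = "accepted"
            except OSError:
                results[name] = "rejected"
        try:  # the name is already taken, as after a pre-creation
            os.close(create_ccache_exclusively(good))
            results["precreated"] = "accepted"
        except FileExistsError:
            results["precreated"] = "rejected"
    return results
```

These checks only detect a cache that someone else placed there; they do not replace a trusted process creating the cache in a root-writable location, which is the approach the message describes.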
