Excerpts from Firewalls: 26-Oct-93 Re: System Security Richard
> If you think that Kerberos is secure on a multiuser machine, even without
> root tampering, you're misinformed.
As I mentioned, the authenticating host can be remote. This is the same
host that runs the cache manager. The cache manager can be locked in
vault and stripped of user accounts and of all network access (except
for authenticated rpc requests), if you like.
By the way, are you suggesting that a host can't protect its core dumps
or kmem from non-root access? Regardless of where the cache manager
physically resides, I stand by the statement that the authenticating
host is as secure as its root password.