The security team identified a potential security exposure on RHEL 9.6 servers joined to Active Directory using SAS (Safeguard Authentication Services).
Kerberos credential cache files (ticket-granting tickets and service tickets) are being created and stored in the /tmp directory.
This behavior raises concerns about:
1. Possible impersonation
2. Potential lateral movement within the Active Directory domain if the ticket cache is accessed
Clarification is sought on:
1. Whether this behavior is caused by SSSD configuration
2. Or whether it originates from the Kerberos handling of the QAS (Quest Authentication Services, the former name of SAS) PAM module
This behavior is expected and has historically existed in Kerberos-based authentication workflows when integrated via SAS PAM modules (such as pam_vas3.so).
Key points:
1. Kerberos tickets are cached locally after successful authentication to enable single sign-on (SSO)
2. By default, these credential cache files may be created under /tmp
3. Accessing another user's cache files requires root-level privileges
From a security standpoint:
1. If an attacker already has root access, the system is fully compromised
2. Root access allows far more severe actions, including:
- Credential scraping
- Password interception
- Privilege escalation across the domain
3. Compared to those risks, stealing Kerberos tickets is a lower-impact concern because:
- Tickets are time-limited
- They expire automatically based on Kerberos lifetime policies
Therefore, this behavior is not considered a vulnerability by itself but rather standard Kerberos operation.
To prevent the creation of Kerberos ticket cache files in the /tmp directory, the environment can be configured by adding the no_store_creds option to any pam_vas3.so entries within the PAM configuration files located under /etc/pam.d.
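As an added example (not part of the One Identity article or of the SAS product), the POSIX shell script below audits a pam.d directory for active pam_vas3.so rules that still lack no_store_creds and produces the remediated configuration. It assumes PAM rule lines begin with a type keyword (auth, account, password or session, optionally prefixed with "-"), and the sample PAM files it builds are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not from the One Identity article: find pam_vas3.so rules that
# still cache Kerberos tickets (no no_store_creds) and append the option.
# The directory argument lets the functions run against /etc/pam.d or a copy.
# Constructed sample of two PAM service files; not taken from a real host.
make_sample_pamd() {
    mkdir -p "$1"
    cat > "$1/sshd" <<'EOF'
#%PAM-1.0
auth       sufficient   pam_vas3.so
auth       include      password-auth
account    sufficient   pam_vas3.so
session    required     pam_vas3.so no_store_creds
EOF
    cat > "$1/su" <<'EOF'
# a pam_vas3.so mention inside a comment must be ignored by the audit
auth       sufficient   pam_vas3.so
EOF
}
# Print every active (non-comment) pam_vas3.so line lacking no_store_creds as
# file:lineno:line. /dev/null forces grep to prefix file names even for one file.
list_unprotected_vas3() {
    grep -n 'pam_vas3\.so' "$1"/* /dev/null 2>/dev/null \
        | grep -Ev '^[^:]*:[0-9]+:[[:space:]]*#' \
        | grep -v 'no_store_creds' || true
}
# Number of unprotected entries, usable as a compliance check in scripts.
count_unprotected_vas3() {
    list_unprotected_vas3 "$1" | wc -l | tr -d ' '
}
# Append no_store_creds to every pam_vas3.so rule line of one PAM file, writing
# the result to $2 so the change can be diffed before replacing the original.
add_no_store_creds() {
    sed -E '/^[[:space:]]*-?(auth|account|password|session)[[:space:]].*pam_vas3\.so/{/no_store_creds/!s/[[:space:]]*$/ no_store_creds/;}' "$1" > "$2"
}
# Remediate every file in a pam.d directory in place.
fix_pamd_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        add_no_store_creds "$f" "$f.tmp" && mv "$f.tmp" "$f"
    done
}
# Demonstration on a constructed copy; review the diff before touching /etc/pam.d.
demo_dir=$(mktemp -d)
make_sample_pamd "$demo_dir"
printf 'Before: %s unprotected pam_vas3.so entries\n' "$(count_unprotected_vas3 "$demo_dir")"
fix_pamd_dir "$demo_dir"
printf 'After:  %s unprotected pam_vas3.so entries\n' "$(count_unprotected_vas3 "$demo_dir")"
rm -rf "$demo_dir"
```

Running `count_unprotected_vas3 /etc/pam.d` as root gives a quick compliance check after the change has been rolled out; a non-zero count means some pam_vas3.so rule will still write a ticket cache under /tmp at the next login.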
© 2026 One Identity LLC. ALL RIGHTS RESERVED.