PAC signature verification for Samba3

Andrew Bartlett abartlet at samba.org
Fri Aug 12 03:55:44 GMT 2005


On Fri, 2005-08-12 at 12:50 +1000, Luke Howard wrote:
> >You don't verify the KDC signature on a member server, so you don't need
> >to worry about that.   (This code is in Samba4 for our KDC, not member
> >server side).
> 
> This is half-true: a member server needs to verify the KDC signature if
> a service tries to impersonate whilst running as an unprivileged user.
> Otherwise, a service (which knows its own key) could forge a ticket to
> itself with a PAC containing valid server signatures and SIDs belonging
> to a more privileged user.
> 
> I'm not sure this makes sense under POSIX though (can a non-root
> process set its effective UID to an arbitrary one?). Even if it did you
> want to avoid it if at all possible because the signature validation RPC
> completely destroys the performance advantage of Kerberos authentication,
> being that the accepting service does not need to contact a third party
> in order to authenticate a client.

The scary part of this is due to the implications of
servicePrincipalNames.  A single key is shared between what in unix are
services in different security contexts.  While we can't ask the kernel
to upgrade us from non-root to another non-root user, the HTTP service
could construct a ticket acceptable to the CIFS service, and elevate
privileges that way.

Given this, I need to think very carefully about how we handle those
secrets, and how keytabs (in particular) are shared about.  I think KCM
(Kerberos Credentials Manager) plays a role in here somewhere, but I'm
yet to pin down exactly what it does, except to say it sounds neat :-)

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
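
Added example (not part of the original message, and not Samba code): a toy model of the two PAC signatures discussed in this thread, showing that a member server checking only the server signature cannot tell a KDC-issued PAC from one built by any holder of the service key, while the KDC-signature check can, at the cost of one validation call per ticket. HMAC-SHA256, the JSON PAC body, the key and SID values and every function and class name are assumptions made for illustration.

```python
import hashlib
import hmac
import json

def mac(key: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 stands in for the real PAC checksum types (assumption).
    return hmac.new(key, data, hashlib.sha256).digest()

def kdc_issue(pac: dict, service_key: bytes, kdc_key: bytes) -> dict:
    """KDC side: server signature over the PAC, KDC signature over that signature."""
    body = json.dumps(pac, sort_keys=True).encode()
    server_sig = mac(service_key, body)
    return {"body": body, "server_sig": server_sig, "kdc_sig": mac(kdc_key, server_sig)}

def service_key_only(pac: dict, service_key: bytes) -> dict:
    """What any holder of the service key can produce without the KDC key."""
    body = json.dumps(pac, sort_keys=True).encode()
    return {"body": body, "server_sig": mac(service_key, body), "kdc_sig": bytes(32)}

class DomainController:
    """Holds the KDC key; validate() models the signature validation RPC."""
    def __init__(self, kdc_key: bytes):
        self._kdc_key = kdc_key
        self.rpc_calls = 0

    def validate(self, server_sig: bytes, kdc_sig: bytes) -> bool:
        self.rpc_calls += 1
        return hmac.compare_digest(kdc_sig, mac(self._kdc_key, server_sig))

def accept(signed: dict, service_key: bytes, dc=None) -> bool:
    """Member-server check: local server signature, then optionally the KDC one."""
    expected = mac(service_key, signed["body"])
    if not hmac.compare_digest(signed["server_sig"], expected):
        return False
    if dc is None:          # local check only: no third party contacted
        return True
    return dc.validate(signed["server_sig"], signed["kdc_sig"])

# Constructed sample values, not real keys or SIDs.
KDC_KEY = b"constructed-kdc-key"
SHARED_KEY = b"constructed-account-key"   # one account key behind HTTP/host and cifs/host
GENUINE = kdc_issue({"user": "alice", "sids": ["S-1-5-21-0-0-0-1105"]}, SHARED_KEY, KDC_KEY)
UNSIGNED_BY_KDC = service_key_only({"user": "alice", "sids": ["S-1-5-21-0-0-0-512"]}, SHARED_KEY)

if __name__ == "__main__":
    dc = DomainController(KDC_KEY)
    print("local check only :", accept(GENUINE, SHARED_KEY), accept(UNSIGNED_BY_KDC, SHARED_KEY))
    print("with KDC check   :", accept(GENUINE, SHARED_KEY, dc), accept(UNSIGNED_BY_KDC, SHARED_KEY, dc))
    print("validation RPCs  :", dc.rpc_calls)
```
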


More information about the samba-technical mailing list