PAC signature verification for Samba3
abartlet at samba.org
Fri Aug 12 03:55:44 GMT 2005
On Fri, 2005-08-12 at 12:50 +1000, Luke Howard wrote:
> >You don't verify the KDC signature on a member server, so you don't need
> >to worry about that. (This code is in Samba4 for our KDC, not member
> >server side).
> This is half-true: a member server needs to verify the KDC signature if
> a service tries to impersonate whilst running as an unprivileged user.
> Otherwise, a service (which knows its own key) could forge a ticket to
> itself with a PAC containing valid server signatures and SIDs belonging
> to a more privileged user.
> I'm not sure this makes sense under POSIX though (can a non-root
> process set its effective UID to an arbitrary one?). Even if it did you
> want to avoid it if at all possible because the signature validation RPC
> completely destroys the performance advantage of Kerberos authentication,
> being that the accepting service does not need to contact a third party
> in order to authenticate a client.
The scary part of this is due to the implications of
servicePrincipalNames. A single key is shared between what in unix are
services in different security contexts. While we can't ask the kernel
to upgrade us from non-root to another non-root user, the HTTP service
could construct a ticket acceptable to the CIFS service, and elevate
privileges that way.
Given this, I need to think very carefully about how we handle those
secrets, and how keytabs (in particular) are shared about. I think KCM
(Kerberos Credentials Manager) plays a role in here somewhere, but I'm
yet to pin down exactly what it does, except to say it sounds neat :-)
Andrew Bartlett http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc. http://suse.de
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20050812/2826024d/attachment.bin
More information about the samba-technical