Does PAC Validation Require External Communication?
Henry B. Hotz
hotz at jpl.nasa.gov
Mon May 14 22:21:16 GMT 2007
As I understand it, if you have access to the server's keytab, then
in principle you can forge credentials for anyone, including non-
existent users (but only for that server). What you suggest would
prevent someone faking the PAC data in a credential, and from
inventing a fake user, but they could still fake the credential.
In other words it wouldn't stop John Jones from presenting a fake
credential for Sam Smith that just happened to include the real PAC
data that Sam would have had if it were really Sam.
Am I missing something?
On May 14, 2007, at 2:59 PM, Andrew Bartlett wrote:
> On Mon, 2007-05-14 at 13:34 -0400, Michael B Allen wrote:
>> This link claims MS' PAC verification can require communication with
>> the DC:
>>
>> http://blogs.msdn.com/spatdsg/archive/2007/03/07/pac-validation.aspx
>>
>> Is this true? If so, services will not be able to authenticate nearly
>> as fast as they otherwise could.
>
> If you think that someone else (not root) has access to the local
> kerberos keytab (or the machine account password), then that user could
> spoof their way to any (CIFS) user via the PAC, because they could make
> up a fake one. Similarly, as always with kerberos, they could change
> the principal in the ticket, etc.
>
> This can be worked around by validating the PAC to the KDC, but should
> be of concern to anyone who shares that keytab too broadly (eg with
> apache).
>
> On windows, I think a user could run a service, and unless the PAC was
> validated with the KDC, they could use their password to fake their way
> down to another more privileged user.
>
> Andrew Bartlett
------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
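The trust boundary the thread is arguing about can be made concrete with a small model. The following is an added example, not code from the list or from Samba: it replaces the Kerberos checksums with HMAC-SHA256 and uses constructed keys, but keeps the shape that matters, namely that the PAC carries one checksum keyed with the service key and a second checksum, over the first, keyed with the krbtgt key that only the KDC holds. That second checksum is why validating the PAC means a round trip to the DC, and the scenarios at the end show what that round trip does and does not catch: an edited PAC fails at the KDC, but a genuine PAC carried inside a ticket that anyone with the service keytab could have minted passes both checks, which is the gap Henry's message describes.

```python
from __future__ import annotations

import hashlib
import hmac
import json

# Constructed keys for this model only (not real Kerberos key material).
SERVICE_KEY = b"constructed-cifs-service-key"  # in the service keytab and at the KDC
KRBTGT_KEY = b"constructed-krbtgt-key"         # held by the KDC only


def _mac(key: bytes, data: bytes) -> bytes:
    """Stand-in for the keyed checksums in a real PAC (HMAC-SHA256 here)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def kdc_issue_pac(client: str, groups: list[str]) -> dict:
    """KDC builds a PAC: body signed under the service key, then that
    server signature signed again under the krbtgt key."""
    body = json.dumps({"client": client, "groups": sorted(groups)}).encode()
    server_sig = _mac(SERVICE_KEY, body)
    return {"body": body, "server_sig": server_sig, "kdc_sig": _mac(KRBTGT_KEY, server_sig)}


def service_checks_pac_locally(pac: dict) -> bool:
    """All the service can verify with only its own key."""
    return hmac.compare_digest(_mac(SERVICE_KEY, pac["body"]), pac["server_sig"])


def kdc_validates_pac(pac: dict) -> bool:
    """The round trip to the DC: nobody else holds the krbtgt key."""
    return hmac.compare_digest(_mac(KRBTGT_KEY, pac["server_sig"]), pac["kdc_sig"])


def make_ticket(cname: str, pac: dict, key: bytes) -> dict:
    """Toy service ticket: the PAC rides in the part protected by the service key.
    Anyone holding `key` can produce one, which is the thread's whole concern."""
    enc_part = json.dumps({"cname": cname, "pac": {k: v.hex() for k, v in pac.items()}}).encode()
    return {"enc_part": enc_part, "tag": _mac(key, enc_part)}


def service_accepts(ticket: dict, ask_kdc: bool) -> tuple[bool, str]:
    """Returns (accepted, client name the service would act on behalf of)."""
    if not hmac.compare_digest(_mac(SERVICE_KEY, ticket["enc_part"]), ticket["tag"]):
        return False, ""
    inner = json.loads(ticket["enc_part"])
    pac = {k: bytes.fromhex(v) for k, v in inner["pac"].items()}
    ok = service_checks_pac_locally(pac)
    if ask_kdc:
        ok = ok and kdc_validates_pac(pac)
    return ok, inner["cname"]


def pac_with_edited_groups(pac: dict, groups: list[str]) -> dict:
    """What a holder of only the service key can produce: a new body with a
    fresh server signature, but a KDC signature that no longer matches."""
    body = json.loads(pac["body"])
    body["groups"] = sorted(groups)
    new_body = json.dumps(body).encode()
    return {"body": new_body, "server_sig": _mac(SERVICE_KEY, new_body), "kdc_sig": pac["kdc_sig"]}


def scenarios() -> dict:
    """Outcomes with and without the DC round trip, for the three cases in the thread."""
    sam_pac = kdc_issue_pac("sam", ["Users"])
    genuine = make_ticket("sam", sam_pac, SERVICE_KEY)   # as the KDC would issue it
    edited = make_ticket("sam", pac_with_edited_groups(sam_pac, ["Users", "Domain Admins"]), SERVICE_KEY)
    # Minted by a keytab holder but carrying Sam's real PAC: byte-identical to
    # `genuine`, so no amount of PAC validation can tell the two apart.
    reused = make_ticket("sam", sam_pac, SERVICE_KEY)
    return {
        "genuine_local": service_accepts(genuine, ask_kdc=False),
        "genuine_kdc": service_accepts(genuine, ask_kdc=True),
        "edited_pac_local": service_accepts(edited, ask_kdc=False),
        "edited_pac_kdc": service_accepts(edited, ask_kdc=True),
        "real_pac_reused_kdc": service_accepts(reused, ask_kdc=True),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:22s} accepted={result[0]} as={result[1]!r}")
```

The model is deliberately one-sided: it says nothing about how a real PAC is encoded or about the actual checksum types, only about which key each check needs. Read that way, the answer to the subject line is yes, the KDC checksum cannot be verified without the krbtgt key, and the answer to Henry's question is that the round trip constrains what a keytab holder can put in the PAC, not whether they can produce a ticket at all. The mitigation the thread already names, keeping the keytab out of the hands of anything that does not strictly need it, is the control that addresses the second problem.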