Does PAC Validation Require External Communication?
Henry B. Hotz
hotz at jpl.nasa.gov
Mon May 14 23:04:14 GMT 2007
On May 14, 2007, at 3:26 PM, Andrew Bartlett wrote:
> On Mon, 2007-05-14 at 15:21 -0700, Henry B. Hotz wrote:
>> As I understand it, if you have access to the server's keytab, then
>> in principle you can forge credentials for anyone, including
>> non-existent users (but only for that server). What you suggest would
>> prevent someone faking the PAC data in a credential, and from
>> inventing a fake user, but they could still fake the credential.
>> In other words it wouldn't stop John Jones from presenting a fake
>> credential for Sam Smith that just happened to include the real PAC
>> data that Sam would have had if it were really Sam.
> The PAC includes another signature, with the KDC's private key. This
> signature can validate that the service didn't fake a user to itself.
> Of course, if you hold the keytab for the machine account, you could
> also fake the signed and encrypted communication with the KDC to
> validate the PAC...
. . . but not perfect. Still spoofing another live service is
another barrier to an exploit.