Does PAC Validation Require External Communication?
Andrew Bartlett
abartlet at samba.org
Mon May 14 23:29:14 GMT 2007
On Mon, 2007-05-14 at 19:24 -0400, Michael B Allen wrote:
> On Tue, 15 May 2007 07:59:40 +1000
> Andrew Bartlett <abartlet at samba.org> wrote:
>
> > On Mon, 2007-05-14 at 13:34 -0400, Michael B Allen wrote:
> > > This link claims MS' PAC verification can require communication with
> > > the DC:
> > >
> > > http://blogs.msdn.com/spatdsg/archive/2007/03/07/pac-validation.aspx
> > >
> > > Is this true? If so, services will not be able to authenticate nearly
> > > as fast as they otherwise could.
> >
> > If you think that someone else (not root) has access to the local
> > kerberos keytab (or the machine account password), then that user could
> > spoof their way to any (CIFS) user via the PAC, because they could make
> > up a fake one. Similarly, as always with kerberos, they could change
> > the principal in the ticket, etc.
> >
> > This can be worked around by validating the PAC to the KDC, but should
> > be of concern to anyone who shares that keytab too broadly (eg with
> > apache).
> >
> > On windows, I think a user could run a service, and unless the PAC was
> > validated with the KDC, they could use their password to fake their way
> > down to another more privileged user.
>
> Hi Andrew,
>
> So exploring the Apache example a little more - if Apache loaded the
> keytab as root when it initialized and stored it in an in-memory only
> keytab so that workers didn't really have access to it
You would need to *ensure* the workers didn't have access to it. (i.e.,
the GSSAPI authentication should go via an IPC mechanism. Perhaps to
winbind?).
> , the KDC checksum
> wouldn't really need to be validated and no communication with the KDC
> would be necessary?
Correct. As we don't talk to the KDC in Samba, this is a strict
requirement for a secure system.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc. http://redhat.com
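The trust split the thread describes, as an added illustration that is not part of the thread and not Samba's code: a simplified model of the two PAC checksums (HMAC-SHA256 stands in for the Kerberos checksum types, and the byte layout is constructed, not the MS-PAC wire format). A service holding only its keytab key can verify the server checksum locally; only the KDC, which holds the krbtgt key, can verify the KDC checksum, which is why a PAC produced by anyone who merely holds the service key passes the local check and fails only on the round trip to the DC.

```python
import hmac
import hashlib

# Constructed keys for the model; not real Kerberos keys.
SERVICE_KEY = b"service-keytab-key"   # in the service's keytab
KRBTGT_KEY = b"krbtgt-key"            # held only by the KDC


def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def issue_pac(user, groups):
    """KDC side: sign the body with the service key, then sign the server
    checksum with the krbtgt key (MS-PAC computes the KDC checksum over the
    server checksum)."""
    body = ("%s;%s" % (user, ",".join(groups))).encode()
    server_sig = _mac(SERVICE_KEY, body)
    kdc_sig = _mac(KRBTGT_KEY, server_sig)
    return {"body": body, "server_sig": server_sig, "kdc_sig": kdc_sig}


def keytab_holder_pac(user, groups):
    """Models the threat in the thread: whoever reads the keytab can produce a
    valid server checksum, but cannot compute the KDC checksum."""
    body = ("%s;%s" % (user, ",".join(groups))).encode()
    server_sig = _mac(SERVICE_KEY, body)
    return {"body": body, "server_sig": server_sig, "kdc_sig": b"\x00" * 32}


def verify_locally(pac):
    """What the service can check with nothing but its own key."""
    return hmac.compare_digest(pac["server_sig"], _mac(SERVICE_KEY, pac["body"]))


def verify_at_kdc(pac):
    """What the round trip to the DC adds: the krbtgt-keyed checksum."""
    return hmac.compare_digest(pac["kdc_sig"], _mac(KRBTGT_KEY, pac["server_sig"]))


if __name__ == "__main__":
    genuine = issue_pac("alice", ["users"])
    local_only = keytab_holder_pac("alice", ["domain admins"])
    print("genuine: local=%s kdc=%s" % (verify_locally(genuine), verify_at_kdc(genuine)))
    print("keytab holder: local=%s kdc=%s" % (verify_locally(local_only), verify_at_kdc(local_only)))
```

A PAC whose body is modified after issuance fails even the local check; the case the thread worries about is the one where the body and server checksum are consistent because the signer had the key.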