Does PAC Validation Require External Communication?

Michael B Allen mba2000 at ioplex.com
Tue May 15 00:17:19 GMT 2007


On Tue, 15 May 2007 09:29:14 +1000
Andrew Bartlett <abartlet at samba.org> wrote:

> > > spoof their way to any (CIFS) user via the PAC, because they could make
> > > up a fake one.  Similarly, as always with kerberos, they could change
> > > the principal in the ticket, etc. 
> > > 
> > > This can be worked around by validating the PAC to the KDC, but should
> > > be of concern to anyone who shares that keytab too broadly (eg with
> > > apache). 
> > 
> > So exploring the Apache example a little more - if Apache loaded the
> > keytab as root when it initialized and stored it in an in-memory only
> > keytab so that workers didn't really have access to it
> 
> You would need to *ensure* the workers didn't have access to it.  (ie,
> the GSSAPI authentication should go via an IPC mechanism.)

Or one of the lower level Kerberos checksum verification routines. Sounds
more complicated than it's worth but definitely something to keep in mind.

Mike
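
The arrangement discussed in this message, as an added example that is not part of the original thread and is not Samba or Apache code: a separate key-holder process verifies tokens over IPC and returns only a verdict, so the worker never holds the key. Assumptions: HMAC-SHA256 stands in for the Kerberos checksum, the token layout and all function names are hypothetical, and SOCK_SEQPACKET socketpairs assume Linux.

```python
import hashlib
import hmac
import os
import socket

MAC_LEN = 32  # HMAC-SHA256 stands in for the Kerberos checksum (assumption)

def seal(key, authz):
    """Append a keyed checksum to constructed, PAC-like authorization data."""
    return authz + hmac.new(key, authz, hashlib.sha256).digest()

def key_holder(sock):
    """Privileged side: the only process that ever holds the service key."""
    key = os.urandom(32)  # created after the fork, so the worker has no copy
    sock.send(seal(key, b"user=alice;groups=users"))  # constructed sample, issued once
    while token := sock.recv(4096):  # b"" means the worker closed its end
        authz = token[:-MAC_LEN]  # strip the trailing checksum
        ok = hmac.compare_digest(seal(key, authz), token)  # recompute and compare
        sock.send(b"\x01" if ok else b"\x00")  # verdict only, never key material

def spawn_key_holder():
    # SOCK_SEQPACKET keeps message boundaries and reports peer close (Linux).
    worker_end, holder_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_SEQPACKET)
    pid = os.fork()
    if pid == 0:
        worker_end.close()  # otherwise the holder never sees the worker's close
        try:
            key_holder(holder_end)
        finally:
            os._exit(0)
    holder_end.close()
    return worker_end, pid, worker_end.recv(4096)

def worker_verify(sock, token):
    """Unprivileged side: submit a token over IPC and get back a yes/no."""
    sock.send(token)
    return sock.recv(16) == b"\x01"

def demo():
    sock, pid, sample = spawn_key_holder()
    forged = seal(b"worker-guess", b"user=Administrator;groups=admins")
    tampered = sample.replace(b"alice", b"admin", 1)
    results = [worker_verify(sock, t) for t in (sample, tampered, forged)]
    sock.close()
    os.waitpid(pid, 0)
    return results

if __name__ == "__main__":
    print(demo())
```

The key is generated after the fork on purpose: a key loaded before forking would be copied into every worker's address space, which is the exposure the quoted reply warns about.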

